Weird behavior of anonymous user with default homepage

Hi all,

So we have 5 different apps that we are building for one client, and two of those apps were created in Mendix 8 and updated to Mendix 9.24.4. Only in those apps do we get weird behavior of the anonymous role.

So we have role-based homepages for all the roles, but if we remove the role-based homepage for the anonymous role (which is currently our OIDC sign-in page), the anonymous user is able to go to the default homepage, but it doesn't have access rights to the microflow that is triggered. This only happens in the two applications which were created in Mendix 8 and then upgraded to Mendix 9. In the other apps, when the role-based homepage is removed, we get the expected security error.

Does anyone have the same issue? I'm worried our app is not secure enough now that we have encountered this. By the way, setting a role-based homepage for the anonymous user does work, but I am not sure anymore whether other people can easily access the homepage without the access rights. Can anyone help me clear this up?

Also, we enabled the sign-in page in navigation to the OIDC sign-in page we also use as the role-based homepage for the anonymous user, but what does this do if we have to set a role-based homepage anyway?

Thanks in advance!

Hi Lisa,

From a security perspective, page access is actually not restricted client-side. So if you know the module and page name, any page is accessible by any user. You can test this out by executing the following JavaScript from your browser console. Just replace YourModule and YourPage with anything that is present in your application, and you should be able to open any page, regardless of your current user role.

// Ask the Mendix client to open the page directly by its module and page name
mx.ui.openForm("YourModule/YourPage.page.xml", {
    location: "content",          // open in the main content area
    callback: function(form) {
        console.log(form.id);     // logs the id of the form that was opened
    }
});

I'm not sure where the discrepancy between applications comes from, but the behavior you describe seems to be as expected.

Either way, you should ensure that the domain model is set up properly so that access rights are enforced there. Restricting page access is not sufficient from a security perspective.

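Since the answer above says that opening a page proves nothing and that the entity access rules in the domain model are what actually protect the data, a practitioner will want to confirm those rules hold for the anonymous role. The script below is an added example (not code from the forum answer and not Mendix's own code): it uses the client's mx.data.get to retrieve each entity and records whether the runtime allowed or refused it; the entity names and the stubbed window.mx object are constructed placeholders so it runs outside a Mendix app.

```javascript
// Added example (not from the forum answer, not Mendix's own code). It checks from the
// browser console whether the runtime lets the current role read an entity, regardless
// of which page the client opened. Entity names below are placeholders.
function checkEntityAccess(mxApi, entity, report) {
  mxApi.data.get({
    xpath: "//" + entity,
    callback: function (objs) {
      // Runtime returned objects: this role has read access on the entity.
      report({ entity: entity, readable: true, count: objs.length });
    },
    error: function () {
      // Runtime refused the retrieve: the access rules hold even though the page opened.
      report({ entity: entity, readable: false, count: 0 });
    }
  });
}

// Runs the check for each entity and hands the collected results to `done` once all
// retrieves have answered (the real API is asynchronous, so results are not returned).
function auditEntityAccess(mxApi, entities, done) {
  var results = [];
  var pending = entities.length;
  entities.forEach(function (entity) {
    checkEntityAccess(mxApi, entity, function (r) {
      results.push(r);
      pending -= 1;
      if (pending === 0) { done(results); }
    });
  });
}

// Names of entities the current role was able to read; for the anonymous role this list
// should contain nothing beyond what that role is meant to see.
function readableEntities(results) {
  return results.filter(function (r) { return r.readable; }).map(function (r) { return r.entity; });
}

// Constructed stand-in for window.mx so the example runs outside a Mendix app:
// the Customer entity is readable, the Invoice entity is denied.
var stubMx = {
  data: {
    get: function (args) {
      if (args.xpath === "//YourModule.Customer") { args.callback([{ guid: "1" }, { guid: "2" }]); }
      else { args.error(new Error("Access denied")); }
    }
  }
};

// In a real app call auditEntityAccess(window.mx, [...], console.table) from the console.
function runDemo() {
  var out = null;
  auditEntityAccess(stubMx, ["YourModule.Customer", "YourModule.Invoice"], function (r) { out = r; });
  return readableEntities(out);
}
```

Run it while signed out so the anonymous role is active; every entity that shows up as readable but is not meant for anonymous users points at a missing or too-wide access rule in the domain model.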