In a perspective view button script, I'm assigning session.props.auth.user.roles to a variable userRoles, then calling a project library script and passing userRoles as an argument.
Is this a security risk? Could userRoles be altered on the client side and therefore change the roles the project library script executes with?
It sounds like it could. Why not pass the username to the script and let the gateway check (again) what roles the user has?
Is this purely a jython variable? If so, I think it is safe. All jython scripting runs in the gateway, not in the browser, so there's no attack point.
Thanks for your responses.
@pturmel Yes it's a purely jython variable.
To @Transistor's point I was thinking of passing the perspective session id. Like username but someone might know or guess another person's username, it seems very hard to know or guess another session id. Then find the roles bases on session id.
But I'm wondering if that's just making it unnecessarily complicated?
Is it a security weakness to have "roles" as a function argument when the function is initiated from a perspective session? Could a bad actor learn the function name then initiate their own call of the function and pass it different roles?
It should be safe.
session.props.auth is a private property. It is not readable/writable from JS.
2 Likes