
...

  • Limit Menu Access: You can configure permissions for individual UI menus and/or a set of menus grouped under a UI Category in the UI Builder. Set up permissions so that only authorized users can view or access specific UI menus or UI categories.

References:

Limit Access to Sensitive Forms Using Permissions

...

  • Restrict CRUD Operations: Ensure that users have the correct permissions to perform CRUD (Create, Read, Update, Delete) operations on forms. Using Joget’s built-in permission system, restrict which users can edit or view specific forms.
  • Protect Form URLs: Users should not be able to manipulate URLs to access or alter data on forms. For example, URLs such as crudMenu?id=changedValue should be secured so that changing the id parameter does not grant access to another user's record. This is achieved by configuring permissions in the Form Builder so that only authorized users can access or alter those forms.

References:

Examples:

  • Limiting access to a form record to its original creator, based on the column "createdBy":
    • Edit the form used to access existing form records (e.g. the form mapped by CRUD > Edit).
    • In the Form Builder, navigate to Settings > Permission > BeanShell and place the following code.
      BeanShell Permission (Java):
      // Grant access only when the record's creator is the currently logged-in user
      return "#form.TABLE_NAME.createdBy#".equals("#currentUser.username#");
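As an added example (not code from the original page or from Joget itself), the same BeanShell permission extended to fail closed on blank values and to also admit members of one group. TABLE_NAME remains a placeholder, and the "directoryManager" Spring bean, its isUserInGroup(username, groupId) method and the group id G-001 are assumptions for illustration.

```java
// Added example (not from the original page): BeanShell permission that admits the
// record creator OR members of a single group. Joget substitutes hash variables into
// the script before it runs, so the two #...# tokens become plain string literals.
// Assumptions/placeholders: TABLE_NAME (the form's table), the "directoryManager"
// bean and its isUserInGroup(username, groupId) method, and the group id G-001.
import org.joget.apps.app.service.AppUtil;
import org.joget.directory.model.service.DirectoryManager;

String creator = "#form.TABLE_NAME.createdBy#";
String current = "#currentUser.username#";

// Fail closed: if both hash variables resolve to an empty string (e.g. a record
// with no creator and an empty username), the one-line check "".equals("") would
// return true. Deny explicitly instead of relying on that coincidence.
if (creator == null || creator.trim().isEmpty()
        || current == null || current.trim().isEmpty()) {
    return false;
}

// The owner of the record may always open it.
if (creator.equals(current)) {
    return true;
}

// Otherwise allow only members of the designated group (assumed bean and method).
DirectoryManager dm = (DirectoryManager) AppUtil.getApplicationContext().getBean("directoryManager");
return dm.isUserInGroup(current, "G-001");
```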

2. Prevent Manipulation from End-User Browser (Front-End Security)

...

  • Use Prepared Statements: To prevent SQL injection, use prepared statements. A prepared statement is a precompiled SQL query that helps prevent SQL injection attacks by ensuring that user input is treated as data, not as executable code.

  • Use the SQL escape parameter in Hash Variables: If a hash variable is embedded in a SQL query, append the ?sql escape parameter so that its value is escaped before substitution and the database treats it as data rather than as part of the query.

    • For example, in List Builder > Data Store > Database SQL Query:
      SELECT * FROM dir_user WHERE username = '#requestParam.user?sql#'

3. Securing Form Data at the Database Level (Server-Side Security)

...