Server Action Security Check Error - on cWebSuggestionForm



Joseph Mullins
30-Mar-2022, 08:10 AM
Since updating to DF 20.1 we are getting this weird error that keeps randomly coming up in production, but we are unable to reproduce it locally. A cWebSuggestionForm prompts with a Server Action Security Check Error. This then requires a few hard refreshes of the page and then clears. This has only happened since the DF 20.1 upgrade. The error is triggered as soon as you start typing; after a few refreshes, it works as expected.

I can't get it happening on a smaller code sample, so I have to go with what's being used. Nothing else is setting the element's properties or bound to it.


The code is:



Object oWebSuggestionForm4 is a cWebSuggestionForm
    Set piColumnSpan to 6
    Set psLabel to "Employee"
    Set piStartAtChar to 1
    Set peSuggestionMode to smCustom
    Set pbCaseSensitive to False

    // Called by the client as the user types; fills aSuggestions from the Employee DD
    Procedure OnFindSuggestions String sSearch tSuggestion[] ByRef aSuggestions
        Integer iCount

        // Escape the typed text before it is embedded in the SQL filter
        Get SQLEscapedStr of oEmployee_DD sSearch to sSearch

        Send Clear to oEmployee_DD
        Set pbUseDDSQLFilters of oEmployee_DD to True
        Set psSQLFilter of oEmployee_DD to (SFormat("lower(name) like lower('%%%1%')", sSearch))
        Send Rebuild_Constraints of oEmployee_DD

        // Walk the matching records on index 3 and return row id + name per suggestion
        Send Find of oEmployee_DD GT 3
        While (Found)
            Move (SerializeRowID(CurrentRowId(oEmployee_DD))) to aSuggestions[iCount].sRowId
            Get Field_Current_Value of oEmployee_DD Field Employee.Name to aSuggestions[iCount].aValues[0]
            Increment iCount

            Send Find of oEmployee_DD GT 3
        Loop
    End_Procedure

    // Called when the user picks a suggestion; constrains the timesheet list to that employee
    Procedure OnSelectSuggestion String sSearch tSuggestion Suggestion
        String sName
        Send FindByRowId of oEmployee_DD Employee.File_Number (DeserializeRowID(Suggestion.sRowId))
        Set Constrain_File of oTimesheet_DD to Employee.File_Number

        Get Field_Current_Value of oEmployee_DD Field Employee.Name to sName
        WebSet psValue to sName
        Send Rebuild_Constraints of oTimesheet_DD
        Send FindFromTop of oList
    End_Procedure

    // Only render the form for users with admin rights (999)
    Procedure OnLoad
        Integer iRights
        Get piUserRights of ghoWebSessionManager to iRights
        Set pbRender to (iRights = 999)
    End_Procedure
End_Object

Albin
30-Mar-2022, 08:18 AM
Hi.

I think it is the OnLoad. You change pbRender in there.
Try adding this to the cWebSuggestion object:
Set pbNoAccessibilityCheck to True

It will disable the security check.

Samuel Pizarro
30-Mar-2022, 08:33 AM
I don't think so.

He said the error happens when he starts typing, so if that is true, pbRender was set to True; otherwise he would not be able to type in the form.

And if this is really the cause, we may have a hidden bug somewhere, assuming he posted all the relevant code.

Samuel Pizarro
30-Mar-2022, 08:34 AM
Are you changing the form properties dynamically somewhere else, like pbRender, pbEnabled, or something else, in any other event hooks?

Also, what was your previous release version, where this was working fine, before upgrading to 20.1?

Joseph Mullins
30-Mar-2022, 08:36 AM
Yeah,

The pbRender change works perfectly for showing/hiding depending on the permissions. If the rights are less, it shouldn't show, so I think disabling the security check would defeat that?

Joseph Mullins
30-Mar-2022, 08:37 AM
Nowhere else, it is a select list that admins use to filter through all the staff. The OnLoad decides if it's shown when it's just a staff member there (as they don't need to filter the list past themselves).

The last version was 20.0, that's why I'm thinking it may be a 20.1 bug... or a long hidden 20.0 one.

J

Peter Bragg
30-Mar-2022, 08:39 AM
It doesn't help you (or me!) but I'm 90+% certain that I've encountered this error too. Only once, but also with a cWebSuggestionForm. I will keep my eye on it.

Samuel Pizarro
30-Mar-2022, 08:42 AM
Yes. It would defeat the security mechanism.

In other words, an advanced regular user (non-admin) could change its value, even if it's hidden.

I would leave the check enabled and try to debug it deeper.

Evertjan Dondergoor
30-Mar-2022, 10:49 AM
Although it probably has nothing to do with the problem, I would consider dynamically changing the SQL filter + constraint in a search as very risky. You'd have to make sure these filters get reset with every call, or you leave the exe with an unwanted filter. That might not run into issues, but when it does, it will be very hard to find.

Albin
31-Mar-2022, 01:24 AM
> I don't think so.
>
> He said the error happens when he starts typing, so if that is true, pbRender was set to True; otherwise he would not be able to type in the form.
>
> And if this is really the cause, we may have a hidden bug somewhere, assuming he posted all the relevant code.

Yes, but I would still try to disable it because I think that's what is giving the error. I think I've seen this or something very similar before and I know disabling the security checks helped.
Of course you have to investigate why it happens, but disabling it would tell if it is the security layer or not.

Harm Wibier
31-Mar-2022, 04:27 AM
Unfortunately this is a side effect of the added security layer (pbNoAccessibilityCheck (https://docs.dataaccess.com/dataflexhelp/mergedProjects/VDFClassRef/cWebBaseUIObject-Property-pbNoAccessibilityCheck.htm)). For it to function properly pbRender can't be changed dynamically using Set. So the simplest fix is to change Set pbRender into WebSet pbRender, then the accessibility check will pick up the difference between the sessions and function properly.

Of course the alternative is to set pbNoAccessibilityCheck to True, which will allow FindSuggestions to be accessed by any user (so using some custom JavaScript they could still call it and see data they should not see).
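The object rewritten the way Harm's reply and Evertjan's earlier caveat suggest, as an added example that is not code from the thread: OnLoad uses WebSet so the hidden state is held per session where the accessibility check can compare it, and OnFindSuggestions clears the dynamic SQL filter after the loop so the DD does not keep it for later requests. Resetting the filter through psSQLFilter and pbUseDDSQLFilters is an assumption; the object, DD and field names are those from the original post.

```dataflex
Object oWebSuggestionForm4 is a cWebSuggestionForm
    Set piColumnSpan to 6
    Set psLabel to "Employee"
    Set piStartAtChar to 1
    Set peSuggestionMode to smCustom
    Set pbCaseSensitive to False

    // Set pbRender changes the object for every session, so the server-side
    // accessibility check cannot tell that the form is hidden for this user
    // and rejects the FindSuggestions call. WebSet keeps the value per session.
    Procedure OnLoad
        Integer iRights
        Get piUserRights of ghoWebSessionManager to iRights
        WebSet pbRender to (iRights = 999)
    End_Procedure

    Procedure OnFindSuggestions String sSearch tSuggestion[] ByRef aSuggestions
        Integer iCount

        // Escape the typed text before it is embedded in the SQL filter
        Get SQLEscapedStr of oEmployee_DD sSearch to sSearch

        Send Clear to oEmployee_DD
        Set pbUseDDSQLFilters of oEmployee_DD to True
        Set psSQLFilter of oEmployee_DD to (SFormat("lower(name) like lower('%%%1%')", sSearch))
        Send Rebuild_Constraints of oEmployee_DD

        Send Find of oEmployee_DD GT 3
        While (Found)
            Move (SerializeRowID(CurrentRowId(oEmployee_DD))) to aSuggestions[iCount].sRowId
            Get Field_Current_Value of oEmployee_DD Field Employee.Name to aSuggestions[iCount].aValues[0]
            Increment iCount
            Send Find of oEmployee_DD GT 3
        Loop

        // Assumption: clearing the filter and rebuilding constraints returns the
        // DD to its default state, so the next request in this process does not
        // inherit a filter built from another user's input.
        Set psSQLFilter of oEmployee_DD to ""
        Set pbUseDDSQLFilters of oEmployee_DD to False
        Send Rebuild_Constraints of oEmployee_DD
    End_Procedure
End_Object
```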

Samuel Pizarro
31-Mar-2022, 07:39 AM
Hi Harm..

Is this side-effect tied only to the pbRender property, or will it be the same for all other relevant properties used/checked by the security layer, like pbEnabled and so on?

And going forward... I think this side-effect should be documented in the relevant pages (the page for each property and the pages associated with the security mechanism), stating that these properties should not simply be "Set" during OnLoad anymore, but WebSet instead.

By the way @Dennis... the pages for pbRender, pbVisible and pbEnabled show them as regular properties. No mention that they are web properties.
cWebBaseUIObject [Property pbRender] (dataaccess.com) (https://docs.dataaccess.com/dataflexhelp/mergedProjects/VDFClassRef/cWebBaseUIObject-Property-pbRender.htm)


Regards

Joseph Mullins
31-Mar-2022, 11:55 AM
Thanks Harm, definitely the former is preferred over the latter :)

Dennis Piccioni
31-Mar-2022, 12:57 PM
Thanks Samuel,

I'll log this.

Dennis Piccioni
6-Apr-2022, 09:13 AM
Hi Samuel,

we found the problem, the Class Ref parser wasn't correctly identifying Client Protected web properties. The fix didn't make it into today's DataFlex 2022 20.1 Release (https://support.dataaccess.com/Forums/showthread.php?68433-DataFlex-2022-Released-%96-Download-Now!), but will be in future builds and future Online Doc updates.

Samuel Pizarro
6-Apr-2022, 11:09 AM
Thanks