NetTalk Central
NetTalk Web Server => Web Server - Ask For Help => Topic started by: astahl on August 08, 2016, 12:21:02 PM
-
Hi,
I have a menu item called "Admin" which is hidden from users with a lower level. But if a user logs in, say as a level one, there is nothing stopping them from typing "https://www.mywebsite.com/Admin/SomeForm" in the address bar and getting that page called up.
How does one stop that from happening? This is being done on a penetration test.
SomeForm is under a different menu item which they can access.
Ashley
-
Hi Ashley
On the form being called, go to the Security tab: set "User must be logged in" and also "Session Level".
This should be done for each form or browse, not just the menu item.
Cheers
vinnie
-
Hi Vinnie,
I have all forms and browses set to "User must be logged in" and "user level >=" is set to the level one requires.
The "Admin" page is set to a higher security level than a normal user would be allowed ever to be.
So the question is why anyone who is logged in as a user can access a form not associated with the "Admin" menu structure?
If the user is not logged in they of course cannot access any of the heightened security level pages.
Ashley
-
Hi Ashley,
One thing to be aware of is that there is no hard link between a menu and its items and a browse/form entity in the way you are thinking.
The menu is just that. It's a bunch of links.
Setting a menu item to only be seen by a particular user filter doesn't affect the form itself, it only affects that menu item.
So it's in the form itself that you muck about with the security for that form.
If someone is able to access a form when they shouldn't be, then we probably need to go into more specific details about the issue.
* A good way to test this is to, on login, set a made up session variable to one, like .. p_web.SSV('oktoaccess:ContactForm',1), and then on the form, set the special security to check for that particular session variable being 1 (remove the level specific check).
That'll help you understand a little more what might be happening.
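The session-variable approach described above, written out as an added example (not code from the thread or from NetTalk itself). It assumes the login procedure has an embed that runs after credentials are validated, that the user's level is held in a local variable named UserLevel (hypothetical name), and that the form's Special Security prompt accepts a Clarion expression evaluated on every request.

```clarion
! Added example, not from the original post. UserLevel is a hypothetical
! local variable holding the validated user's level.

! --- In the login procedure, after credentials have been validated ---
! Default every form flag to "no access", then grant only what this
! level earns. A missing or unset flag therefore denies, never allows.
p_web.SSV('oktoaccess:ContactForm', 0)
p_web.SSV('oktoaccess:AdminForm', 0)
if UserLevel >= 1
  p_web.SSV('oktoaccess:ContactForm', 1)
end
if UserLevel >= 9
  p_web.SSV('oktoaccess:AdminForm', 1)
end

! --- Special Security expression on ContactForm ---
! Evaluated server-side on every request for the form, so a user who
! types the URL directly is refused unless the flag was set at login.
p_web.GSV('oktoaccess:ContactForm') = '1'

! --- Special Security expression on AdminForm ---
p_web.GSV('oktoaccess:AdminForm') = '1'
```

Because the check lives on the form rather than the menu, hiding or showing the menu item has no effect on whether the request is allowed.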