Forums

Restrict access to records, not pages (Security Issue) Cancel The title field is required!

1. Mason Ambery

   

   67 posts
   Registered:
   19 Nov 2021
   11 Aug 2023

   Link to this post

   How can I enforce security at a record level, not page level.  In  y example I have two users with access to the same page but the records returned from CRM are filtered based on their specific records.  The listings that allow front end access are working and displaying on their records.
   
   The issue is, I can copy the url from one user's record detail page, logout, login as a different user, and paste the URL into the browser and access the record.
   
   I came from the old ADXstudio solution that used entity permissions which where assigned to security roles.  These entity permission controlled whether a user had access to all, related record or only their records.  I can't find anything that is similar to this other than the filter logic when generating data in a grid or subgrid.  
   
   I need a way to prevent unauthorized access to records by individuals that obtain URLs for records not displayed from the grids or subgrids.
   
2. Eric Mann

   

   59 posts
   Registered:
   16 Oct 2020
   14 Aug 2023 in reply to Mason Ambery

   Link to this post

   Mason,
   Coming from Peak Portals I had same experience / transition and I hope TPC invests in this area of form/subsequent page from grid as a security control at portal user logged in. 
   Our workaround has been JavaScript combined with Saved Query but hate that I have to do this on client side. 
   
   Eric 
3. Rawdon Edghill

   

   76 posts
   Registered:
   16 Dec 2020
   14 Aug 2023

   Link to this post

   Hi Mason,
   
   Thank you for your question.
   
   Can I get you to turn the GUID encryption back on?
   
   Regards,
   Rawdon
4. Mason Ambery

   

   67 posts
   Registered:
   19 Nov 2021
   14 Aug 2023 in reply to Rawdon Edghill

   Link to this post

   I have it turned off because I provide a link to the record through a email workflow process in CRM.  I need to be able to send email notifications with links to the records to keep the user from having to login and then scroll or search for the record within a list.  It's my understanding that I have to set the encryption to false to be able to create the url within the crm workflow.
5. Rawdon Edghill

   

   76 posts
   Registered:
   16 Dec 2020
   15 Aug 2023

   Link to this post

   Hi Mason,
   
   Turning on Encryption GUIDS would be the preferred approach in this scenario for enhancing security.
   However, if you need to have encryption GUIDS turned off due to the requirements of generating URLs within the CRM workflow I would recommend these two options: Enforcing via Code Behind: (https://www.progress.com/blogs/sitefinity_and_the_asp_net_code-behind_model) this would involve implementing custom code within Sitefinity to handle or check the relationship between the logged-in user and any records they are attempting to access.
   Another option would be using a Custom Widget. Both options you will need to know the relationship to the logged-in user that way you can check it in the CRM.
   
   I hope this information helps.
   
   Regards,
   Rawdon

   Last modified on 15 Aug 2023 20:08 by Rawdon Edghill
6. Mason Ambery

   

   67 posts
   Registered:
   19 Nov 2021
   23 Aug 2023 in reply to Rawdon Edghill

   Link to this post

   If I set the encrypt GUIDS back to Yes, is there a way to generate an email from CRM with a link to the specific record?  Based on my testing, setting this back to yes changes the ID value although selecting the same record returns the same encrypted id.  When trying to copy and paste the URL across different users, the form is displayed but no data is displayed within the form.  Is the generation of the encrypted guid specific to the logged in user?  This is what it looks like based on some quick testing and inspecting the id value.