Prevent Unauthorized Operations
Follow strategies outlined in this help topic to prevent unauthorized server-side operations (and address CWE-284 and CWE-285 security risks).
#Restrict Edit Operations
DevExpress ASP.NET Web Forms controls allow data editing by default. Even if editing-related UI elements are hidden, threat actors can execute client-side methods or use keyboard shortcuts to alter data. This section describes how to restrict edit operations within DevExpress Web Forms UI controls.
#Data Editors
Enable the ReadOnly property to switch a data editor to read-only mode. If a threat actor modifies a read-only editor value on the client, the editor does not load the new value to the server and resets the initial value on postback:
<dx:ASPxTextBox ID="ASPxTextBox1" runat="server" Text="123456" ReadOnly="True" />
#Diagram
Enable the ReadOnly property to activate read-only mode in the Diagram control:
<dx:ASPxDiagram ID="Diagram" runat="server" ReadOnly="true" />
The Diagram control allows you to prohibit individual edit operations. Refer to the following topic for additional information: Restrict Edit Operations.
#Grid-Like Controls
Use the AllowDelete, AllowEdit, and AllowInsert properties to disable CRUD operations in the Card View, Grid View, Pivot Grid, TreeList, and Vertical Grid controls. These settings are evaluated on the server, so they hold even when a client bypasses the UI. The following code snippet disables delete, edit, and insert operations in the Grid View:
<dx:ASPxGridView ID="grid" runat="server" DataSourceID="DemoDataSource1" KeyFieldName="CustomerID">
<Columns>
<dx:GridViewDataColumn FieldName="ContactName" />
<dx:GridViewDataColumn FieldName="CompanyName" />
<dx:GridViewDataColumn FieldName="City" />
<dx:GridViewDataColumn FieldName="Region" />
<dx:GridViewDataColumn FieldName="Country" />
</Columns>
<SettingsDataSecurity AllowDelete="False" AllowEdit="False" AllowInsert="False" />
</dx:ASPxGridView>
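The markup above fixes the restrictions statically. The following code-behind, an added example rather than DevExpress documentation code, goes one step further and applies the same SettingsDataSecurity properties per request from the current user's role, then re-checks authorization in the grid's data-modification events as defense in depth. It assumes an ASPxGridView named `grid` whose `OnRowUpdating`, `OnRowInserting`, and `OnRowDeleting` attributes point at the handlers below, and a hypothetical "Editors" role.

```csharp
// Added example (not from the DevExpress documentation): enforce edit
// restrictions on the server per request and re-verify them in the
// data-modification events. The "Editors" role name is a placeholder.
using System;
using System.Web.UI;
using DevExpress.Web;
using DevExpress.Web.Data;

public partial class CustomersPage : Page
{
    const string EditorsRole = "Editors"; // hypothetical role name

    bool CurrentUserCanEdit =>
        User != null && User.Identity.IsAuthenticated && User.IsInRole(EditorsRole);

    protected void Page_Load(object sender, EventArgs e)
    {
        // Set on every request, including postbacks and callbacks: the
        // values are server-side state, so hidden buttons, client-side
        // method calls, or keyboard shortcuts cannot re-enable editing.
        bool canEdit = CurrentUserCanEdit;
        grid.SettingsDataSecurity.AllowEdit = canEdit;
        grid.SettingsDataSecurity.AllowInsert = canEdit;
        grid.SettingsDataSecurity.AllowDelete = canEdit;
    }

    // Defense in depth: even if a configuration change re-enables editing,
    // the update, insert, and delete events refuse to write for users
    // without the required role. The event args derive from
    // CancelEventArgs, so setting Cancel stops the data source update.
    protected void grid_RowUpdating(object sender, ASPxDataUpdatingEventArgs e)
    {
        if (!CurrentUserCanEdit) { e.Cancel = true; grid.CancelEdit(); }
    }

    protected void grid_RowInserting(object sender, ASPxDataInsertingEventArgs e)
    {
        if (!CurrentUserCanEdit) { e.Cancel = true; grid.CancelEdit(); }
    }

    protected void grid_RowDeleting(object sender, ASPxDataDeletingEventArgs e)
    {
        if (!CurrentUserCanEdit) { e.Cancel = true; }
    }
}
```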
#Gantt
Set the SettingsEditing.Enabled property to false to disable all edit operations in the Gantt control:
<dx:ASPxGantt ID="Gantt" runat="server">
<SettingsEditing Enabled="False" />
</dx:ASPxGantt>
Disable the Allow<Element>Insert, Allow<Element>Update, and Allow<Element>Delete settings to restrict individual edit operations:
<dx:ASPxGantt ID="Gantt" runat="server">
<SettingsEditing AllowTaskInsert="False"
AllowDependencyInsert="False"
AllowResourceAssignmentInsert="False" />
</dx:ASPxGantt>
#Rich Text Editor
Enable the ReadOnly property to activate read-only mode in the Rich Text Editor:
<dx:ASPxRichEdit ID="DemoRichEdit" runat="server" ReadOnly="true" />
#Scheduler
To disable CRUD operations in the Scheduler control, set AllowAppointmentCreate, AllowAppointmentDelete, and AllowAppointmentEdit to None:
<dx:ASPxScheduler ID="ASPxScheduler1" runat="server" AppointmentDataSourceID="AppointmentDataSource"
ResourceDataSourceID="efResourceDataSource">
<OptionsCustomization AllowAppointmentCreate="None"
AllowAppointmentDelete="None"
AllowAppointmentEdit="None" />
</dx:ASPxScheduler>
#Spreadsheet
You can switch the Spreadsheet control to read-only mode in one of the following ways:
- Enable Reading View mode: set the Mode property to Reading. In Reading View mode, edit operations are disabled and the Spreadsheet replaces its built-in ribbon with a compact toolbar. To prevent users from switching to Editing mode, set the SwitchViewModes property to Disabled or Hidden:
<dx:ASPxSpreadsheet ID="Spreadsheet" runat="server">
<SettingsView Mode="Reading" />
<Settings>
<Behavior SwitchViewModes="Hidden" />
</Settings>
</dx:ASPxSpreadsheet>
- Set the ReadOnly property to true:
<dx:ASPxSpreadsheet ID="Spreadsheet" runat="server" ReadOnly="True" />
#Disable File Management Operations
This section describes how you can disable file management-related operations in DevExpress Web Forms UI controls.
#File Manager
By default, the DevExpress File Manager control only allows users to upload files (while other file management operations are disabled). To enable/disable a specific operation, specify one or more of the following:
- SettingsEditing.AllowCopy
- SettingsEditing.AllowCreate
- SettingsEditing.AllowDelete
- SettingsEditing.AllowDownload
- SettingsEditing.AllowMove
- SettingsEditing.AllowRename
- SettingsUpload.Enabled
Always specify access rules and security permissions to restrict operations for individual files or folders. The following example allows users to download files from all folders except the System folder:
<dx:ASPxFileManager ID="fileManager" runat="server">
<Settings RootFolder="~/Content/FileManager/Files" ThumbnailFolder="~/Content/FileManager/Thumbnails"
InitialFolder="Images\Employees" />
<SettingsEditing AllowDownload="True" />
<SettingsPermissions>
<AccessRules>
<dx:FileManagerFolderAccessRule Path="System" Edit="Deny" />
<dx:FileManagerFileAccessRule PathPattern="System\*" Download="Deny" />
</AccessRules>
</SettingsPermissions>
<SettingsUpload Enabled="False"/>
</dx:ASPxFileManager>
#Rich Text Editor
Our Web Forms Rich Text Editor control allows users to create, open, save, print, and download documents using built-in UI elements or keyboard shortcuts. To disable file management operations and hide the corresponding UI elements, set the corresponding Behavior settings (CreateNew, Download, Open, Printing, Save, and SaveAs) to Hidden.
The following code sample disables file management operations within our Web Forms Rich Text Editor:
<dx:ASPxRichEdit ID="ASPxRichEdit1" runat="server" WorkDirectory="~\App_Data\WorkDirectory">
<Settings>
<Behavior CreateNew="Hidden" Download="Hidden" Open="Hidden" Printing="Hidden"
Save="Hidden" SaveAs="Hidden" />
</Settings>
</dx:ASPxRichEdit>
#Spreadsheet
The DevExpress Web Forms Spreadsheet control allows users to create, open, save, print, and download documents using built-in UI elements or keyboard shortcuts. To disable file management operations and hide the corresponding UI elements, set the corresponding Behavior settings (CreateNew, Open, Print, Save, and SaveAs) to Hidden.
The following code sample disables file management operations within our Web Forms Spreadsheet control:
<dx:ASPxSpreadsheet ID="Spreadsheet" runat="server" WorkDirectory="~\App_Data\WorkDirectory">
<Settings>
<Behavior CreateNew="Hidden" Open="Hidden" Print="Hidden" Save="Hidden" SaveAs="Hidden" />
</Settings>
</dx:ASPxSpreadsheet>
#Prevent Modification of Hidden and Read-Only Column Values
Card View, Grid View, Pivot Grid, TreeList, and Vertical Grid controls allow you to hide specific columns from individual users or switch these columns to read-only mode. If a threat actor modifies column values on the client, the control does not load new column values to the server and resets initial values on a callback. The following settings control this behavior:
- PreventLoadClientValuesForInvisibleColumns
- PreventLoadClientValuesForReadOnlyColumns
For security-related reasons, you should not set these properties to False.
<dx:ASPxTreeList ID="treeList" runat="server"
DataSourceID="DepartmentsDataSource" KeyFieldName="ID" ParentFieldName="ParentID">
<Columns>
<dx:TreeListDataColumn FieldName="DepartmentName" Caption="Department" />
<dx:TreeListDataColumn FieldName="Budget" DisplayFormat="{0:C}" />
<dx:TreeListDataColumn FieldName="Location" />
<dx:TreeListDataColumn FieldName="Phone1" Caption="Phone" />
</Columns>
<SettingsDataSecurity PreventLoadClientValuesForReadOnlyColumns="True"
PreventLoadClientValuesForInvisibleColumns="True" />
</dx:ASPxTreeList>