V24.2

Prevent Unauthorized Operations


Follow strategies outlined in this help topic to prevent unauthorized server-side operations (and address CWE-284 and CWE-285 security risks).

#Restrict Edit Operations

DevExpress ASP.NET Web Forms controls allow data editing by default. Even if editing-related UI elements are hidden, threat actors can execute client-side methods or use keyboard shortcuts to alter data. This section describes how to restrict edit operations within DevExpress Web Forms UI controls.

#Data Editors

Enable the ReadOnly property to switch a data editor to read-only mode. If a threat actor modifies a read-only editor value on the client, the editor does not load the new value to the server and resets the initial value on postback:

<dx:ASPxTextBox ID="ASPxTextBox1" runat="server" Text="123456" ReadOnly="True" />

#Diagram

Enable the ReadOnly property to activate read-only mode in the Diagram control:

<dx:ASPxDiagram ID="Diagram" runat="server" ReadOnly="true" />

The Diagram control allows you to prohibit individual edit operations. Refer to the following topic for additional information: Restrict Edit Operations.

#Grid-Like Controls

Use the AllowDelete, AllowEdit, and AllowInsert properties (exposed through SettingsDataSecurity) to disable CRUD operations in the Card View, Grid View, Pivot Grid, TreeList, and Vertical Grid controls. The following code snippet disables delete, edit, and insert operations in the Grid View:

<dx:ASPxGridView ID="grid" runat="server" DataSourceID="DemoDataSource1" KeyFieldName="CustomerID">
    <Columns>
        <dx:GridViewDataColumn FieldName="ContactName" />
        <dx:GridViewDataColumn FieldName="CompanyName" />
        <dx:GridViewDataColumn FieldName="City" />
        <dx:GridViewDataColumn FieldName="Region" />
        <dx:GridViewDataColumn FieldName="Country" />
    </Columns>
    <SettingsDataSecurity AllowDelete="False" AllowEdit="False" AllowInsert="False" />
</dx:ASPxGridView>

#Gantt

Set the SettingsEditing.Enabled property to false to disable all edit operations in the Gantt control:

<dx:ASPxGantt ID="Gantt" runat="server">
    <SettingsEditing Enabled="False" />
</dx:ASPxGantt>

Disable Allow<Element>Insert, Allow<Element>Update, and Allow<Element>Delete settings to restrict individual edit operations:

<dx:ASPxGantt ID="Gantt" runat="server">
    <SettingsEditing AllowTaskInsert="False"
                     AllowDependencyInsert="False"
                     AllowResourceAssignmentInsert="False" />
</dx:ASPxGantt>

#Rich Text Editor

Enable the ReadOnly property to activate read-only mode in the Rich Text Editor:

<dx:ASPxRichEdit ID="DemoRichEdit" runat="server" ReadOnly="true" />

#Scheduler

To disable CRUD operations in the Scheduler control, set AllowAppointmentCreate, AllowAppointmentDelete, and AllowAppointmentEdit to None:

<dx:ASPxScheduler ID="ASPxScheduler1" runat="server" AppointmentDataSourceID="AppointmentDataSource"
                  ResourceDataSourceID="efResourceDataSource">
    <OptionsCustomization AllowAppointmentCreate="None"
                          AllowAppointmentDelete="None"
                          AllowAppointmentEdit="None" />
</dx:ASPxScheduler>

#Spreadsheet

You can switch the Spreadsheet control to read-only mode in one of the following ways:

  • To enable the Reading View mode, set the Mode property to Reading. In Reading View mode, edit operations are disabled and the Spreadsheet replaces its built-in ribbon with a compact toolbar. To prevent users from switching to Editing mode, set the SwitchViewModes property to Disabled or Hidden:

    <dx:ASPxSpreadsheet ID="Spreadsheet" runat="server">
        <SettingsView Mode="Reading" />
        <Settings>
            <Behavior SwitchViewModes="Hidden" />
        </Settings>
    </dx:ASPxSpreadsheet>
    
  • Set the ReadOnly property to true:

    <dx:ASPxSpreadsheet ID="Spreadsheet" runat="server" ReadOnly="True" />
    

#Disable File Management Operations

This section describes how you can disable file management-related operations in DevExpress Web Forms UI controls.

#File Manager

By default, the DevExpress File Manager control only allows users to upload files (while other file management operations are disabled). To enable/disable a specific operation, specify one or more of the following:

Always specify access rules and security permissions to restrict operations for individual files or folders. The following example allows users to download files from all folders except the System folder:

<dx:ASPxFileManager ID="fileManager" runat="server">
    <Settings RootFolder="~/Content/FileManager/Files" ThumbnailFolder="~/Content/FileManager/Thumbnails"
        InitialFolder="Images\Employees" />
    <SettingsEditing AllowDownload="True" />
    <SettingsPermissions>
        <AccessRules>
            <dx:FileManagerFolderAccessRule Path="System" Edit="Deny" />
            <dx:FileManagerFileAccessRule PathPattern="System\*" Download="Deny" />
        </AccessRules>
    </SettingsPermissions>
    <SettingsUpload Enabled="False"/>
</dx:ASPxFileManager>

#Rich Text Editor

Our Web Forms Rich Text Editor control allows users to create, open, save, print, and download documents using built-in UI elements or keyboard shortcuts. To disable file management operations and hide corresponding UI elements, set the following to Hidden:

The following code sample disables file management operations within our Web Forms Rich Text Editor:

<dx:ASPxRichEdit ID="ASPxRichEdit1" runat="server" WorkDirectory="~\App_Data\WorkDirectory">
    <Settings>
        <Behavior CreateNew="Hidden" Download="Hidden" Open="Hidden" Printing="Hidden" 
                  Save="Hidden" SaveAs="Hidden" />
    </Settings>
</dx:ASPxRichEdit>

#Spreadsheet

The DevExpress Web Forms Spreadsheet control allows users to create, open, save, print, and download documents using built-in UI elements or keyboard shortcuts. To disable file management operations and hide corresponding UI elements, set the following to Hidden:

The following code sample disables file management operations within our Web Forms Spreadsheet control:

<dx:ASPxSpreadsheet ID="Spreadsheet" runat="server" WorkDirectory="~\App_Data\WorkDirectory">
    <Settings>
        <Behavior CreateNew="Hidden" Open="Hidden" Print="Hidden" Save="Hidden" SaveAs="Hidden" />
    </Settings>
</dx:ASPxSpreadsheet>

#Prevent Modification of Hidden and Read-Only Column Values

Card View, Grid View, Pivot Grid, TreeList, and Vertical Grid controls allow you to hide specific columns from individual users or switch these columns to read-only mode. If a threat actor modifies column values on the client, the control does not load new column values to the server and resets initial values on a callback. The following settings control this behavior:

  • PreventLoadClientValuesForInvisibleColumns
  • PreventLoadClientValuesForReadOnlyColumns

For security reasons, you should not set these properties to False. The following TreeList keeps both settings enabled:

<dx:ASPxTreeList ID="treeList" runat="server" 
                 DataSourceID="DepartmentsDataSource" KeyFieldName="ID" ParentFieldName="ParentID">
    <Columns>
        <dx:TreeListDataColumn FieldName="DepartmentName" Caption="Department" />
        <dx:TreeListDataColumn FieldName="Budget" DisplayFormat="{0:C}" />
        <dx:TreeListDataColumn FieldName="Location" />
        <dx:TreeListDataColumn FieldName="Phone1" Caption="Phone" />
    </Columns>
    <SettingsDataSecurity PreventLoadClientValuesForReadOnlyColumns="True" 
                          PreventLoadClientValuesForInvisibleColumns="True" />
</dx:ASPxTreeList>
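The grid-like settings above (AllowEdit, AllowInsert, AllowDelete and the PreventLoadClientValues* properties) can also be applied per user from code-behind, with the same authorization re-checked in the grid's server-side data events. The following C# is an added example, not code from the DevExpress documentation; it assumes a Grid View with ID="grid" whose markup wires OnRowUpdating, OnRowInserting and OnRowDeleting to the handlers below, a read-only "Budget" column, and a placeholder ASP.NET role named "DataEditor".

```csharp
// Added example (not from the DevExpress docs): per-user data security for ASPxGridView
// applied in code-behind, plus authorization re-checks in the data-modification events.
// Assumptions: grid ID="grid"; a column "Budget" marked ReadOnly in markup;
// an ASP.NET role "DataEditor" (placeholder name).
using System;
using System.Web.UI;
using DevExpress.Web;
using DevExpress.Web.Data;

public partial class CustomersPage : Page
{
    const string EditorRole = "DataEditor";                  // placeholder role name
    static readonly string[] ProtectedFields = { "Budget" }; // read-only/hidden columns

    bool CanEdit
    {
        get { return User != null && User.Identity.IsAuthenticated && User.IsInRole(EditorRole); }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Apply the settings on every request, including grid callbacks, so the
        // server decides what is allowed regardless of what the client sends.
        grid.SettingsDataSecurity.AllowEdit = CanEdit;
        grid.SettingsDataSecurity.AllowInsert = CanEdit;
        grid.SettingsDataSecurity.AllowDelete = CanEdit;
        grid.SettingsDataSecurity.PreventLoadClientValuesForReadOnlyColumns = true;
        grid.SettingsDataSecurity.PreventLoadClientValuesForInvisibleColumns = true;
    }

    // The settings already reject these operations for non-editors; the events
    // enforce the same rule again so a later markup change cannot silently relax it.
    protected void grid_RowUpdating(object sender, ASPxDataUpdatingEventArgs e)
    {
        RequireEditor();
        // Defense in depth: keep the stored value for protected columns even if a
        // client-supplied value reached the server.
        foreach (string field in ProtectedFields)
            if (e.NewValues.Contains(field))
                e.NewValues[field] = e.OldValues[field];
    }

    protected void grid_RowInserting(object sender, ASPxDataInsertingEventArgs e) { RequireEditor(); }
    protected void grid_RowDeleting(object sender, ASPxDataDeletingEventArgs e) { RequireEditor(); }

    void RequireEditor()
    {
        if (!CanEdit)
            throw new UnauthorizedAccessException("Data modification is not permitted for this user.");
    }
}
```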