Authorization Logic — Query Builder
The DevExpress ASP.NET WebForms Query Builder allows users to browse available data connections and tables. The Query Builder is integrated into both the DevExpress Report Designer and Dashboard Designer and can be used as a standalone control. To mitigate CWE-285 (Improper Authorization) risks, restrict the connections and schema objects the Query Builder can expose by implementing the server-side providers below. These providers are the enforcement point: both the list of connections a user is shown and every subsequent lookup by name must apply the same restriction, otherwise a hidden connection can still be requested directly.
Implement a custom connection string provider to restrict access to connection strings:
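/// <summary>
/// Supplies the connection strings the Query Builder may offer to the current user.
/// Both members enforce the same allow-list: <see cref="GetConnectionDescriptions"/> decides
/// what is listed, and <see cref="GetDataConnectionParameters"/> refuses to resolve any name
/// that is not listed, so a client cannot obtain a connection it was never shown.
/// </summary>
public class DataSourceWizardConnectionStringsProvider : IDataSourceWizardConnectionStringsProvider {
    /// <summary>
    /// Returns the connections (name -> display description) available to the current user.
    /// </summary>
    public Dictionary<string, string> GetConnectionDescriptions() {
        var connections = new Dictionary<string, string> {
            { "nwindConnection", "NWind database" }
        };
        // Implement access restriction logic, for instance
        // if (GetIdentityName() == "Admin")
        //     connections.Add("secretConnection", "Admin only database");
        return connections;
    }

    /// <summary>
    /// Resolves connection parameters for <paramref name="name"/>, but only when that name is in
    /// the allow-list returned by <see cref="GetConnectionDescriptions"/>. Without this check the
    /// client-supplied name is passed straight to the configuration lookup, and a user could ask
    /// for a connection (e.g. "secretConnection") that the descriptions deliberately hid.
    /// </summary>
    /// <param name="name">Connection name as sent by the Query Builder client; treated as untrusted.</param>
    /// <returns>The connection parameters loaded from configuration.</returns>
    /// <exception cref="UnauthorizedAccessException">
    /// The name is empty or not available to the current user. Throwing fails closed;
    /// NOTE(review): if the host expects <c>null</c> for unknown names instead, return null here.
    /// </exception>
    public DataConnectionParametersBase GetDataConnectionParameters(string name) {
        if (string.IsNullOrEmpty(name) || !GetConnectionDescriptions().ContainsKey(name)) {
            throw new UnauthorizedAccessException("Connection is not available to the current user.");
        }
        return AppConfigHelper.LoadConnectionParameters(name);
    }
}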
Implement a custom database schema provider to restrict access to data tables, views, and stored procedures:
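// The Report Designer registration (RegisterDataSourceWizardDBSchemaProviderExFactory) takes a
// factory type rather than an instance, so uncomment this class for that host. The Dashboard
// Designer registers a DBSchemaProviderEx instance directly and does not need it.
// NOTE(review): whether the standalone Query Builder also needs the factory depends on its
// registration call, which is not shown here — confirm.
// public class DataSourceWizardDBSchemaProviderExFactory : DevExpress.DataAccess.Web.IDataSourceWizardDBSchemaProviderExFactory {
//     public IDBSchemaProviderEx Create() {
//         return new DBSchemaProviderEx();
//     }
// }

/// <summary>
/// Restricts the database schema the Query Builder can see. Only the tables in
/// <see cref="AllowedTables"/> are exposed; views and stored procedures are hidden entirely
/// (empty arrays, never null, so callers can enumerate the result safely).
/// </summary>
public class DBSchemaProviderEx : IDBSchemaProviderEx {
    // Allow-list of table names. Ordinal comparison means a request differing only in case is
    // denied, which fails closed. Replace or extend with per-user permission checks.
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.Ordinal) { "Categories", "Products" };

    /// <summary>
    /// Returns the allowed tables from the live schema. When the host asks for specific names via
    /// <paramref name="tableList"/>, the result is additionally narrowed to those names; the
    /// request can therefore only shrink, never widen, what the allow-list permits.
    /// </summary>
    /// <param name="connection">Connection whose schema is read.</param>
    /// <param name="tableList">Optional table names requested by the host; may be empty.</param>
    public DBTable[] GetTables(SqlDataConnection connection, params string[] tableList) {
        // Check permissions here
        var dbTables = connection.GetDBSchema().Tables;
        IEnumerable<DBTable> allowed = dbTables.Where(t => AllowedTables.Contains(t.Name));
        if (tableList != null && tableList.Length > 0) {
            var requested = new HashSet<string>(tableList, StringComparer.Ordinal);
            allowed = allowed.Where(t => requested.Contains(t.Name));
        }
        return allowed.ToArray();
    }

    /// <summary>Views are not exposed to the Query Builder at all.</summary>
    public DBTable[] GetViews(SqlDataConnection connection, params string[] viewList) {
        return Array.Empty<DBTable>();
    }

    /// <summary>Stored procedures are not exposed to the Query Builder at all.</summary>
    public DBStoredProcedure[] GetProcedures(SqlDataConnection connection, params string[] procedureList) {
        return Array.Empty<DBStoredProcedure>();
    }

    /// <summary>
    /// Intentionally empty, as in the original sample.
    /// NOTE(review): if columns of the allowed tables do not appear in the Query Builder, confirm
    /// whether this method must populate them — the IDBSchemaProviderEx contract is not shown here.
    /// </summary>
    public void LoadColumns(SqlDataConnection connection, params DBTable[] tables) {
    }
}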
Register your custom providers for the DevExpress Dashboard Designer, Report Designer, or standalone Query Builder in the Global.asax.cs or Global.asax.vb file:
Dashboard Designer
// Dashboard Designer: the configurator accepts provider instances directly, so the
// restricted connection-string and schema providers are registered without a factory.
var dashboardConfigurator = DashboardConfigurator.Default;
dashboardConfigurator.SetConnectionStringsProvider(new DataSourceWizardConnectionStringsProvider());
dashboardConfigurator.SetDBSchemaProvider(new DBSchemaProviderEx());
Report Designer
// Report Designer: registration is by type, so the schema provider is supplied through
// DataSourceWizardDBSchemaProviderExFactory rather than as an instance.
DefaultReportDesignerContainer
    .RegisterDataSourceWizardDBSchemaProviderExFactory<DataSourceWizardDBSchemaProviderExFactory>();
DefaultReportDesignerContainer
    .RegisterDataSourceWizardConnectionStringsProvider<DataSourceWizardConnectionStringsProvider>();
Standalone Query Builder