
Prevent Unauthorized Operations


Follow strategies outlined in this help topic to prevent unauthorized server-side operations (and address CWE-284 and CWE-285 security risks).

# Restrict Edit Operations

DevExpress ASP.NET MVC extensions allow data editing by default. To use these extensions in read-only mode, ensure that mapped controllers do not implement actions that modify extension data. Otherwise, a threat actor can send a POST request that calls such a controller action.

To conditionally enable/disable read-only mode (for instance, to only enable delete operations for an admin account), check the condition within the corresponding controller action:

```cs
using System.Web.Mvc;

public partial class GridViewController : Controller {
    [ValidateInput(false)]
    public ActionResult GridViewPartial() {
        return PartialView("GridViewPartial", NorthwindDataProvider.GetProducts());
    }
    [HttpPost, ValidateInput(false)]
    public ActionResult GridViewAddNewPartial(Product product) {
        // Validate user access permissions here
        if (ModelState.IsValid)
            SafeExecute(() => NorthwindDataProvider.InsertProduct(product));
        else
            ViewData["EditError"] = "Please, correct all errors.";
        return GridViewPartial();
    }
    [HttpPost, ValidateInput(false)]
    public ActionResult GridViewUpdatePartial(Product product) {
        // Validate user access permissions here
        if (ModelState.IsValid)
            SafeExecute(() => NorthwindDataProvider.UpdateProduct(product));
        else
            ViewData["EditError"] = "Please, correct all errors.";
        return GridViewPartial();
    }
    [HttpPost, ValidateInput(false)]
    public ActionResult GridViewDeletePartial(int productID = -1) {
        // Validate user access permissions here
        if (productID >= 0)
            SafeExecute(() => NorthwindDataProvider.DeleteProduct(productID));
        return GridViewPartial();
    }
    // SafeExecute and NorthwindDataProvider are helpers from the demo project
    // and are not shown in this snippet.
}
```
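The snippet above marks where the permission check belongs but leaves it empty. The following controller, an added example rather than DevExpress code, fills that gap: every action requires an authenticated user, add/update require the "Editor" or "Admin" role, and delete is limited to "Admin". The check is performed server-side inside the action, so it holds even when a client bypasses the grid UI and posts directly to the route. `NorthwindDataProvider`, `Product` and `SafeExecute` are assumed to be the same demo helpers referenced in the original snippet; the role names are assumptions for this example.

```csharp
using System;
using System.Web.Mvc;

// Added example: the grid's edit callbacks are gated by server-side role checks.
// Client-side settings that hide edit buttons are not a security boundary;
// only checks inside the controller actions prevent unauthorized operations.
[Authorize] // every action on this controller requires an authenticated user
public partial class GridViewController : Controller {
    [ValidateInput(false)]
    public ActionResult GridViewPartial() {
        return PartialView("GridViewPartial", NorthwindDataProvider.GetProducts());
    }

    [HttpPost, ValidateInput(false)]
    public ActionResult GridViewAddNewPartial(Product product) {
        if (!CanEdit())
            return Denied("You are not permitted to add products.");
        if (ModelState.IsValid)
            SafeExecute(() => NorthwindDataProvider.InsertProduct(product));
        else
            ViewData["EditError"] = "Please, correct all errors.";
        return GridViewPartial();
    }

    [HttpPost, ValidateInput(false)]
    public ActionResult GridViewUpdatePartial(Product product) {
        if (!CanEdit())
            return Denied("You are not permitted to update products.");
        if (ModelState.IsValid)
            SafeExecute(() => NorthwindDataProvider.UpdateProduct(product));
        else
            ViewData["EditError"] = "Please, correct all errors.";
        return GridViewPartial();
    }

    // The attribute restricts delete to the Admin role before the action runs;
    // the explicit check inside the body keeps the rule visible in the code
    // and still applies if the attribute is ever removed by mistake.
    [HttpPost, ValidateInput(false), Authorize(Roles = "Admin")]
    public ActionResult GridViewDeletePartial(int productID = -1) {
        if (!User.IsInRole("Admin"))
            return Denied("Only administrators can delete products.");
        if (productID >= 0)
            SafeExecute(() => NorthwindDataProvider.DeleteProduct(productID));
        return GridViewPartial();
    }

    // Assumed role model for this example: "Editor" and "Admin" may modify rows.
    bool CanEdit() {
        return User.Identity.IsAuthenticated
            && (User.IsInRole("Editor") || User.IsInRole("Admin"));
    }

    // A denied operation returns the unchanged grid with an error message,
    // the same pattern the grid already uses for validation failures.
    ActionResult Denied(string message) {
        ViewData["EditError"] = message;
        return GridViewPartial();
    }
}
```

For a deployment that must be strictly read-only, the simplest form of this pattern is to omit the three `[HttpPost]` actions altogether, so no route exists for a forged POST to reach.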

# Disable File Management Operations

This section describes how you can disable file management-related operations when using DevExpress MVC Extensions.

# File Manager

By default, the DevExpress File Manager extension only allows users to upload files (while other file management operations are disabled). To enable/disable a specific operation, specify one or more of the following:

Always specify access rules and security permissions to restrict operations for individual files or folders. The following example allows users to download files from all folders except the System folder:

```razor
@model string

@using (Html.BeginForm()) {
    @Html.Partial("FileManagerPartial", Model)
}
```
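The view above only renders the `FileManagerPartial` partial; the settings that actually enforce the "download everywhere except System" rule live in that partial. The following partial view is an added example, not from the DevExpress documentation: it keeps only the download operation enabled and adds access rules that deny download and editing under the `System` folder. The model is assumed to be the root folder path, as in the view above; the member names (`SettingsEditing.Allow*`, `SettingsPermissions.AccessRules`, `FileManagerFolderAccessRule`, `FileManagerFileAccessRule`, `Rights`) are taken from the DevExpress ASP.NET File Manager API as remembered here and should be checked against the installed version.

```razor
@* Added example (not DevExpress code): FileManagerPartial.cshtml.
   Assumes Model is the root folder path passed from the controller. *@
@model string
@using DevExpress.Web

@Html.DevExpress().FileManager(settings => {
    settings.Name = "FileManager";
    settings.CallbackRouteValues = new { Controller = "Home", Action = "FileManagerPartial" };
    settings.Settings.RootFolder = Model;

    @* Explicitly state every operation so a reviewer can see what is enabled.
       Only download is opened up; everything else stays disabled. *@
    settings.SettingsEditing.AllowDownload = true;
    settings.SettingsEditing.AllowUpload = false;
    settings.SettingsEditing.AllowCreate = false;
    settings.SettingsEditing.AllowDelete = false;
    settings.SettingsEditing.AllowMove = false;
    settings.SettingsEditing.AllowRename = false;
    settings.SettingsEditing.AllowCopy = false;

    @* Access rules are applied on the server during the callback, so they hold
       even when a request for a file under System is crafted outside the UI.
       Folder rule: no uploads into or edits of the System folder.
       File rule: no download of any file matched under System. *@
    settings.SettingsPermissions.AccessRules.Add(
        new FileManagerFolderAccessRule("System") { Upload = Rights.Deny, Edit = Rights.Deny });
    settings.SettingsPermissions.AccessRules.Add(
        new FileManagerFileAccessRule(@"System\*") { Download = Rights.Deny });
}).GetHtml()
```

Listing every `SettingsEditing` flag, rather than relying on the defaults, makes a later change that silently enables an operation easy to spot in code review.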

# Rich Text Editor

Our MVC Rich Text Editor extension allows users to create, open, save, print, and download documents using built-in UI elements or keyboard shortcuts. To disable file management operations and hide corresponding UI elements, set the following to Hidden:

The following code sample disables file management operations within our MVC Rich Text Editor:

```razor
@Html.DevExpress().RichEdit(settings => {
    settings.Name = "RichEdit";
    settings.CallbackRouteValues = new { Controller = "Home", Action = "RichEditPartial" };
    settings.Settings.Behavior.CreateNew = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
    settings.Settings.Behavior.Download = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
    settings.Settings.Behavior.Open = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
    settings.Settings.Behavior.Printing = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
    settings.Settings.Behavior.Save = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
    settings.Settings.Behavior.SaveAs = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
}).Open(Server.MapPath("~/App_Data/Documents/Overview.rtf")).GetHtml()
```

# Spreadsheet

The DevExpress MVC Spreadsheet extension allows users to create, open, save, print, and download documents using built-in UI elements or keyboard shortcuts. To disable file management operations and hide corresponding UI elements, set the following to Hidden:

The following code sample disables file management operations within our MVC Spreadsheet extension:

```razor
@Html.DevExpress().Spreadsheet(settings => {
    settings.Name = "Spreadsheet";
    settings.CallbackRouteValues = new { Controller = "Home", Action = "SpreadsheetPartial" };
    settings.Settings.Behavior.CreateNew = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
    settings.Settings.Behavior.Open = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
    settings.Settings.Behavior.Print = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
    settings.Settings.Behavior.Save = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
    settings.Settings.Behavior.SaveAs = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
}).Open(Server.MapPath("~/App_Data/Documents/MonthlyBudget.xlsx")).GetHtml()
```