V25.1
Prevent Unauthorized Operations

    Follow the strategies outlined in this help topic to prevent unauthorized server-side operations and address the CWE-284 (Improper Access Control) and CWE-285 (Improper Authorization) security risks.

    Restrict Edit Operations

    DevExpress ASP.NET MVC extensions allow data editing by default. To use an extension in read-only mode, ensure that the controller it is mapped to does not implement actions that modify the extension's data. Hiding edit commands in the UI is not enough: a threat actor who knows the route can send a POST request directly to such a controller action without ever using the UI.

    To enable or disable editing conditionally (for instance, to allow delete operations only for an admin account), check the condition inside the corresponding controller action, at the point marked by the comments in the sample below. The check must run on the server for every request; the client's state cannot be trusted:

    using System;
    using System.Web.Mvc;

    public partial class GridViewController : Controller {
        [ValidateInput(false)]
        public ActionResult GridViewPartial() {
            return PartialView("GridViewPartial", NorthwindDataProvider.GetProducts());
        }
        [HttpPost, ValidateInput(false)]
        public ActionResult GridViewAddNewPartial(Product product) {
            // Validate user access permissions here, before any data is touched
            if (ModelState.IsValid)
                SafeExecute(() => NorthwindDataProvider.InsertProduct(product));
            else
                ViewData["EditError"] = "Please, correct all errors.";
            return GridViewPartial();
        }
        [HttpPost, ValidateInput(false)]
        public ActionResult GridViewUpdatePartial(Product product) {
            // Validate user access permissions here, before any data is touched
            if (ModelState.IsValid)
                SafeExecute(() => NorthwindDataProvider.UpdateProduct(product));
            else
                ViewData["EditError"] = "Please, correct all errors.";
            return GridViewPartial();
        }
        [HttpPost, ValidateInput(false)]
        public ActionResult GridViewDeletePartial(int productID = -1) {
            // Validate user access permissions here, before any data is touched
            if (productID >= 0)
                SafeExecute(() => NorthwindDataProvider.DeleteProduct(productID));
            return GridViewPartial();
        }
        // Runs a data operation and reports a failure to the grid instead of
        // letting an exception page surface to the client.
        void SafeExecute(Action action) {
            try { action(); }
            catch (Exception e) { ViewData["EditError"] = e.Message; }
        }
    }
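    The following is an added example (editor's code, not DevExpress's own sample) that fills in the "Validate user access permissions here" comments above with actual server-side authorization. It keeps the page's NorthwindDataProvider, Product and "Admin" role; the "ProductEditor" role and the MaintenanceMode flag are hypothetical names introduced here for illustration.

```csharp
using System;
using System.Web.Mvc;

public partial class GridViewController : Controller {
    [ValidateInput(false)]
    public ActionResult GridViewPartial() {
        return PartialView("GridViewPartial", NorthwindDataProvider.GetProducts());
    }

    // Declarative check: MVC rejects the request before the action body runs,
    // so a hand-crafted POST from an anonymous or non-editor user never
    // reaches the data layer.
    [HttpPost, ValidateInput(false)]
    [Authorize(Roles = "ProductEditor,Admin")]
    public ActionResult GridViewUpdatePartial(Product product) {
        if (ModelState.IsValid)
            SafeExecute(() => NorthwindDataProvider.UpdateProduct(product));
        else
            ViewData["EditError"] = "Please, correct all errors.";
        return GridViewPartial();
    }

    // Delete is restricted to administrators. The attribute is the primary
    // control; the explicit check in the body shows how to add a condition
    // the attribute cannot express (here: a hypothetical maintenance window)
    // and how to answer a callback with a plain 403 instead of a redirect.
    [HttpPost, ValidateInput(false)]
    [Authorize(Roles = "Admin")]
    public ActionResult GridViewDeletePartial(int productID = -1) {
        if (!User.Identity.IsAuthenticated || !User.IsInRole("Admin") || MaintenanceMode)
            return new HttpStatusCodeResult(403, "Delete operations are not permitted.");
        if (productID >= 0)
            SafeExecute(() => NorthwindDataProvider.DeleteProduct(productID));
        return GridViewPartial();
    }

    // Hypothetical application flag (for example, read from configuration).
    static bool MaintenanceMode { get { return false; } }

    // Runs the data operation and reports a failure to the grid instead of
    // letting an exception page surface to the client.
    void SafeExecute(Action action) {
        try { action(); }
        catch (Exception e) { ViewData["EditError"] = e.Message; }
    }
}
```

    Note that there is no GridViewAddNewPartial action in this controller: omitting an action is the read-only mode the section describes, and a POST to that route returns 404 rather than inserting a row. For the actions that do exist, the [Authorize] attribute answers an unauthorized request with the framework's 401 response, which forms authentication turns into a login-page redirect; the explicit 403 inside the delete action is what a grid callback handles more predictably.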
    

    Disable File Management Operations

    This section describes how you can disable file management-related operations when using DevExpress MVC Extensions.

    File Manager

    By default, the DevExpress File Manager extension only allows users to upload files; all other file management operations are disabled. Enable only the operations your application actually needs through the extension's editing settings and leave the rest disabled.

    Always specify access rules and security permissions to restrict operations for individual files or folders (for instance, to allow users to download files from every folder except the System folder). The rules belong in the partial view that declares the extension; the host view below renders that partial view and passes it the model:

    @model string
    
    @using (Html.BeginForm()) {
        @Html.Partial("FileManagerPartial", Model)
    }
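    The following is an added example (editor's code, not the page's or DevExpress's own sample) of the FileManagerPartial view that the host view above renders. It enables download only and then denies it for the System folder. The SettingsEditing, SettingsUpload and SettingsPermissions members and the FileManagerFolderAccessRule/Rights types are taken from the DevExpress.Web API as the editor knows it; verify the names and the rule-precedence semantics against the reference for your version. The assumption that the view's string model is the root folder path is the editor's.

```csharp
@model string
@using DevExpress.Web

@Html.DevExpress().FileManager(settings => {
    settings.Name = "FileManager";
    settings.CallbackRouteValues = new { Controller = "Home", Action = "FileManagerPartial" };
    // Assumption: the host view passes the root folder path as the model.
    settings.SettingsFolders.RootFolder = Model;

    // Allow-list the single operation this page needs. Everything else is
    // switched off explicitly, including upload, which is on by default.
    settings.SettingsEditing.AllowDownload = true;
    settings.SettingsEditing.AllowCreate = false;
    settings.SettingsEditing.AllowDelete = false;
    settings.SettingsEditing.AllowMove = false;
    settings.SettingsEditing.AllowRename = false;
    settings.SettingsEditing.AllowCopy = false;
    settings.SettingsUpload.Enabled = false;

    // Access rules: download is allowed from the root (and, by inheritance,
    // every subfolder) and then denied for the System folder. Keep the deny
    // rule after the allow rule; confirm rule precedence for your version.
    settings.SettingsPermissions.AccessRules.Add(new FileManagerFolderAccessRule {
        Path = "",
        Download = Rights.Allow
    });
    settings.SettingsPermissions.AccessRules.Add(new FileManagerFolderAccessRule {
        Path = "System",
        Download = Rights.Deny,
        Browse = Rights.Deny   // also keep the folder out of the listing
    });
}).GetHtml()
```

    The editing flags and the access rules are enforced when the extension processes the callback on the server, which is why they belong in the extension settings rather than in client-side script. A quick check after deploying: request a download of a file under System through the extension's callback and confirm it is refused even though the download operation is enabled globally.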
    

    Rich Text Editor

    Our MVC Rich Text Editor extension allows users to create, open, save, print, and download documents using built-in UI elements or keyboard shortcuts. To disable these file management operations and hide the corresponding UI elements, set the Settings.Behavior properties shown below to DocumentCapability.Hidden. The following code sample disables all of them within our MVC Rich Text Editor:

    @Html.DevExpress().RichEdit(settings => {
        settings.Name = "RichEdit";
        settings.CallbackRouteValues = new { Controller = "Home", Action = "RichEditPartial" };
        settings.Settings.Behavior.CreateNew = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
        settings.Settings.Behavior.Download = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
        settings.Settings.Behavior.Open = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
        settings.Settings.Behavior.Printing = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
        settings.Settings.Behavior.Save = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
        settings.Settings.Behavior.SaveAs = DevExpress.XtraRichEdit.DocumentCapability.Hidden;
    }).Open(Server.MapPath("~/App_Data/Documents/Overview.rtf")).GetHtml()
    

    Spreadsheet

    The DevExpress MVC Spreadsheet extension allows users to create, open, save, print, and download documents using built-in UI elements or keyboard shortcuts. To disable these file management operations and hide the corresponding UI elements, set the Settings.Behavior properties shown below to DocumentCapability.Hidden. The following code sample disables all of them within our MVC Spreadsheet extension:

    @Html.DevExpress().Spreadsheet(settings => {
        settings.Name = "Spreadsheet";
        settings.CallbackRouteValues = new { Controller = "Home", Action = "SpreadsheetPartial" };
        settings.Settings.Behavior.CreateNew = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
        settings.Settings.Behavior.Open = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
        settings.Settings.Behavior.Print = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
        settings.Settings.Behavior.Save = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
        settings.Settings.Behavior.SaveAs = DevExpress.XtraSpreadsheet.DocumentCapability.Hidden;
    }).Open(Server.MapPath("~/App_Data/Documents/MonthlyBudget.xlsx")).GetHtml()