Search these areas:
Help
Support Forums
Product Info



Introduction
DataWeb: What's New
Creating an Application
The DataWeb Designer
Application Management
Data Tables
Data Tables
Views
Templates
Components
Data Analysis
Members
Security
-Understanding DataWeb Security
-Setting Permissions
-Securing a Web or Folder
-Securing Scripts
Importing
Exporting
FTP
JavaScript
Object Model
Full-Text Search
Domain and Email Hosting
HotBlock Modules
Account Management
Glossary
New Responsive UI Module





DataWeb Help
Support Forums
Tutorial
Script Library
Knowledge Base

Home > Support

DataWeb User's Guide

Securing Scripts
DataWeb Script provides a flexible and powerful means of building web applications. With this flexibility, however, comes the risk that a malicious user could take advantage of the DataWeb Platform's scripting capabilities to access or change private data. To protect your data from this possibility, DataWeb has developed a sophisticated security model for controlling access to scripts.

Scripts can exist in a data class, in a DataWeb Script class, or in a view. The security model applies no matter where the script resides.

Permissions to Create or Edit a Script

In order to create or edit a script, a user's security group must have Design permissions on the folder that contains that script. By default, only the web owner and the Administrators group have Design permissions on the folders of your web.

Permissions to Run a Script

The DataWeb Platform checks security settings for each operation that a running script performs. Two factors determine whether these security checks will be successful for a given operation. The first is the security settings on the folder that contains the script file. The second involves the permissions that are in effect when each script operation is executed.

Folder Security Settings

Whether or not a user has permission to execute script in a given file is first determined by the security settings for the folder that contains the file. In order to execute script in a file, a user must belong to a group that has Browse Files permissions on that folder.

By default, all of the built-in groups (except for the Anonymous group) have Browse Files permissions, so if you don't alter the default security settings, all users will be able to execute script files. If you change the security settings for a folder, note that the Reader role is the minimum security role with Browse Files permissions.

The operations script can perform are also determined by the executing user's permissions in the folder containing the script. For example, a user must belong to a group with Edit Records permissions in order to execute script that edits records in a web.

Script Execution Permissions

There may be cases in which it's useful for script to run with permissions that are different from the current user's. For example, you may want to allow anonymous users to sign themselves up as members of your web. Currently the only way to do this is to write script that the user will execute in order to add themselves.

In order to permit script to perform an operation that the executing user's permissions do not allow, you can define script functions with a qualifier that specifies the executing permissions group for the function.

The following table describes each of the qualifiers available for altering the execution permissions of a function:

Function Qualifier Description
asAdmin Run the function with the permissions of the Administrators group
asStaff Run the function with the permissions of the Staff group
asMember Run the function with the permissions of the Members group
asGuest Run the function with the permissions of the Guests group
asUser Default. Run the function with the permissions of the current user's security group

Note that although these qualifiers form part of the function definition, they apply not to the function itself but to operations performed by the function. Any group with Browse Files permissions can run any function, but they may not have permissions to perform every operation that the function attempts to perform.

The following function adds a user as a member of a web. The function is defined with the asAdmin qualifier, which ensures that the function will run with the same privileges as the Administrators group. Because the Administrators group has permissions to add new members, this function will add the new member.
public asAdmin function AddMeAsMember(email_string)
{
  try
 {
 var mem = Members.getMemberFromEmail(email_string);
 if (mem == null)
   {
   Members.add(email_string, "members");
   response.write("You've been added as
   a member of "
 + request.getServerName() + "\n");
   }
 }
  catch (err)
 {
 response.write("We were unable to add you
 as a member of "
 + request.getServerName() + "\n");
 }
}
Important Limits on Script Execution Permissions

After reading the previous section, you may be wondering what prevents any user from writing a function to run with administrative privileges and performing operations that they wouldn't have permission to otherwise. Any user with Design permissions can create or edit a function like the one in the previous example, whether or not they actually have permission to add members to the web, and there's currently no way for the system to know which user created or edited a particular script.

For this reason, the DataWeb Platform places an additional restriction on executing script. Before a function is run, the system checks the permissions of all groups that have Design permissions on the web, since any user with Design permissions could have edited the function. If the function tries to perform an operation that the group with the least permissions does not have permission to do, then the operation will fail.

For example, suppose that you've granted Design permissions on your web to the Members group, by assigning them the security role of Designer. This means that users who belong to the Members group can modify script in data classes, views, and DataWeb class files. However, users in the Members group don't have permission to add or remove other members from the web. Suppose you then write a function like the previous example, to be run with asAdmin privileges. Before the Members.add() operation is executed, the DataWeb Platform checks to make sure that the script file could not have been edited by someone who does not have permissions to modify membership. In this case, the system would determine that the file might have been edited by a user in the Members group. Because the file might have been edited by someone without the proper permissions, the function will run with the permissions of the Members group, which are insufficient to add a new member.

This behavior is designed to be conservative to protect your data. However, it can get confusing. For example, suppose you, as the owner of the web, were the one who actually edited the function to add new members and to run with administrative privileges. If you've also given the Members group Design permissions on the web, your function will generate a runtime error at the point that it reaches the Members.add() call. This runtime error will happen even for you, because the system recognizes that the script file could have been edited by someone who didn't have permission to add new members (even if it was edited by someone who does have the proper permissions). No matter who you are or what your permissions are, when you're running a function, your permissions are those of the group with the lowest permissions that include the ability to edit the script file.

The default security settings for the web grant Design permissions only to the Administrators group and to the web owner. With these settings, the function in the previous example will run with administrative privileges, for you and for anyone else who has permission to run it (that is, anyone who has Browse Files permissions on the directory containing the file). The function runs without error because it could only have been edited by someone who has permissions to add members.

The Security tab for the web root or a folder indicates the highest privileges with which script in that folder can run. You'll see a list of groups on this page; with the default security settings, only the Administrators group appears on the list. If you assign Design permissions to the Members group, it will also appear on the list. The listed group with the least permissions determines the maximum privileges with which functions will run.

When the execution group - the group with whose permissions the function is running - does not have sufficient permissions to perform a particular operation, an exception is thrown. This exception can be caught and handled like any other exception.

Permissions to Import a Class

In order to import a class and call its methods from within another function, the group under which the script that's importing the class is running must have Browse Files permissions on the folder that contains the class. For example, suppose you have a function in a folder that runs with the permissions of the Members group (because the Members group has Design permissions in that folder). When that function attempts to import a class in another folder, the system checks that the Members group has Browse Files permissions in that folder. If it does, the class will be imported successfully. If it does not, then the class will not be imported, and the import() method of the Classes object will return null.

Permissions to Run Methods of a Class

Once a class has been imported, you can call methods of that class. When you call a method of a class, your code is no longer running in the function that called the method; it is now running in that class. If the class that you've imported is in a different folder than the class containing the calling function, then the permissions with which the method runs are determined by the security settings on that folder and by the qualifier on the function. If there's no qualifier specified, then the function runs with the default asUser qualifier.

Once a method inside of the imported class is running, the security settings on the class containing the calling function are no longer relevant. Only the security settings on the imported class determine whether the script can successfully perform each operation that it attempts.

A More Complex Example

Let's consider an example that is more complicated, but demonstrates a common scenario that could cause you difficulty. Suppose that you have an Admin data table, which you want to make accessible to the web owner and the Administrators group only. You might be tempted to assign the No Access role to the Staff, Members, and Guests groups on the Admin folder, to prevent anyone else from having access. Suppose you then write a function named InsertAuditRecord() to insert a record into the Admin table from the Utilities folder, where the Staff group has the Designer role and thus has Design permissions. No matter who runs the InsertAuditRecord() function, it will always fail, because the function will run with the permissions of the execution group, and those will be the permissions of the least group with Design permissions. Even when the web owner runs the script, it will run with the permissions of the Staff group, which are not sufficient to insert a record into the Admin table if the Staff group has the No Access role there.

A simple way to remedy this situation is to remove the Staff group's Design permissions, so that the function will run with administrative privileges.

A somewhat more complicated approach is to assign the Reader role on the Admin table to the Staff group. Create a class in the Admin folder, and add your function to that class, defining it with the asAdmin qualifier. Then import that class from the Utilities folder. Because the Staff group now has the Reader role on the Admin table, the script running in the Utilities folder will be able to import the class. And because the InsertAuditRecord() function is defined with the asAdmin qualifier, and only the Administrators group has Design privileges on the Admin table, the InsertAuditRecord() function is guaranteed to run with administrative privileges, and will insert the record into the table. The drawback to this approach is that the Staff group will then also have permissions to read the data in the Admin table.

Troubleshooting Security and Scripting

The DataWeb security model is powerful, but it can get complicated. To minimize hassles for yourself, consider the following pointers:

•  Modify security settings for just one directory at a time. Test your script and make sure everything works as expected. When you're confident that your settings are correct, repeat the process for another directory. It may take longer to design your web in this manner, but it can save you difficult debugging problems later.
•  Be judicious when assigning Design, Set Security, and Change Members permissions to a group. Consider whether those permissions are truly necessary for the group.
•  Keep in mind that the permissions in effect when a function is running do not necessarily correspond to the permissions that the current user normally has. The permissions in effect when a function is running are those of the group with the least permissions that include Design permissions - that is, the group with the least permissions who could have edited the script. Even the web owner or an administrator may be restricted by this limitation.
Affiliate | Partner | Terms of Use | Privacy Policy | Contact Us | Pricing | Bring DataWeb In-House    
DataWeb, 720 North 10th Street, A #145, Renton, Washington 98057 *425-583-5970* Fax 484-770-4706* Email Us