misha.chandan (Posts: 27), posted 15:53 Mar 01, 2015:
Hello Professor,
Regards, Misha Chandan
cysun (Posts: 2935), posted 17:14 Mar 01, 2015:
The simplest way to test security is to "enter URL manually". For example, suppose the URL for an advisor to see a student's plan is viewPlan.html?studentId=1. You can log in as a student and manually enter that URL in the browser and see if you can access it as a student. Most UI designs would hide functions that users don't have access to, but hiding things is not enough to deter potential attackers. By "entering URL manually" you can bypass the UI and check if the underlying function is actually secure.
nirajpatel2402 (Posts: 8), posted 17:58 Mar 01, 2015:
4. The user interface should hide operations from the users who do not have the privilege to perform those operations. Is it ok?
cysun (Posts: 2935), posted 19:40 Mar 01, 2015:
If in your implementation a user can only have one role, then yes.
misha.chandan (Posts: 27), posted 20:27 Mar 01, 2015:
> If in your implementation a user can only have one role, then yes.

In my User model, one user can have multiple roles and a different UI for each role. I think I will not need the security tag library as I have specified restrictions on URLs like /admin/**. Is it ok?
cysun (Posts: 2935), posted 20:40 Mar 01, 2015:
I'm thinking of a UI like CSNS where under the Home menu there are two links, Instructor Home and Student Home. If a user only has the Student role, the Instructor Home link will be hidden. Depending on your UI design, you may or may not need to do something like that, but do note that this is not just about security, but also good UI design, which says don't show users things that they don't have access to.
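The two layers discussed in cysun's replies above, as an added example that is not code from the thread, from CSNS or from Spring Security: a URL-pattern rule in the spirit of /admin/** enforced on every request, an object-level check that a pattern alone cannot express (which advisor may view which student's plan), and a probe that performs the "enter the URL manually" test regardless of what the UI hides. It is written in Python as a model of the idea; the users, roles and advisor assignments are constructed sample data.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: a user may hold several roles, as in the poster's User model.
USERS = {
    "alice": {"STUDENT"},
    "bob":   {"ADVISOR", "STUDENT"},
    "carol": {"ADMIN"},
}
ADVISOR_OF = {"bob": {1, 2}}   # bob is the advisor of students 1 and 2 (constructed)

# URL-pattern rules, the equivalent of restricting /admin/** to the ADMIN role.
URL_RULES = [("/admin/**", "ADMIN"), ("/advisor/**", "ADVISOR")]

def path_matches(pattern, path):
    """Minimal ant-style matcher: a trailing '/**' matches the prefix and anything below it."""
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    return path == pattern

def menu_links(user):
    """What the UI would render for this user. This is the 'hide it' layer only."""
    links = ["/home"]
    if "ADVISOR" in USERS[user]:
        links.append("/advisor/viewPlan.html?studentId=1")
    if "ADMIN" in USERS[user]:
        links.append("/admin/users")
    return links

def authorize(user, url):
    """Server-side decision made on every request; returns an HTTP status code."""
    parts = urlsplit(url)
    # Layer 1: role required by URL pattern, checked whether or not the UI showed a link.
    for pattern, role in URL_RULES:
        if path_matches(pattern, parts.path) and role not in USERS[user]:
            return 403
    # Layer 2: object-level check. A pattern cannot say whether THIS advisor may
    # view THIS student's plan, so it is decided per request from the data.
    if parts.path == "/advisor/viewPlan.html":
        query = parse_qs(parts.query)
        if "studentId" not in query:
            return 400
        if int(query["studentId"][0]) not in ADVISOR_OF.get(user, set()):
            return 403
    return 200

def probe(user, url):
    """The manual test: log in as `user`, type `url`, compare with what the menu offered."""
    return {"shown_in_ui": url in menu_links(user), "status": authorize(user, url)}
```

A link that is hidden but answers 200 when typed in directly is the gap the manual test is meant to find.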
misha.chandan (Posts: 27), posted 20:50 Mar 01, 2015:
Thank you.