Must a guest user role overwrite all other user roles on an entity?

1
Hi All,

Must a guest user role overwrite all other user roles on an entity?

We added a guest role to an entity somehow. It overwrote all our other user roles' rights to the entity. E.g. a user can only see POs for their own company by the XPath on the entity. But with a guest user role added, all users could see all POs. Are all other user roles also seen as a guest user?

Is this correct or is it a Mendix bug? We have fixed our system but just want to share, as this one crept up from nowhere and made us look pretty stupid.

Regards, Patrick
asked
1 answers
2

This scenario sounds highly unlikely: it would be a huge security incident and would also be very noticeable: most applications I know of have a role for e.g. an administrator which has read access to entities unconstrained by XPath. One would expect that, if the behavior you described is a platform bug, many more applications would be impacted.

The alternative scenario, where someone on your team made a modeling error, would seem more likely. If you're convinced that is not the case, you should submit a bug report for this and let Mendix investigate if there is an issue in the platform.

Finally, giving anonymous users unconstrained read rights is a security risk you are introducing in your application: if someone knows the URL of your application, they can easily extract all the data. You can check this yourself, e.g. by using https://securitycheck.webflight.nl/

answered