Construct Pages should not auto add to all groups

BOAUnited

When using Full Construction sources in Design, the page that auto generates is added to all WebApp groups with full edit/delete access. 1. That breaks the security model and 2. That is not made clear to the user. The group add should be controlled by the CranSoft.dbo.BaseGroup table like it is on the manual page add. At GenRe we are starting a security audit and came across these pages. I've confirmed this code is still executed as of 6.5.2.

 

webTargetSource_CreatePageIns is the SP that executes from Console and apiCranSoftWebAppGroupPage_AllGroups_Ins is the underlying SP in Common that adds the groups.

 

Here is the change I am making to the Common SP to add a join to BaseGroup:

FROM
   [CranSoft].dbo.[WebAppGroup] INNER JOIN [CranSoft].dbo.[BaseGroup] ON
   [CranSoft].dbo.[WebAppGroup].[GroupName] = [CranSoft].dbo.[BaseGroup].[GroupName]

  • Alyssa Sliney
  • Feb 1 2017
  • Future consideration
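An added T-SQL example, not part of the original post or the vendor's code, showing the over-grant described above and an audit query for it on constructed data. Only the table names WebAppGroup and BaseGroup and the GroupName column come from the post; the temp tables, the #GroupPage table, its other columns and the sample rows are assumptions.

```sql
-- Constructed sample data in temp tables; nothing here touches the CranSoft database.
CREATE TABLE #WebAppGroup (GroupName nvarchar(50) PRIMARY KEY);
CREATE TABLE #BaseGroup   (GroupName nvarchar(50) PRIMARY KEY);
CREATE TABLE #GroupPage (              -- hypothetical group-to-page grant table
    GroupName   nvarchar(50) NOT NULL,
    PageName    nvarchar(50) NOT NULL,
    AllowEdit   bit NOT NULL,
    AllowDelete bit NOT NULL,
    PRIMARY KEY (GroupName, PageName)
);

INSERT INTO #WebAppGroup (GroupName)
VALUES (N'Designers'), (N'Auditors'), (N'ReadOnlyUsers');
INSERT INTO #BaseGroup (GroupName)
VALUES (N'Designers');

-- Behaviour reported in the post: the generated page is granted to every
-- WebApp group with edit and delete rights.
INSERT INTO #GroupPage (GroupName, PageName, AllowEdit, AllowDelete)
SELECT g.GroupName, N'ConstructPage_Before', 1, 1
FROM #WebAppGroup AS g;

-- Behaviour with the join proposed in the post: only groups that are also
-- listed in BaseGroup receive the page.
INSERT INTO #GroupPage (GroupName, PageName, AllowEdit, AllowDelete)
SELECT g.GroupName, N'ConstructPage_After', 1, 1
FROM #WebAppGroup AS g
INNER JOIN #BaseGroup AS b ON g.GroupName = b.GroupName;

-- Audit query: edit/delete grants held by groups that BaseGroup does not list.
-- Rows returned here are the grants the unfiltered insert created.
SELECT gp.PageName, gp.GroupName, gp.AllowEdit, gp.AllowDelete
FROM #GroupPage AS gp
LEFT JOIN #BaseGroup AS b ON b.GroupName = gp.GroupName
WHERE b.GroupName IS NULL
  AND (gp.AllowEdit = 1 OR gp.AllowDelete = 1)
ORDER BY gp.PageName, gp.GroupName;

DROP TABLE #GroupPage, #BaseGroup, #WebAppGroup;
```

Against a real installation the audit query would need the product's actual group-to-page table and column names, which the post does not give.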