Appian Community
I want to create an Appian Servlet plugin, so in SAIL form I can create a link t
guozhangy
over 10 years ago
I want to create an Appian Servlet plugin, so in SAIL form I can create a link to invoke that servlet by using
a!linkField(
  label: "Links",
  links: a!safeLink(
    uri: "/suite/plugins/servlet/excelReport?reportId=123&startIndex=1&batchSize=100",
    label: "download"
  )
)
The problem is that each user only has access to some of the reports, and the user can beat this limitation by just changing the report id in the URL.
So my questions are:
1) Can we pass the process variable (which is the report id) into the servlet without passing it as a request parameter? Or is there a way to pass the info as a POST instead of a GET?
2) If this is not feasible, is there a way to get the current user of the SAIL form from the servlet, so I can make sure the user can only access the reports that the user is allowed to access?
3) Can the servlet access the Appian objects that I have created, such as the rule constants?
...
OriginalPostID-140186
guozhangy
over 10 years ago
...
4). What is the best way for the servlet to access the data source (such as jdbc/myDS)?
Thanks.
abhi.jana
Appian Employee
over 10 years ago
You should be able to specify the URI string as a constant and pass the constant as the uri parameter in a!safeLink():
a!linkField(
  label: "testlink",
  links: a!safeLink(
    label: "testsafe",
    uri: cons!TEST_SAFEURI
  )
)
guozhangy
over 10 years ago
Thanks. But that is still in SAIL. Is there a way for the servlet to get the process variable? Also, is there a way to get the user that calls the servlet? Maybe request.getRemoteUser()?
ENOSH EZEKIEL
A Score Level 1
over 9 years ago
We also have a similar vulnerability raised in our project for the same mechanism mentioned above. If a user copies and pastes the servlet URL, like
<domain>/plugins/servlet/doId=12343112332123, he can download the doc. If User A edits the doc Id to another id, the doc gets downloaded even though the user doesn't have access to it!
How can we control this based on the security?
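Both the original question (2) and the doc-download case above describe the same flaw: the servlet trusts an object id that the client supplies, so anyone with a session can swap in another id. Moving the id from the query string to a POST body or behind a constant does not change that, because everything the client sends is under the client's control; the only fix is for the servlet to establish who is calling and check server-side whether that user may read the requested id. The following is an added example written for this page, not code from Appian or from either poster. It is written against plain javax.servlet rather than Appian's plugin base class, assumes request.getRemoteUser() returns the platform-authenticated username (the call the original poster suggested; substitute whatever identity call the plugin framework actually provides), and uses a hypothetical ReportAuthorizer with constructed sample data in place of the real per-user report security lookup. ExcelReportServlet, parseReportId and writeReport are likewise hypothetical names.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not Appian's code and not the original poster's plugin.
 * Assumptions (hypothetical names throughout):
 *  - The servlet is reachable only through the platform's authenticated
 *    session, so request.getRemoteUser() is the caller's username. If the
 *    plugin framework exposes the identity some other way, use that call
 *    instead; never derive the user from anything in the URL.
 *  - ReportAuthorizer stands in for the lookup that decides which report ids
 *    a user may read; a real plugin would consult the same security data the
 *    SAIL form uses when it lists the user's reports.
 *  - Written against plain javax.servlet; a real Appian plugin extends the
 *    platform's servlet base class instead.
 */
public class ExcelReportServlet extends HttpServlet {

    /** Hypothetical server-side authorization source: user -> readable report ids. */
    static final class ReportAuthorizer {
        private final Map<String, Set<Long>> allowed;

        ReportAuthorizer(Map<String, Set<Long>> allowed) {
            this.allowed = allowed;
        }

        boolean canRead(String user, long reportId) {
            Set<Long> ids = allowed.get(user);
            return ids != null && ids.contains(reportId);
        }
    }

    private final ReportAuthorizer authorizer;

    /** Container-invoked constructor; the table below is constructed sample data. */
    public ExcelReportServlet() {
        this(new ReportAuthorizer(Map.of(
                "alice", Set.of(123L, 124L),
                "bob",   Set.of(200L))));
    }

    ExcelReportServlet(ReportAuthorizer authorizer) {
        this.authorizer = authorizer;
    }

    /** VULNERABLE shape of the handler described in the thread: the report id is
     *  taken from the query string and used directly, so any logged-in user can
     *  change reportId=123 to reportId=124 and download a report never granted to them. */
    void vulnerableDoGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        long reportId = Long.parseLong(req.getParameter("reportId"));
        writeReport(reportId, resp);
    }

    /** HARDENED handler: identity from the session, decision from server-side data,
     *  and the request fails closed whenever either is missing. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getRemoteUser();   // assumption: populated by platform authentication
        if (user == null || user.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Long reportId = parseReportId(req.getParameter("reportId"));
        if (reportId == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (!authorizer.canRead(user, reportId)) {
            // 404 rather than 403 so a probing user cannot enumerate which ids exist
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        writeReport(reportId, resp);
    }

    /** Parses the untrusted reportId parameter; null for absent, non-numeric or non-positive values. */
    static Long parseReportId(String raw) {
        if (raw == null) {
            return null;
        }
        try {
            long id = Long.parseLong(raw.trim());
            return id > 0 ? id : null;
        } catch (NumberFormatException e) {
            return null;
        }
    }

    /** Stand-in for the real report generation (constructed body). */
    private void writeReport(long reportId, HttpServletResponse resp) throws IOException {
        resp.setContentType("application/vnd.ms-excel");
        resp.setHeader("Content-Disposition", "attachment; filename=\"report-" + reportId + ".xls\"");
        resp.getOutputStream().write(("report " + reportId).getBytes(StandardCharsets.UTF_8));
    }
}
```

With the sample table, a session for alice requesting reportId=124 is served, while the same session requesting reportId=200 gets a 404 even though the id is valid, and a request with no authenticated principal gets a 401 before the id is even parsed. The same pattern applies unchanged to the doc id in the second poster's URL: the id names the object, the session names the user, and the servlet must join the two against server-side permissions on every request.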