Breeze: how to make the original values map more secure -


i use originalvaluesmap custom auditing on save. in breeze docs, mention may need add additional security (it's coming client, don't trust it).

my goal find way validate original values map not tampered with, audit entries accurate. (an example of exploit want defeat of altering value in original values map make if had not changed value).

i thinking doing this:

  1. when data queried server, apply hash values of entity
  2. include hash in serialization graph of entity (so hash opaque value sent client, salt hash secret known server).
  3. when client calls save changes, echo hash server
  4. inside of beforesaveentities, reconstruct original entity using values originalvaluesmap.
  5. a hash of "de-deltaed" entity should match original.

my problem is, don't know how insert hash breeze's serialization graph , extract out.

it looks there several promising extension points (custom serializer on client, custom content provider).

how 1 this? there better way? nuts?

you nuts.

but seriously, straightforward way re-query existing data database see originalvaluesmap matches in db. if don't, either originalvaluesmap has been tampered with, or db record has been updated (by else) since queried. save should aborted in either case.

while @ it, you'll want enforce other rules on server:

  • some entities illegal save (e.g. users not allowed add new countries lookup table)
  • some entities can saved users in role (e.g. administrators)
  • some entities can saved users 'own' them (e.g. user can update order belongs them)
  • the values sanity-checked (e.g. prices positive, quantities reasonable)
  • the operation sanity-checked (e.g no user can create more 1000 orders in 1 hour)
  • other business rules applied (e.g. credit limits, time-of-day restrictions, etc.)

obviously of these won't apply app, may find there rules require querying database anyway. that's how should verify originalvaluesmap.

if intent on using "hash" technique, easiest way data , forth client add property in domain model base class isn't mapped database. you'll populate property on server before serialization.


Comments

Popular posts from this blog

python - Subclassed QStyledItemDelegate ignores Stylesheet -

java - HttpClient 3.1 Connection pooling vs HttpClient 4.3.2 -

node.js - StackOverflow API not returning JSON -