1. We suggest you do NOT update to Joomla 3.8.10 until we can resolve an issue it causes with caching in Fabrik. If you do install it, you'll need to disable Joomla's "System Cache" in the global System settings.
  2. Apologies for the recent server outage, a planned migration by our host provider to a new location turned into a bit of a nightmare.

Security level - some considerations

Discussion in 'Professional Support' started by lcollong, Nov 25, 2016.

  1. lcollong

    lcollong FabriKant d'applications web

    Level: Professional
    Hi,

    I've recently realized how easy it could be for someone to list some hidden tables.

    In several apps, I use a lot of Fabrik's lists together with a private area on the front (intranet, extranet). Most of the lists are displayed through J! menus. These menus are reserved to some J! user access levels. Thus, public visitors can't have access to these lists. I used to carefully tune them regarding ACL permissions. Except if there are good reasons for that (public access data), almost none of these rights are under the registered level.

    Even on a SEF-enabled site, it's easy for someone (or a bot) knowing a little bit of Joomla and Fabrik to test URLs like www.mysite.com/index.php?option=com_fabrik&view=list&listid=X
    For most of them the answer will be a 500 error with an "incorrect list id" message (which is a proof of the Fabrik engine's presence if you have no htaccess redirection on this error number). For all the lists used on the private part, the answer will be something like "you do not have the right to access this resource", which is also a kind of encouragement to test further.

    I also use some "service tables" to store parameters, internal rights, logs, n-m relationship tables and so on. Most of them are not used in menus. They are used in DBjoin elements, CDD, PHP plugins etc... They are "hidden", so I've missed changing the ACL since I never "call" them directly on the front part of the app. These tables show up nicely with all their data after some tries on the listid number! Including the #__users one I use frequently to check the app's rights against the logged user.

    Of course, this is not a Fabrik problem. I should have checked the ACL on all the lists. It's a "programmer failure".

    However, I think it could help to have the default ACL level on list creation set to "registered" rather than "public". Or at least that a parameter should give us the opportunity to set this default value for all further list creations. Or, ideally, to have a kind of batch process allowing us to set the ACL on all the lists.

    Another solution I'll probably use meanwhile is to modify the default list template so that it throws a kind of "error 404 message" instead of displaying the table's data. But I guess I need to do it also for the detail and form templates.

    Just some thoughts......
     
  2. lcollong

    lcollong FabriKant d'applications web

    Level: Professional
    Some SQL I've used to figure out how many lists were involved and modify the ACL for those left in the "default" mode.
    If it may help. Use with caution. It may break your setup. Always back up before modifying anything directly in Fabrik's tables.
     

    Attached Files:
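    As an added example (not lcollong's attached SQL and not part of Fabrik), the kind of audit the first two posts describe: inventory the lists still viewable by Public, single out those no site menu item points at (the "service tables" reached only through joins, CDD or PHP plugins), and raise them to Registered. It assumes Fabrik stores a list's view access level in the `access` column of `#__fabrik_lists`, that `#__menu` and `#__viewlevels` have the standard Joomla columns, and that the view level ids are a default install's; the ids in the UPDATE are placeholders.

```sql
-- "#__" is the Joomla table prefix placeholder (see configuration.php); substitute yours.
-- View level ids on a default Joomla install: 1 = Public, 2 = Registered, 3 = Special.
-- Assumption: a list's view ACL is the `access` column of #__fabrik_lists.

-- 1. Inventory: every list still viewable by Public, with its view level spelled out.
SELECT l.id, l.label, l.db_table_name, v.title AS view_level
FROM `#__fabrik_lists` AS l
JOIN `#__viewlevels` AS v ON v.id = l.access
WHERE l.access = 1
ORDER BY l.id;

-- 2. The risky subset: Public lists with no published site menu item pointing at them.
--    These are the lists nobody locked down because they are never called directly,
--    yet they answer to index.php?option=com_fabrik&view=list&listid=N all the same.
SELECT l.id, l.label, l.db_table_name
FROM `#__fabrik_lists` AS l
WHERE l.access = 1
  AND NOT EXISTS (
    SELECT 1
    FROM `#__menu` AS m
    WHERE m.published = 1
      AND m.client_id = 0   -- site menus only, not administrator menus
      -- exact match or the same link with further parameters; avoids listid=1 matching listid=12
      AND (m.link = CONCAT('index.php?option=com_fabrik&view=list&listid=', l.id)
        OR m.link LIKE CONCAT('index.php?option=com_fabrik&view=list&listid=', l.id, '&%'))
  )
ORDER BY l.id;

-- 3. Remediation: after reviewing query 2, raise the reviewed lists to Registered.
--    Name the ids explicitly instead of updating "WHERE access = 1" blindly, so lists
--    that are meant to be public stay public. Run in a transaction (and after a backup).
START TRANSACTION;
UPDATE `#__fabrik_lists`
SET access = 2
WHERE access = 1
  AND id IN (12, 17, 23);   -- placeholder ids: replace with the ids query 2 returned
-- Check the affected rows before committing; ROLLBACK if the count is not what you expected.
SELECT id, label, access FROM `#__fabrik_lists` WHERE id IN (12, 17, 23);
COMMIT;
```

    This only covers the view ACL that exposes the data in the scenario above; Fabrik keeps the add/edit/delete rights of a list in its separate settings and they are not touched here.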

  3. troester

    troester Well-Known Member Staff Member

    Level: Standard
    +1
    Yes, it would be nice to have configurable list default settings.
    I just tried with the content_type feature but this doesn't take over the list settings, only elements and groups.

    So it could be in Fabrik Options and/or in content_types.
     
    Amuleta likes this.
  4. lcollong

    lcollong FabriKant d'applications web

    Level: Professional
    I don't know what the "content_type feature" is. What are you talking about?

    Meanwhile I wrote a "quick'n dirty little script" to check a given URL against possible "open" lists.
    I put it here in case someone would like to play with it and/or improve it. There is a lot to do! :)

    Maybe such a tool could be included in Fabrik core? I would imagine some "magic URL" like:
    ...index.php?option=com_fabrik&checkacl
    which would go through all the lists verifying ACL vs the current registered user (or not). Debug switch dependent, of course.
     

    Attached Files:

  5. troester

    troester Well-Known Member Staff Member

    Level: Standard
    Content types: I thought there was something in the WIKI but I can't find it.
    Rob added it about a year ago.
    There's a new column "Content Type" in the form listing. You can "Export" your form and then use this exported content type during the list creation process (your new list will have the same groups and elements).
    The created file (administrator\components\com_fabrik\models\content_types\your-form.xml) can be copied to other Fabrik installations, so it's some sort of "Package" feature.
     
  6. lcollong

    lcollong FabriKant d'applications web

    Level: Professional
    Yes of course I know it. Indeed, it could be a nice way to set some kind of default setup for further list creation.
    I usually don't use it as I prefer to set table-dependent names for the columns (cust_id, cust_name, cust_address, etc...). I know Fabrik does it already with the "full name" but it makes things easier on a big app with a lot of elements and external scripts doing extensive additional SQL.
     
  7. cheesegrits

    cheesegrits Support Gopher Staff Member

    Level: Professional
    In principle, I don't have a problem with changing the defaults for list ACLs to be Registered. And even set Delete to be Special.

    @troester - can you think of any potential gotchas with doing that? It wouldn't affect existing lists, just new ones.

    -- hugh
     
  8. Amuleta

    Amuleta Member

    Level: Community
    It would be really cool to have default access configurations, for lists and elements, in the Fabrik Global Configuration. Is that a big ask?
     
  9. cheesegrits

    cheesegrits Support Gopher Staff Member

    Level: Professional
    Hmmm. Not technically difficult, but potentially time consuming. Anything to do with adding global config settings, and inheriting those elsewhere, tends to involve a lot of tedious coding.

    If I can't think of any gotchas with changing the defaults on list ACLs, I'll have a look at doing it when I do that, at least for lists to start with.

    -- hugh
     
    lcollong likes this.
  10. Amuleta

    Amuleta Member

    Level: Community
    A lot of tedious coding for you, but potentially hours less tedious configuring for me :D
     
  11. cheesegrits

    cheesegrits Support Gopher Staff Member

    Level: Professional
    It's always a trade off. :)

    -- hugh
     
    Amuleta likes this.
