SQL queries in JS

[Aditya Mukhopadhyay]

Hi,

While going through the application files, I noticed that there are SQL queries being constructed in JS files (for example in account.js for the account doctype).

This design looks like it could have some security vulnerabilities, for example a user could alter the query on the client side to gain access to data that he is not authorized for.

It would be great if someone could shed some light on whether some counter-measures are being applied on the server side to prevent unauthorized access and any other form of SQL-based attack.

Thanks,

Aditya

[Rushabh Mehta]

Aditya,

Most (not all) of these queries are parsed / verified on the server side and appropriate permission rules are applied.

You are right this is a potential issue, whereby an authenticated user could get access to data that the user is not permitted to access. We plan to move these to the server side eventually.

Thanks for reminding this again. We were keeping this as a "good to have", but I think the priority for this should be much higher.

best,

Rushabh

--
You received this message because you are subscribed to the Google Groups "ERPNext Developer Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to erpnext-developer...@googlegroups.com.
To post to this group, send email to erpnext-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/erpnext-developer-forum/-/oyusa-rEo4YJ.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

--

https://erpnext.com

Twitter: @rushabh_mehta