APEX

Restricted item being changed from browser.

LukeT, Dec 1 2015 — edited Dec 8 2015

One of our end users was able to view pages they were not authorized to. We later discovered a logic error in one of our authorization schemes and have since corrected the issue.

The problem arose from an application item being set to NULL. Although we had this item set to "Restricted - May not be set from browser", you are still able to nullify it via the URL by passing APP in the clear cache position. (ex. &SESSION_ID.::NO:APP:: )

It did, though, throw an error if I tried to nullify it via the name/value parameters (ex. &SESSION_ID.::NO::ITEM_NAME: )

Is this expected behaviour? - I was expecting that any protected items would never be touched even with clear cache.

Luke

using version 5.0.2.00.07

This post has been answered by Mike Kutz on Dec 2 2015
Locked on Jan 5 2016
Added on Dec 1 2015
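
An added example, not part of the original post or of APEX itself: a log check that finds the two URL forms described in the question, a clear-cache keyword that resets application items and a restricted item named in the item-names position. It assumes the documented `f?p=App:Page:Session:Request:Debug:ClearCache:ItemNames:ItemValues` layout and a combined-format access log; the log lines, application ID, session ID and the restricted item set are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# f?p=App:Page:Session:Request:Debug:ClearCache:ItemNames:ItemValues
CLEAR_CACHE_POS, ITEM_NAMES_POS = 5, 6
# Clear-cache keywords that reset application items, not only page items.
APP_WIDE = {"APP", "SESSION"}
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample access-log lines (app 100 and session 123 are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2015:10:00:00 +0000] "GET /ords/f?p=100:2:123::NO:2:P2_ID:7 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Dec/2015:10:00:09 +0000] "GET /ords/f?p=100:1:123::NO:APP:: HTTP/1.1" 200 734',
    '10.0.0.5 - - [01/Dec/2015:10:00:15 +0000] "GET /ords/f?p=100:1:123::NO::ITEM_NAME: HTTP/1.1" 200 301',
]

def parse_fp(url):
    """Return (clear_cache_tokens, item_names) for an f?p URL, else None."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "p" not in qs:
        return None
    parts = qs["p"][0].split(":")
    parts += [""] * (8 - len(parts))          # pad omitted trailing positions
    split = lambda s: [t.strip().upper() for t in s.split(",") if t.strip()]
    return split(parts[CLEAR_CACHE_POS]), split(parts[ITEM_NAMES_POS])

def flag_requests(lines, restricted_items):
    """Return (line_no, reason) for requests that touch application-level state."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        parsed = parse_fp(m.group(1)) if m else None
        if parsed is None:
            continue
        clear_cache, names = parsed
        for kw in clear_cache:
            if kw in APP_WIDE:                # wipes application items too
                hits.append((n, f"clear-cache {kw}"))
        for name in names:
            if name in restricted_items:      # attempt to set a protected item
                hits.append((n, f"restricted item {name} in URL"))
    return hits

if __name__ == "__main__":
    # ITEM_NAME is the placeholder from the post; supply your own item names.
    for line_no, reason in flag_requests(SAMPLE_LOG, {"ITEM_NAME"}):
        print(line_no, reason)
```

A hit on a clear-cache keyword is not malicious by itself, since applications use it in their own links; it marks the requests after which an authorization scheme may see the item as NULL.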