Users can see detail records of other users

While User ID security is on, a user (who has no master records yet) can see the detail records of all other users.

Steps to reproduce:

  1. Create a project with a users table, a master table, and a details table
  2. Activate the USER ID security, assigning the “User ID Field” for the users and master table.
  3. Login as user X, create a master record and a detail record. Logout.
  4. Login as user Y. Don’t create a master record; go directly to the details page. You’ll see the details record of User X (and all other users).

I checked the SQL sent to the server and found it as:

  1. SELECT * FROM users WHERE (user_id = 1)
  2. SELECT master_id FROM master WHERE user_id IN (1) //0 records returned
  3. SELECT COUNT(*) FROM details //The problem starts here. Since 0 records returned in line 2, “WHERE master_id IN (#)” is not included in this query
  4. SELECT master_id FROM master WHERE user_id IN (1)
  5. SELECT * FROM details //Again since 0 records returned in line 2, “WHERE master_id IN (#)” is not included in this query

The queries have no problem when “Use subquery for user ID Security checking in detail tables” is turned on, which by default is off.

Tested with the demo project: logged in as a non-admin user (e.g. nancy) and went to the Order Details page directly. The records are protected by the User ID. If debug is enabled, you get the following SQL:

SELECT *, UnitPrice*Quantity*(1-Discount) AS [SubTotal] FROM [dbo].[Order Details] WHERE [OrderID] IN (10258,10270,10275,10285,10292,10293,10304,10306,10311,10314,10316,10325,10340,10351,10357,10361,10364,10371,10374,10376,10377,10385,10387,10393,10394,10396,10400,10401,10405,10453,10461,10465,10469,10473,10482,10486,10508,10524,10525,10537,10542,10546,10558,10562,10567,10579,10587,10591,10598,10604,10605,10612,10616,10618,10626,10630,10653,10655,10664,10665,10668,10671,10677,10680,10689,10690,10709,10710,10713,10717,10718,10733,10743,10746,10773,10776,10785,10788,10789,10792,10800,10813,10821,10825,10827,10834,10835,10842,10850,10859,10877,10886,10888,10894,10900,10902,10909,10910,10916,10921,10928,10946,10950,10952,10968,10969,10975,10976,10981,10984,10991,10992,10995,11012,11023,11027,11038,11039,11064,11067,11069,11071,11077,11250,18267,18268,18270,18271) ORDER BY @@version OFFSET 0 ROWS FETCH NEXT 5 ROWS ONLY

As I stated in my first post “a user (who has no master records yet) can see the detail records of all other users”. When you delete the Orders of Nancy, she’ll be able to see all the OrderDetails records of the database.

Login as user Y. Don’t create a master record; go directly to the details page. You’ll see the details record of User X (and all other users).

Since the detail records are not User ID protected, if you go to the detail list page directly, no User ID protection is applied. You can add checking to redirect the user if the current master table is empty.

This is a serious security issue that should be dealt with by ASPNETMaker. The known procedure for securing records in ASPNETMaker is to put the user ID only in the master table, and this presumably would secure the detail records too. I know that a developer should be able to add the security measure himself, as you said to check first if the user has any master records or not, but this does not mean that the current behavior is normal. It’s a crucial security issue because 1. It’s assumed that putting the user ID in master would secure the details (no exceptions are given in the documentation) 2. It’s not documented that if the user had no master records he’d see all the detail records of the database.

Please update to the latest template (Tools → Update Template) and try again.

Thanks. I just updated it again a bit ago and the problem is solved. Good job.
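The failure mode reported in the first post, reproduced as an added example (not part of the thread and not ASP.NET Maker's generated code): a detail filter built from a list of master IDs fails open when the list is empty, while a match-nothing filter or a subquery stays closed. The table and column names follow the queries in the first post; the function names, the sample rows and the use of SQLite as a stand-in database are assumptions made for this sketch.

```python
import sqlite3

# Constructed sample data mirroring the thread: user 1 (X) owns master 10 and
# its two detail rows; user 2 (Y) owns no master records.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE master  (master_id INTEGER PRIMARY KEY, user_id INTEGER);
        CREATE TABLE details (detail_id INTEGER PRIMARY KEY, master_id INTEGER);
        INSERT INTO master  VALUES (10, 1);
        INSERT INTO details VALUES (100, 10), (101, 10);
    """)
    return db

def master_ids(db, user_id):
    rows = db.execute("SELECT master_id FROM master WHERE user_id = ?", (user_id,))
    return [r[0] for r in rows]

def details_fail_open(db, user_id):
    """Behaviour reported in the thread: no master IDs means no WHERE clause."""
    ids = master_ids(db, user_id)
    sql = "SELECT detail_id FROM details"
    if ids:  # an empty list silently skips the filter
        sql += " WHERE master_id IN (%s)" % ",".join("?" * len(ids))
    return [r[0] for r in db.execute(sql + " ORDER BY detail_id", ids)]

def details_fail_closed(db, user_id):
    """Same ID-list approach, but an empty list becomes a match-nothing filter."""
    ids = master_ids(db, user_id)
    if ids:
        where = "master_id IN (%s)" % ",".join("?" * len(ids))
    else:
        where = "1 = 0"
    sql = "SELECT detail_id FROM details WHERE %s ORDER BY detail_id" % where
    return [r[0] for r in db.execute(sql, ids)]

def details_subquery(db, user_id):
    """Subquery form: the filter is always present, so zero masters give zero rows."""
    sql = ("SELECT detail_id FROM details WHERE master_id IN "
           "(SELECT master_id FROM master WHERE user_id = ?) ORDER BY detail_id")
    return [r[0] for r in db.execute(sql, (user_id,))]

if __name__ == "__main__":
    db = make_db()
    for fn in (details_fail_open, details_fail_closed, details_subquery):
        print(fn.__name__, "X:", fn(db, 1), "Y:", fn(db, 2))
```

A regression test for this class of bug should always include a user with zero master records, since every variant returns the same rows for a user who owns at least one.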