- Mon Jul 15, 2019 5:14 pm
#825424
Hello,
We are using ProcessMaker Community version 3.3. We plan to give users from different departments PM_FACTORY permission to create workflows and triggers on their own. I noticed that an end user can inject any PHP code into triggers. That means if someone has good programming skills, they can exploit the system. For example, they can read/write data in the database with SQL statements. They can get file content on the server using PHP code.
1. Is there a way to limit trigger permission or a user's access to triggers?
2. Does anyone have experience handling this issue in your organization?
3. Can Enterprise edition handle this issue?
I appreciate your help. Thank you.