
I have been working on a large project for about 4 months. We have a "lead" that I constantly question.

The rules of the project (from the customer who has no background in IT) are

  1. Only JavaScript will be used (Kendo UI package for CRUD).
  2. It is to be "secured" with SSO - ADFSv2/ACS
  3. It must use OData to interact with the database.

Please correct me if I am wrong, but does this not mean

  • A. This is clearly insecure. (after the initial login)
  • B. How can Kendo even handle database interaction (correctly) if it must update multiple tables?

There is another programmer currently working on a similar project and he is using Node.js for a web app that interacts with a database. Doesn't this suffer from a similar issue? How does this client-side CRUD work securely and accurately?

  • _Node.js_ is run on the server-side. Maybe relevant: http://stackoverflow.com/questions/5818312/mysql-with-node-js – Paul S. Aug 28 '13 at 12:09
  • Does Node.js render the page and send it back to the client? In the project, we were using client side packages like Kendo Ui and http://jaydata.org/ to interact with the database. – Roo Aug 28 '13 at 12:14
  • _node.js_ is (usually) entirely server side, generates the page and sends it upon request to the client, much like any other server-side language. http://howtonode.org/hello-node – Paul S. Aug 28 '13 at 12:19

1 Answer


Correct me if I am wrong, but it seems to me that you think that JavaScript directly accesses the database.

From what I see, JavaScript is only used to manage the UI and to contact the server (with Ajax?) to update/create/delete entities.

It isn't insecure, but developers must ensure that the requested user's action is permitted (on the server side).

Example: for a DELETE request to a URL like https://myServer/myApp/Person/1, a user can change the URL to https://myServer/myApp/Person/6 or https://myServer/myApp/Work/1.
So it must be verified that the user can delete a Person with id=6, or a Work with id=1.

vdubus
  • In this scenario we are using an OData service, which I guess could be secured. It could check to ensure the data sent is in the correct format and the user is correct, etc. Normally when I work with Ajax, the Ajax calls a PHP script and that script checks the content then writes to the database tables. Although, using OData and Ajax, can I write to multiple tables? From my research on OData, it appears to be very simple to set up; however, adding all of the extra checks and database writing just feels like writing pure PHP or Rails... – Roo Aug 28 '13 at 12:30
  • I don't know this framework personally, but it seems (from its online presentation) to allow you to customize some services for more advanced features. For the extra checks problem, I would say that I don't know of a framework which solves them all by itself. ^^ – vdubus Aug 28 '13 at 17:02