Scada-LTS

Fixed permissions for script execution

Open Limraj opened this issue 3 years ago • 0 comments

Description

Although the user does not have set permission for the point, when invoking the script from a view, he can modify its value.

To Reproduce

  1. Create datasource ds_1 (virtual)

  2. Create datapoint dp_to_read (settable, no change, numeric)

  3. Create datapoint dp_to_set (settable, random, numeric, xid: DP_TO_SET)

  4. Go to 'Scripts' and create script sc_1:
     a) Add dp_to_read in "Context points" and set var name var_dp_to_read;
     b) Check "Datapoints commands" and set name val;
     c) In the text field "Script" set: "val.writeDataPoint('DP_TO_SET', var_dp_to_read.value);";
     d) Check the script by clicking "Run" -> if "Executed successfully", it is OK;

  5. Go to 'Graphical Views' and create graphical view gv_1:
     a) Select "Button (script)" in "Components:" and click "Add component to view" as cmp_to_setting;
     b) Find cmp_to_setting, click "Edit static content", set script sc_1, and click save on the component;
     c) Select "Simple point" in "Components:" and click "Add component to view" as cmp_to_reading;
     d) Find cmp_to_reading, click "Edit static content", select point dp_to_set, and click save on the component;
     e) Select "Simple point" in "Components:" and click "Add component to view" as cmp_current_value;
     f) Find cmp_current_value, click "Edit static content", select point dp_to_read, and click save on the component;
     g) Click save on the view;

  6. Go to 'Users' and create user usr_1;

  7. Go to "Users profiles" and create profile prof_1 with read permission for dp_to_set, set for dp_to_read and set or read for gv_1 and save;

  8. Log in as usr_1 and go to "Graphical views", set a value in cmp_current_value, click on cmp_to_setting -> see change on cmp_to_reading -> error;

Similarly, you need to check anonymous access; you can follow the scenario above and perform these additional steps:

  1. For the user anonymous-user set the profile prof_1;
  2. In the gv_1 view set Anonymous access: set;
  3. Logout and go: http://localhost:8080/ScadaBR/public_view.htm?viewId={viewId}

Specification

  • Scada version 2.6.10

Limraj, Nov 26 '21 10:11
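
The missing check described in this issue, modelled as an added example (not Scada-LTS code and not part of the original report): the command object exposed to the script is bound to the profile of the user who triggered it, so sc_1 is refused for prof_1. All function names and the DP_TO_READ xid are assumptions; only DP_TO_SET, prof_1 and the script line come from the report.

```javascript
// Model of the reported flaw and one possible fix. Not Scada-LTS code: all names
// are hypothetical except DP_TO_SET, prof_1 and the script line from the report.
const READ = 1, SET = 2;
// Constructed state: point values keyed by xid (DP_TO_READ is an assumed xid).
function newPoints() {
  return new Map([['DP_TO_READ', 42], ['DP_TO_SET', 0]]);
}

// prof_1 as in the report: set on dp_to_read, read-only on dp_to_set.
const prof_1 = new Map([['DP_TO_READ', SET], ['DP_TO_SET', READ]]);

// Vulnerable shape: writes run with the script engine's own authority.
function unsafeCommands(points) {
  return { writeDataPoint(xid, value) { points.set(xid, value); } };
}

// Hardened shape: the command object carries the invoking user's profile and
// refuses any write that user could not make directly (default is deny).
function checkedCommands(points, profile) {
  return {
    writeDataPoint(xid, value) {
      if (!points.has(xid)) throw new Error(`unknown point ${xid}`);
      if ((profile.get(xid) || 0) < SET) {
        throw new Error(`permission denied: set on ${xid}`);
      }
      points.set(xid, value);
    },
  };
}

// Runs sc_1 from the report with the given command object bound to "val".
function runSc1(points, val) {
  const var_dp_to_read = { value: points.get('DP_TO_READ') };
  try {
    val.writeDataPoint('DP_TO_SET', var_dp_to_read.value);
    return { ok: true, DP_TO_SET: points.get('DP_TO_SET') };
  } catch (e) {
    return { ok: false, error: e.message, DP_TO_SET: points.get('DP_TO_SET') };
  }
}
function demo() {
  const a = newPoints(), b = newPoints();
  return {
    unchecked: runSc1(a, unsafeCommands(a)),
    checked: runSc1(b, checkedCommands(b, prof_1)),
  };
}
console.log(demo());
```

In this model the anonymous-user case from the report goes through the same check, because the profile passed in is whatever profile that session holds.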