Don’t Expose the full web site menu to the world

Here I am with another story given to me by a recent contractor software developer that worked for me.  Unfortunately he was no longer with us by the time I discovered this, so I couldn’t share it with him.  We were converting VB desktop apps to ASP.Net MVC C# applications, converting VB classic web apps to C# and putting them all under one web portal login page.  Upon logging in, depending on your permissions or roles, you would see different menu options, applications, administrative pages, etc.

It looks nice and functions just as we needed it. Some time later I was debugging a UI layout issue, viewed the source of the page to see what was being generated, and discovered that even though the user I was logged in with was not an Administrator, the HTML to build the full menu was all right there in the page. So you could simply find the URLs of the other applications, even though you didn’t have the permissions or the roles to get there. He was always building the full menu and then making parts of it invisible to the user based on their roles, using styles and style sheets. Who does that? Even the home page with the login screen had the full menu hidden in the HTML.

No… Only dynamically build and push HTML to the web browser for the menu items that pertain to the roles and permissions of the user. Needless to say, this has been fixed. Hiding a link is never a substitute for authorization, either: the controller actions behind those URLs must enforce the same roles on the server, so that a user who types the URL directly is refused rather than served the page.
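As an added example (not the original site's code), here is how the menu can be built server-side in an ASP.NET MVC 5 (System.Web.Mvc) application so that only the links the current user's roles permit are ever emitted, with the same role names gating the controller action behind the link. The menu entries, role names, URLs and helper names are assumed for illustration.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

// Added example, not the original site's code. Assumes ASP.NET MVC 5 and
// illustrative role names ("Manager", "Administrator") and URLs.

public sealed class MenuItem
{
    public string Text { get; private set; }
    public string Url { get; private set; }
    // Empty means visible to any authenticated user.
    public string[] RequiredRoles { get; private set; }

    public MenuItem(string text, string url, params string[] requiredRoles)
    {
        Text = text;
        Url = url;
        RequiredRoles = requiredRoles ?? new string[0];
    }

    public bool IsPermittedFor(IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return RequiredRoles.Length == 0 || RequiredRoles.Any(user.IsInRole);
    }
}

public static class SiteMenu
{
    // One declaration of the menu; the controllers below reuse the same role names.
    public static readonly MenuItem[] All =
    {
        new MenuItem("Home", "/"),
        new MenuItem("Orders", "/Orders"),
        new MenuItem("Reports", "/Reports", "Manager", "Administrator"),
        new MenuItem("User Admin", "/Admin/Users", "Administrator"),
    };

    // The fix: filter on the server so HTML for items the user may not use
    // never leaves it (instead of emitting everything and hiding it with CSS).
    public static IEnumerable<MenuItem> For(IPrincipal user)
    {
        return All.Where(item => item.IsPermittedFor(user));
    }
}

public static class MenuHtmlHelper
{
    // Usage in _Layout.cshtml: @Html.RoleFilteredMenu()
    // An anonymous visitor (the login page) gets an empty <ul>, not a hidden full menu.
    public static MvcHtmlString RoleFilteredMenu(this HtmlHelper html)
    {
        var ul = new TagBuilder("ul");
        ul.AddCssClass("nav");
        foreach (var item in SiteMenu.For(html.ViewContext.HttpContext.User))
        {
            var a = new TagBuilder("a");
            a.MergeAttribute("href", item.Url);
            a.SetInnerText(item.Text);                  // HTML-encodes the link text
            var li = new TagBuilder("li") { InnerHtml = a.ToString() };
            ul.InnerHtml += li.ToString();
        }
        return MvcHtmlString.Create(ul.ToString());
    }
}

// Hiding the link is not access control: the action itself must check the role,
// so a user who guesses /Admin/Users is refused rather than served the page.
[Authorize(Roles = "Administrator")]
public class AdminController : Controller
{
    public ActionResult Users()
    {
        return View();
    }
}
```

The menu declaration and the `[Authorize]` attributes should share one source of role names; a menu entry whose role string drifts from the attribute on its controller is how a "hidden" link turns back into a reachable page.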
