This request is to switch APIs from being unrestricted by default to restricted by default. If an API needs to be open then a “Security Unrestrict” could be added to the API.
This is a better approach to ensure data is not leaked unintentionally by Wappler developers that miss the step or do not know better.
This comes up every so often in posts and I would wager many Wapplers are exposing their data like this unsuspectingly.
I think this is a great idea. Definitely voted.
Voted, great idea.
I think a better approach is to specify which group of routes should be protected. Refer to a past topic of mine, though I don’t think a feature request is open:
Voted. ‘Restricted by default’ needs to be the default. @Apple idea of having groups of them is a good one, it’d certainly save a bit of set up time and make it easier to secure a lot of APIs with one click
But restricted how, any logged in user? Specific user?
As user role can differ it is difficult to be generic?
I mainly use security restrict in an admin environment and adding a default general restriction would just be a nuisance.
Also how will the redirect work? To a fixed url set by wappler?
Perhaps this could be managed in site settings?
These are all good questions.
Just look at AWS S3 as an example for why restricting by default should be the norm. There’s too many data leakages and mistakes that developers can make to not require explicit access.
This would have the benefit of educating newer Wapplers that do not know any better and protect long-term Wapplers from making a mistake during development.
Perhaps three new options in the security provider.
A. Default restriction.
Then two pickers for redirects if unauthorised etc.for page/route.
Any manually added restricts should override this.
Still not convinced it’s a positive option though, in my view far more api calls are typically public than are in need of security so will be more work in my opinion.
I don’t think so, personally I think that more of Wappler users develop Backends, and most of the Wappler functions today help in develop Dashboards, admin panels, etc (Login, backend stuff, etc). With that in mind, most of the API calls should be restricted and not public.
The opposite of what teodor say:
How about a specific secured api directory which is restricted? Any Action within the directory is secured by default.
@Cheese that would require users to build apps with certain assumptions, too risky to assume users will follow such convention
Last thing I want to do is spawn assumptions! After all they are the mother of all…
Maybe scrap that idea then.
Not sure how this will work out with the role option in the security restrict functionality - without adding to confusion of the existing security setup.
I do not like/want this because we use our own mechanism for security - while using Wappler’s.
If this is going to be done on Globals level as a default, I would need an option to disable it.
Hi everybody,
I would like to suggest an idea…
(I think I have read about it somewhere in here but can’t recall now…)
I suppose we all know the importance of holding our server APIs under folders.
So, I think it would be great if we could apply Security Restrictions on each folder:
Every folder comes with a default Permission of “None” (means no restriction and no action/redirection at all)
Every folder’s Restriction Permissions setup is reserving its subfolders Permissions.
This means if we want a subfolder that only a few may have perimission on it, we have to set its parent folder to “None” so the subfolder is accesseable on first level and then applied its own permissions.
Of course, I don’t know how difficult is this to be applied by the Team…
I wish it was something that can be applied!
Maybe this can help more than we think:
