Authorization Logic — Query Builder

  • Jan 17, 2025
  • 2 minutes to read

DevExpress ASP.NET MVC Query Builder allows users to browse available data connections and tables. The Query Builder is integrated into both the DevExpress Report Designer and Dashboard Designer and can be used as a standalone control. To address CWE-285-related security risks, you should restrict access to data displayed within the Query Builder.

Apply Authorization Attributes

The Authorize attribute specifies authorization rules for application pages. To protect your application, apply the Authorize attribute to the controller class. Use the AllowAnonymous attribute to allow anonymous access to public actions:

```cs
using System.Web.Mvc;

namespace SecurityBestPractices.Mvc.Controllers {
    // Every action on this controller requires an authenticated user...
    [Authorize]
    public partial class AuthorizationController : Controller {
        // ...except this one, which is explicitly opened to anonymous callers.
        [AllowAnonymous]
        public ActionResult QueryBuilder() {
            return View("QueryBuilder/Index");
        }
    }
}
```

Implement Authorization Logic

Follow the steps below to implement authorization in the DevExpress Query Builder extension:

  1. Implement a custom connection string provider to restrict access to connection strings:

  2. Implement a custom database schema provider to restrict access to data tables, views, and stored procedures:

  3. Register your custom providers in the Global.asax.cs file for the DevExpress Report Designer, Dashboard Designer, or standalone Query Builder:
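The three steps above carried through end to end, as an added example that is not the page's own code: a connection string provider that advertises a connection only to authenticated users, a schema provider that filters the default provider's output down to an allow-list of tables and hides views and procedures, and the registration in Application_Start. The connection name "ReportsDb", the allowed table names and the DevExpress registration calls for the standalone Query Builder are assumptions; the Dashboard Designer registers providers through its own configurator.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Web;
using DevExpress.DataAccess.ConnectionParameters;
using DevExpress.DataAccess.Sql;
using DevExpress.DataAccess.Web;
using DevExpress.Xpo.DB;

// Step 1: expose only the connections the current user may see.
public class CustomConnectionStringsProvider : IDataSourceWizardConnectionStringsProvider {
    public Dictionary<string, string> GetConnectionDescriptions() {
        var connections = new Dictionary<string, string>();
        // "ReportsDb" is an assumed connection name from Web.config.
        if (HttpContext.Current.User.Identity.IsAuthenticated)
            connections.Add("ReportsDb", "Reports database");
        return connections;
    }
    public DataConnectionParametersBase GetDataConnectionParameters(string name) {
        // Resolve only names advertised to this user; reject anything else.
        if (!GetConnectionDescriptions().ContainsKey(name))
            throw new UnauthorizedAccessException("Connection is not available to this user.");
        return new CustomStringConnectionParameters(
            ConfigurationManager.ConnectionStrings[name].ConnectionString);
    }
}

// Step 2: wrap the default schema provider and filter what it returns.
public class CustomDBSchemaProvider : IDBSchemaProviderEx {
    static readonly string[] AllowedTables = { "Products", "Categories" }; // assumed allow-list
    readonly IDBSchemaProviderEx defaultProvider = new DBSchemaProviderEx();
    public DBTable[] GetTables(SqlDataConnection connection, params string[] tableList) {
        return defaultProvider.GetTables(connection, tableList)
                              .Where(t => AllowedTables.Contains(t.Name)).ToArray();
    }
    public DBTable[] GetViews(SqlDataConnection connection, params string[] viewList) { return new DBTable[0]; }
    public DBStoredProcedure[] GetProcedures(SqlDataConnection connection, params string[] procedureList) { return new DBStoredProcedure[0]; }
    public void LoadColumns(SqlDataConnection connection, params DBTable[] tables) { defaultProvider.LoadColumns(connection, tables); }
}
public class CustomDBSchemaProviderFactory : IDBSchemaProviderExFactory {
    public IDBSchemaProviderEx Create() { return new CustomDBSchemaProvider(); }
}

// Step 3: register both providers once at startup (Global.asax.cs).
public class MvcApplication : HttpApplication {
    protected void Application_Start() {
        DefaultQueryBuilderContainer.Register<IDataSourceWizardConnectionStringsProvider, CustomConnectionStringsProvider>();
        DefaultQueryBuilderContainer.RegisterDataSourceWizardDBSchemaProviderExFactory<CustomDBSchemaProviderFactory>();
    }
}
```

Because GetDataConnectionParameters re-checks the advertised list, a request that names a connection the user was never shown is refused server-side rather than relying on the client UI to hide it.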