How to check an user input against a process variable in Bonita 7 ?

Submitted by Quentin Choulet on Tue, 12/15/2015 - 11:56
1
0
-1

Hi,

I can't access any process variables from a constraint script. According to the documentation, it's normal because constraints has been designed this way.

So, how can I perform advanced checks on user input ? If I do it with a script after the task has been submited, I have no way to inform the user something was wrong with his input. If I check the user input on the client side, anyone can easily bypass it.

I could make my own API to execute tasks and define my own constraints without limitations but it seems a bit overkill.

Any idea how to simply check a user input against a process variable ?

Regards

bonita7
constraint
validate form input
1 answer

Submitted by Sean McP on Tue, 12/15/2015 - 15:12
1
+2
-1

Use a process variable as a hidden field, example of using a process vairable can be found here,

http://community.bonitasoft.com/project/process-variable-example

then use javascript to do the validation...

regards
Seán

PS: If this answers your question, please mark as Resolved

Comments

Submitted by Quentin Choulet on Tue, 12/15/2015 - 16:01

Hi,

Thank you for your answer. The problem is : javascript validation can be easily bypassed. The user just has to make a direct call to the rest api (without using my form) and the input won't be checked.

I don't want the task to be executed if the input is not valid

Permalink
Submitted by Sean McP on Tue, 12/15/2015 - 16:43

I wouldn't want a user submitting a direct call to the rest API!! Actually I don't think they can, they would have to login in first...OK, so it is possible...

But this is not a user this is a hacker, and a determined one at that. they would have to know quite a bit about your system to be able to do this.

The way I would do it is something like this.

  1. set variables = default values
  2. set message variables = null
  3. inclusive gateway - DoItAgain
  4. show form with variables and message variables
  5. user enters updated variables with their data
  6. return data
  7. do validation in Output operations under groovy set isValid Boolean
  8. gateway - if (isValid) {go to next step}
  9. if (!isValid){
  10. set error messages
  11. go back to DoItAgain
  12. }

regards

Permalink
Submitted by Quentin Choulet on Tue, 12/15/2015 - 17:21

Thank you for your answer ! I will implement it tomorrow !

I'm developing a leave management system. I'm trying to make it as secure as possible because I've been told some of the users (who are developers) might try to cheat to get extra holidays.

Regards

Permalink
Submitted by Sean McP on Tue, 12/15/2015 - 19:22

:)

Really? Developers would do that? :)

Permalink
Submitted by Quentin Choulet on Wed, 12/16/2015 - 09:18

:)

Permalink
Submitted by Sean McP on Fri, 05/12/2017 - 21:35

Ignoring the comment by caiadomino666 it's spam.

Yesterday I actually read of a programmer who not only did this but also changed the hours he worked from 40 to 60 per week therefore committing financial fraud as well...

So, yes, developers, or some at least, do!

:) :| :(

Permalink
Notifications