More secure handling when recordID in URL for a details page is invalid

In detail view pages, it is common for the URL to include a recordId parameter at the end to specify which record the user wants to view the details of.

Currently, a nefarious user can type some random characters for that record ID in the URL and instead of directing them to a 404 or 401, Softr still attempts to render the detail view page.

If you have a form on that page/view, e.g. to create a new related record, the user is still able to submit the form. This becomes a problem because new orphaned records can be created by an abusive user.

Concrete example:

  • You have a Projects table and a Tasks table in your Softr DB
  • You have a page which lists projects, e.g. /projects-list , and a detail view link on each row in the list to access the project’s details page e.g. /project-details
  • On that project’s details page, you have a list of all tasks related to the project and a form to create a new task. It uses hidden fields to pull in the project’s record ID and associate the new task with the project currently being viewed.
  • As a nefarious user, I can modify the record ID in https://app.mydomain.com/project-details?recordId=12345… to be some bogus numbers
  • Then I can submit the form and create a bunch of bogus tasks not associated with any project, clogging up the database with junk when I may not have even had access to any projects at all. These orphaned tasks won’t be seen in the application by anyone, since they are not associated with a project; they would only be visible by looking at the Softr DB in the builder studio.

In general, it’s best security practice to throw an error instead of rendering a view if the user is attempting to access the view using an invalid key.
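As an added example that is not part of the original post or of Softr's own code: the server-side checks that close the gap described above, written as plain JavaScript functions with constructed in-memory Projects and Tasks tables in place of the real DB. The recordId from the URL and the hidden projectId posted by the form are both client-controlled, so both pass through the same check.

```javascript
// Added example, not Softr's code: server-side handling of the recordId that a
// details page receives in its URL, and of the hidden projectId field that the
// related-record form posts back. Both come from the client and get the same checks.

// Constructed sample data standing in for the Projects and Tasks tables.
const projects = new Map([
  ["12345", { id: "12345", name: "Website redesign", ownerId: "u1" }],
  ["67890", { id: "67890", name: "Data migration", ownerId: "u2" }],
]);
const tasks = [];

// Resolve a project for a given user. A malformed key, a missing record and a
// record owned by someone else all yield null, so the caller returns 404 in
// every case and record IDs cannot be probed for existence.
function resolveProject(recordId, userId) {
  if (typeof recordId !== "string" || !/^\d{1,20}$/.test(recordId)) return null;
  const project = projects.get(recordId);
  if (!project || project.ownerId !== userId) return null;
  return project;
}

// GET /project-details?recordId=... : refuse to render when the key is invalid.
function renderProjectDetails(recordId, userId) {
  const project = resolveProject(recordId, userId);
  if (!project) return { status: 404, body: "project not found" };
  const related = tasks.filter((t) => t.projectId === project.id);
  return { status: 200, body: { project, tasks: related } };
}

// POST from the new-task form. The hidden projectId field is re-validated here;
// without this check a bogus recordId in the URL turns into an orphaned task.
function createTask(form, userId) {
  const project = resolveProject(form.projectId, userId);
  if (!project) return { status: 404, body: "project not found" };
  const title = typeof form.title === "string" ? form.title.trim() : "";
  if (!title) return { status: 400, body: "title is required" };
  const task = { id: String(tasks.length + 1), projectId: project.id, title };
  tasks.push(task);
  return { status: 201, body: task };
}
```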
