
I have a region of type Form and a process of type Automatic Row Processing (DML) for this form. I've configured the form edit authorization schemes (in Attributes) for each operation: Add, Update and Delete:

Form Attributes settings

But the process doesn't obey the authorization schemes. It always runs. Here is my process:

Automatic Row Processing (DML)

I've applied the same authorization schemes on the buttons CREATE, SAVE and DELETE, and they are disappearing accordingly. But a malicious user can execute this command in the browser console with success, even if the related authorization scheme returns false: apex.page.submit("DELETE");

Am I doing something wrong? Or is this a security fail?

Oracle Apex 19.1

Thanks in advance.

1 Answer


I just tried this on my own APEX 19.2 application and was able to reproduce the issue. It does seem odd to me that you are able to perform these actions without having the proper authorization. Thanks for the heads up!

I was able to work around the issue by adding an Authorization Scheme to my Form - Automatic Row Processing (DML).

Since you have a CREATE, SAVE, and DELETE button, you may have to set up 3 Form - Automatic Row Processing (DML) Processes, set up each one to only execute on the When Button Pressed condition (one for each button) and assign the appropriate Authorization Scheme to each Process.
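As an added example (not from the question or the answer above), here is the same enforcement done as a server-side check on the submitted request: a PL/SQL page process sequenced before the Form - Automatic Row Processing (DML) process, so a forged apex.page.submit("DELETE") is rejected regardless of which buttons are hidden. The scheme names CAN_ADD, CAN_UPDATE and CAN_DELETE are assumptions; substitute the ones configured on your form.

```sql
-- Added example: server-side guard for the form's DML request.
-- Runs as an "Execute Code" (PL/SQL) page process on submit,
-- sequenced BEFORE the Automatic Row Processing (DML) process.
-- Scheme names are assumed; replace them with your own.
DECLARE
  l_request VARCHAR2(255) := apex_application.g_request;  -- value passed to apex.page.submit(...)
  l_scheme  VARCHAR2(255);
BEGIN
  -- Map each form request to the authorization scheme that must allow it.
  CASE l_request
    WHEN 'CREATE' THEN l_scheme := 'CAN_ADD';
    WHEN 'SAVE'   THEN l_scheme := 'CAN_UPDATE';
    WHEN 'DELETE' THEN l_scheme := 'CAN_DELETE';
    ELSE               l_scheme := NULL;  -- requests not tied to DML are left alone
  END CASE;

  -- Re-evaluate the scheme on the server; hiding the button is not enforcement.
  IF l_scheme IS NOT NULL
     AND NOT apex_authorization.is_authorized(p_authorization_name => l_scheme)
  THEN
    -- Leave a trace in the APEX debug log for the session that attempted it.
    apex_debug.warn('Rejected request %s for user %s', l_request, :APP_USER);
    raise_application_error(-20001, 'You are not authorized to perform ' || l_request);
  END IF;
END;
```

Because the error is raised before the DML process, no row is inserted, updated or deleted; the same check can also be placed in a page validation if you prefer an inline error message.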