Last modified on 5/11/2009 7:44 PM by User.

Database Query Security

The FogBugz database API enforces the current user's permissions on FogBugz's own tables only. Plugin tables (tables whose names begin with the plugin prefix) are outside these checks, so a plugin is responsible for enforcing any access rules on the data it stores there.

Insert, Update, and Delete Query Permissions

Insert, Update, and Delete queries are never allowed directly against FogBugz tables, and setting IgnorePermissions to true does not override this. The base table of an Insert, Update, or Delete query must be a plugin table, i.e. a table whose name begins with the plugin prefix. Changes to FogBugz data are made through the entity objects (CBug, CProject, and so on; see Entity Member Security), which enforce the current user's permissions.
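The following is an added example (not code from this wiki page or from the FogBugz plugin SDK) showing the write path that the rule above leaves open: all Insert, Update, and Delete queries target a plugin-prefixed table, and an edit to a case itself goes through the entity API. It assumes the usual plugin field `api` (a `CPluginApi`), a plugin table created under the logical name `BugNote` with columns `ixBugNote`, `ixBug`, and `sNote`, and the `CDatabaseApi`, `CInsertQuery`, `CUpdateQuery`, `CDeleteQuery`, and `CBug` member names as I recall them from the SDK; the namespaces and the null-on-unreadable behaviour of `GetBug` are likewise assumptions to verify against your SDK version.

```csharp
// Added example, not from the FogBugz wiki page or the plugin SDK.
// Assumptions: field "api" is the plugin's CPluginApi; a plugin table
// "BugNote" (ixBugNote, ixBug, sNote) exists; SDK method names and
// namespaces are as recalled and should be checked against your SDK.
using System;
using FogCreek.FogBugz.Database;
using FogCreek.FogBugz.Plugins.Api;
using FogCreek.FogBugz.Plugins.Entity;

public class BugNoteStore
{
    private readonly CPluginApi api;

    public BugNoteStore(CPluginApi api)
    {
        this.api = api;
    }

    // PluginTableName prepends the plugin prefix; that prefix is what makes
    // the table an allowed base table for Insert, Update, and Delete.
    private string Table
    {
        get { return api.Database.PluginTableName("BugNote"); }
    }

    public int AddNote(int ixBug, string sNote)
    {
        CInsertQuery q = api.Database.NewInsertQuery(Table);
        q.InsertInt("ixBug", ixBug);
        q.InsertString("sNote", sNote);
        return q.Execute(); // identity of the inserted row (assumed return value)
    }

    public void UpdateNote(int ixBugNote, string sNote)
    {
        CUpdateQuery q = api.Database.NewUpdateQuery(Table);
        q.UpdateString("sNote", sNote);
        q.AddWhere("ixBugNote = @ixBugNote");
        q.SetParamInt("@ixBugNote", ixBugNote);
        q.Execute();
    }

    public void DeleteNotesForBug(int ixBug)
    {
        CDeleteQuery q = api.Database.NewDeleteQuery(Table);
        q.AddWhere("ixBug = @ixBug");
        q.SetParamInt("@ixBug", ixBug);
        q.Execute();
    }

    // Not possible: api.Database.NewUpdateQuery("Bug"), even with
    // IgnorePermissions = true, because a FogBugz table can never be the base
    // table of a write query. Cases are edited through the entity API, which
    // enforces the current user's permissions.
    public void RenameBug(int ixBug, string sTitle)
    {
        CBug bug = api.Bug.GetBug(ixBug); // assumed to return null when unreadable/missing
        if (bug == null)
            throw new InvalidOperationException("case not found or not readable by the current user");
        bug.sTitle = sTitle;
        bug.Commit();
    }
}
```

The point of keeping writes on the plugin table parameterised (`AddWhere` with `@ixBug` plus `SetParamInt`) is that the permission model does not protect plugin tables at all, so the only things standing between user input and your table are your own parameterisation and your own access checks.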

Select Query Permissions

Any Select query that references a FogBugz table anywhere (as the base table, in a JOIN, etc.) is considered unsafe: calling GetDataSet on it throws a FogBugzSecurityException. Setting IgnorePermissions to true disables this check. Be clear about what the override means: the query then runs with no permission filtering at all, so the DataSet can contain rows (cases, projects, and so on) that the current user is not allowed to see, and the plugin becomes responsible for filtering them before displaying or acting on them. A Select query whose only tables are plugin tables passes the check without IgnorePermissions.

Example:

public DataSet GetBugDataSet()
{
    // Bug is a FogBugz table, so this query is "unsafe" by default.
    CSelectQuery query = api.Database.NewSelectQuery("Bug");
    query.AddSelect("Bug.ixBug AS ixBug");
    query.AddSelect("Bug.sTitle AS sTitle");
    // Without this line GetDataSet() throws FogBugzSecurityException.
    // With it, no permission filtering is applied to the returned rows.
    query.IgnorePermissions = true;
    return query.GetDataSet();
}

In this example the base table, Bug, is a FogBugz table, so IgnorePermissions must be set to true before GetDataSet is called; otherwise the call throws a FogBugzSecurityException. Because the check is bypassed, the DataSet holds the ixBug and sTitle of every case in the database, including cases the current user cannot read, and must not be shown to the user without further filtering.
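Where a plugin only needs its own per-case data, there is a way to avoid IgnorePermissions altogether: let an entity query (which enforces permissions) decide which cases the user may read, and query only the plugin table with CSelectQuery. The following is an added example of that pattern, not code from this page or from the FogBugz plugin SDK. It assumes the plugin field `api` (a `CPluginApi`), a plugin table `BugNote` with columns `ixBug` and `sNote`, and the `CBugQuery`, `CBug`, and `CSelectQuery` member names and namespaces as I recall them; check them against your SDK version.

```csharp
// Added example, not from the FogBugz wiki page or the plugin SDK.
// Assumptions: field "api" is the plugin's CPluginApi; a plugin table
// "BugNote" (ixBug, sNote) exists; SDK member names and namespaces are as
// recalled and should be verified against your SDK.
using System;
using System.Collections.Generic;
using System.Data;
using FogCreek.FogBugz.Database;
using FogCreek.FogBugz.Plugins.Api;
using FogCreek.FogBugz.Plugins.Entity;

public class ReadableBugNotes
{
    private readonly CPluginApi api;

    public ReadableBugNotes(CPluginApi api)
    {
        this.api = api;
    }

    // Step 1: the entity query decides which cases the user may read.
    // CBugQuery enforces permissions (ExcludeUnreadable defaults to true),
    // so IgnorePermissions is never touched.
    private HashSet<int> ReadableBugIds()
    {
        CBugQuery q = api.Bug.NewBugQuery();
        q.AddSelect("ixBug");
        HashSet<int> ids = new HashSet<int>();
        foreach (CBug bug in q.List())
            ids.Add(bug.ixBug);
        return ids;
    }

    // Step 2: select from the plugin table only. No FogBugz table is
    // referenced, so GetDataSet does not throw and IgnorePermissions stays false.
    // Step 3: drop the rows that belong to cases the user cannot read.
    public IDictionary<int, string> NotesVisibleToCurrentUser()
    {
        HashSet<int> readable = ReadableBugIds();

        CSelectQuery q = api.Database.NewSelectQuery(api.Database.PluginTableName("BugNote"));
        q.AddSelect("ixBug");
        q.AddSelect("sNote");
        DataSet ds = q.GetDataSet();

        Dictionary<int, string> notes = new Dictionary<int, string>();
        foreach (DataRow row in ds.Tables[0].Rows)
        {
            int ixBug = Convert.ToInt32(row["ixBug"]);
            if (readable.Contains(ixBug))
                notes[ixBug] = Convert.ToString(row["sNote"]);
        }
        return notes;
    }
}
```

On a large database, listing every readable case is expensive; in practice you would add an `AddWhere` to both queries (for example, restricting to the case currently displayed or to a project) so that the permission-enforced entity query and the plugin-table query cover the same small set. The structure stays the same: the decision about what the user may see is made by the permission-enforcing query, never by raw SQL over Bug.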

Entity Query Objects

Queries that return entity objects (for example, CBugQuery) enforce the permissions of the current user and by default only list objects that the current user can read.

For objects that have read and write permissions, two properties are exposed:

  • ExcludeUnreadable: if true, the query excludes objects that the current user cannot read.  Defaults to true, so every entity query lists only readable objects unless this is explicitly set to false.
  • ExcludeUnwritable: if true, the query excludes objects that the current user cannot write.  Defaults to false.

For objects that specify write-within permissions (see Entity Member Security), two further properties are exposed:

  • ExcludeUnreadableWithin: if true, the query excludes objects that the current user cannot read within.  On CProjectQuery, for example, this excludes projects in which the current user cannot read cases.  Defaults to false.
  • ExcludeUnWritableWithin: if true, the query excludes objects that the current user cannot write within.  On CProjectQuery, for example, this excludes projects in which the current user cannot write cases.  Defaults to false.

These properties apply to entity queries only. They have no effect on a CSelectQuery, which either throws on a FogBugz table or, with IgnorePermissions set, returns unfiltered rows.
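An added example (not code from this page or from the FogBugz plugin SDK) of how the four properties are used to build lists that respect the current user's permissions. It assumes the plugin field `api` (a `CPluginApi`), the query factories `api.Project.NewProjectQuery()` and `api.Bug.NewBugQuery()`, the `List()` method, and the `fOpen` column on Bug, all as I recall them from the SDK; the property names are spelled as this page gives them. Verify the names against your SDK version.

```csharp
// Added example, not from the FogBugz wiki page or the plugin SDK.
// Assumptions: field "api" is the plugin's CPluginApi; query factory and
// List() names are as recalled from the SDK; property names follow the page.
using FogCreek.FogBugz.Plugins.Api;
using FogCreek.FogBugz.Plugins.Entity;

public class PermissionAwareLists
{
    private readonly CPluginApi api;

    public PermissionAwareLists(CPluginApi api)
    {
        this.api = api;
    }

    // Projects in which the current user may create or edit cases, e.g. for a
    // "move case to project" drop-down. Being able to read the project record
    // is not the right test for that; write-within is.
    public CProject[] ProjectsUserCanFileCasesIn()
    {
        CProjectQuery q = api.Project.NewProjectQuery();
        q.ExcludeUnreadable = true;        // the default, stated for clarity
        q.ExcludeUnWritableWithin = true;  // drop projects the user cannot write cases in
        return q.List();
    }

    // Projects whose cases the user may at least read, e.g. for a filter list.
    public CProject[] ProjectsUserCanBrowse()
    {
        CProjectQuery q = api.Project.NewProjectQuery();
        q.ExcludeUnreadableWithin = true;  // drop projects the user cannot read cases in
        return q.List();
    }

    // Open cases the current user may edit. ExcludeUnreadable is already true
    // by default; ExcludeUnwritable narrows the result to writable cases.
    public CBug[] EditableOpenCases()
    {
        CBugQuery q = api.Bug.NewBugQuery();
        q.ExcludeUnwritable = true;
        q.AddWhere("fOpen = 1");
        return q.List();
    }
}
```

The distinction the first two methods make is the one that matters in practice: a user may be allowed to see that a project exists (readable) without being allowed to see or file its cases (read-within, write-within), so a UI that offers an action on cases should filter with the "Within" property for that action rather than with ExcludeUnreadable alone.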

See Also

For more information on entity permissions, see Entity Member Security.