Object dropdown security considerations
Static value filters in object dropdown validations are exposed to all users who can view the action type. Use of these filters risks exposing property value combinations to users without permissions to view the filtered objects. This risk is mitigated by relying on object properties or parameters to filter the object set. The values are not directly visible in the interface.
Example: Data privacy issue
As an example, imagine we have a Document object with an Investigation Name property. In our action type, we add a filter on the object reference parameter to only show Documents where Investigation Name is Area 51 Investigation.

Here, we would potentially be revealing that Area 51 Investigation is a property value of some Document objects to users who cannot view those documents.
This only applies to static value filters. There is no reference to the Area 51 Investigation when filtering the Investigation Name property by a parameter or by the property of another object because:
- The Investigation Name parameter is user-provided. No information about the underlying data is exposed to the action type viewer.
- The Investigation Object parameter will respect existing restrictions on object visibility for this user.
Therefore, neither of these search queries represents a data privacy concern.

Technical details
In most cases, the actions backend redacts sensitive information in the action type definition to avoid exposing sensitive property values. For example, action submission criteria are hidden from users who cannot edit action types. Similarly, a user will not be able to see the new object dropdown filters in the action type definition in the interface or while inspecting the response in the backend.
However, when viewing the action form, the object dropdown validation is converted into an object set. This means that users could review the network request containing this object set. In the example above, the user would receive an object set RID containing the Investigation Name = 'Area 51 Investigation' filter, revealing the existence of that property value even if they could not view any of its corresponding objects.
These values are therefore not visible in the interface for any user; they appear only in the network request. If visibility is a greater concern than security, this warning can be ignored.
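As an added illustration (not part of the original documentation or the product's own code), the following check walks a dropdown filter definition and reports every comparison that uses a hard-coded value instead of a parameter or object property. The JSON shape, the field names (`type`, `filters`, `value.kind`, `literal`) and the sample filter are assumptions constructed for this example, not the platform's export format.

```python
from typing import Iterator

# Hypothetical schema: comparands fed by a parameter or by another object's
# property are resolved per user, so they leak nothing to action type viewers.
SAFE_KINDS = {"parameter", "objectProperty"}
COMBINATORS = {"and", "or"}

# Constructed sample mirroring the page's example: one static filter and the
# two safe alternatives (user-provided parameter, property of another object).
SAMPLE_FILTER = {
    "type": "and",
    "filters": [
        {"type": "eq", "property": "investigationName",
         "value": {"kind": "static", "literal": "Area 51 Investigation"}},
        {"type": "or", "filters": [
            {"type": "eq", "property": "investigationName",
             "value": {"kind": "parameter", "id": "investigationName"}},
            {"type": "eq", "property": "investigationName",
             "value": {"kind": "objectProperty",
                       "parameter": "investigationObject", "property": "name"}},
        ]},
    ],
}


def exposed_filters(node: dict, path: str = "filter") -> Iterator[dict]:
    """Yield each comparison whose comparand is not user- or object-derived."""
    kind = node.get("type")
    if kind in COMBINATORS:
        for i, child in enumerate(node.get("filters", [])):
            yield from exposed_filters(child, f"{path}.{kind}[{i}]")
    elif kind == "not":
        yield from exposed_filters(node.get("filter", {}), f"{path}.not")
    else:
        value = node.get("value", {})
        # Fail closed: an unrecognised comparand kind is reported as well.
        if value.get("kind") not in SAFE_KINDS:
            yield {"path": path, "property": node.get("property"),
                   "kind": value.get("kind"), "literal": value.get("literal")}


def audit(filter_def: dict) -> list:
    """Return all findings for one object dropdown filter definition."""
    return list(exposed_filters(filter_def))


if __name__ == "__main__":
    for f in audit(SAMPLE_FILTER):
        print(f"{f['path']}: {f['property']} compared with {f['kind']} value; "
              "visible to every user who can view the action type")
```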