Skip to main content

APEX 5 New Runtime API Lockdown Features

In APEX 4.x the developer could implement a feature that involves a call to the APEX API. E.g. you could create new pages on the fly if you would like to (just examine an export file for the how-to). You could drop an application using a procedure from the APEX_INSTANCE_ADMIN package. You could drop a user using APEX_UTIL.REMOVE_USER. If this is all on purpose and secured than that's fine. But maybe you created some opportunities for SQL Injection ... and someone else could use that technique to call those very same procedures. So the bad guy (or girl) could drop your application - or maybe even worse : could create a user and give himself full access to everything!
Of course you should prevent that from happening by fixing the SQL Injection holes. But next to that: You can prevent that your application uses those API's at all! And in APEX 5 that's even the default setting. So you're safe by default ;-)

But assume you really need access to those API's, there is an Application Level Security setting you can set.
So you can switch on access to API's that make changes to Applications or the Workspace. The only thing is - you have to figure out yourself what setting you should enable...
So what happens if your application has the option of creating a user on the fly - and thus calling APEX_UTIL.CREATE_USER - and you didn't switch the "Modify Workspace Repository" ?
Then you (or your user) gets this "nice" error page:
This sounds rather cryptic - and it is - but actually there is an entry in the Debug Messages with that ID. Even when you're not running in debug mode!
And this entry is:
But of course it is better to catch these errors (and all other ones as well) via an Error Handling Function. That way you can get an email when something like this happens and fix it - or be warned that some bad things are happening ....

But it's a nice additional security feature!


Comments

Popular posts from this blog

Adding items to your Interactive Grid Toolbar

The APEX Interactive Grid uses the Toolbar widget to create the default Toolbar showing the Search box, Actions menu, Save button etc. And since quite a while there is a nice Plugin "Extend IG Toolbar" by Marko Goricki that makes it very easy to add additional buttons to the Toolbar.

But what if you need more than a button? 
Inspecting the contents of widget.toolbar.js, you can easily spot there can be added more to the Toolbar than just a button: The type of control, available values:
"STATIC", "TEXT", "SELECT", "BUTTON", "MENU", "RADIO_GROUP", "TOGGLE".
The first example will show a way to easily switch from one filter to another. Of course we could use the standard functionality and create two different Report views, but using a Radio Group on the Toolbar gives a more "Tab" like user experience.

So how can we create a Radio Group that looks like a switch in the Toolbar?
In the Javascript Code …

Filtering in the APEX Interactive Grid

Remember Oracle Forms?

One of the nice features of Forms was the use of GLOBAL items. More or less comparable to Application Items in APEX. These GLOBALS where often used to pre-query data. For example you queried Employee 200 in Form A, then opened Form B and on opening that Form the Employee field is filled with that (GLOBAL) value of 200 and the query was executed. So without additional keys strokes or entering data, when switching to another Form a user would immediately see the data in the same context. And they loved that.

In APEX you can create a similar experience using Application Items (or an Item on the Global Page) for Classic Reports (by setting a Default Value to a Search Item) and Interactive Reports (using the APEX_IR.ADD_FILTER procedure). But what about the Interactive Grid? There is no APEX_IG package ... so the first thing we have to figure out is how can we set a filter programmatically?

Start with creating an Interactive Grid based upon the good old Employees tab…

apex_application.g_f0x array processing in Oracle 12

If you created your own "updatable reports" or your custom version of tabular forms in Oracle Application Express, you'll end up with a query that looks similar to this one:
then you disable the "Escape special characters" property and the result is an updatable multirecord form.
That was easy, right? But now we need to process the changes in the Ename column when the form is submitted, but only if the checkbox is checked. All the columns are submitted as separated arrays, named apex_application.g_f0x - where the "x" is the value of the "p_idx" parameter you specified in the apex_item calls. So we have apex_application.g_f01, g_f02 and g_f03. But then you discover APEX has the oddity that the "checkbox" array only contains values for the checked rows. Thus if you just check "Jones", the length of g_f02 is 1 and it contains only the empno of Jones - while the other two arrays will contain all (14) rows. So for processing y…