1 Reply Latest reply on Apr 22, 2015 11:56 AM by butch

    Creating a custom tile - what could possibly go wrong?

    Ted Hopton

      We're working on a custom tile to display dashboards from INNOTAS, and Luann Dalton has succeeded in getting one working that allows the user to paste in a configuration string (in this case the URL for displaying the dashboard). While this is great progress for meeting a specific requested use case in our company, I'm starting to wonder what could go wrong if we deploy this tile in our production environment.


      No Way to Restrict Access to a Custom Tile

      Am I correct in thinking that when we deploy a custom tile there is no way to restrict which users have access to it? So, deploying it for our specific user who requested it means that anyone else with an account can also use the tile, right?


      This seems a bit risky to me.


      Security Concerns about Users Inserting Configuration Strings

      We want our specific user to be able to insert configuration data for his many different dashboards that he needs to display. However, what could happen if someone inserted other configuration strings? Really, what is the worst that could happen? Is this a terrible thing to do from a security and risk standpoint?

        • Re: Creating a custom tile - what could possibly go wrong?
          butch

          Hi Ted,


          I'm no expert, so take below with a grain of salt - there may be other ways to accomplish this I don't know about!


          Restricting Access


          If this is a "CUSTOM_VIEW" tile, you could implement the desired security on your application's end. The Jive tile view is just an endpoint that can be used to load additional data. You can read any further request made to your system from Jive, and allow/deny accordingly.


          Security from Config Strings


          I'd just validate the config when you read it out from jive.tile.onOpen.  If it's not what is expected - reject.
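As an added illustration of the "validate the config and reject anything unexpected" advice above (example code written for this page, not code from Ted, Luann, butch or Jive): the pasted configuration string is a dashboard URL, so the narrowest useful check is to parse it as an absolute URL and accept it only if it uses https, carries no embedded credentials, and points at an exact hostname on an allowlist. The allowlist host `innotas.example.com`, the `config.dashboardUrl` field name, and the shape of the `jive.tile.onOpen` callback are assumptions for the example; substitute your own tenant's dashboard host and the field name your tile actually saves.

```javascript
// Added example for this thread; not from the original post or from Jive.
// Assumed allowlist of hosts the tile is permitted to embed (placeholder value).
const ALLOWED_DASHBOARD_HOSTS = ['innotas.example.com'];

// Validate a user-pasted dashboard URL. Returns { ok: true, url } on success
// or { ok: false, reason } so the tile can show why the config was rejected.
function validateDashboardUrl(rawConfig, allowedHosts) {
  if (typeof rawConfig !== 'string' || rawConfig.trim().length === 0) {
    return { ok: false, reason: 'config must be a non-empty string' };
  }
  if (rawConfig.length > 2048) {
    return { ok: false, reason: 'config exceeds 2048 characters' };
  }

  let url;
  try {
    // Relative strings and non-URL junk throw here and are rejected.
    url = new URL(rawConfig.trim());
  } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }

  // Only https: this rules out javascript:, data:, file: and plain http.
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme must be https, got ' + url.protocol };
  }
  // Credentials in the URL are a classic way to smuggle a look-alike host.
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials embedded in URL are not allowed' };
  }
  // Exact hostname match; a suffix or substring check would let
  // innotas.example.com.evil.test through.
  const host = url.hostname.toLowerCase();
  if (!allowedHosts.includes(host)) {
    return { ok: false, reason: 'host not in allowlist: ' + host };
  }

  return { ok: true, url: url.href };
}

// Wiring into the tile. Guarded so the module also loads outside Jive.
// The callback's config object and its dashboardUrl field are assumed.
if (typeof jive !== 'undefined' && jive.tile && typeof jive.tile.onOpen === 'function') {
  jive.tile.onOpen(function (config) {
    const check = validateDashboardUrl(config && config.dashboardUrl, ALLOWED_DASHBOARD_HOSTS);
    if (!check.ok) {
      // Reject: render an error, never the untrusted string.
      document.body.textContent = 'Dashboard configuration rejected: ' + check.reason;
      return;
    }
    const frame = document.createElement('iframe');
    frame.src = check.url;
    // Sandbox the embedded dashboard; drop flags it does not need.
    frame.setAttribute('sandbox', 'allow-scripts allow-same-origin allow-forms');
    document.body.appendChild(frame);
  });
}
```

Run the same validator on the server that receives requests from the Jive tile view as well, since anything checked only in the browser can be bypassed by a user who edits the saved configuration directly.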