|
3 | 3 | <!-- Блоки выше заполняются автоматически, не трогать -->
|
4 | 4 | ## Description
|
5 | 5 | <!-- Описание диагностики заполняется вручную. Необходимо понятным языком описать смысл и схему работу -->
|
| 6 | +Diagnostic finds Privileged mode setup code. |
| 7 | +For external code, such as code from external reports/data processors, this action may not be safe. |
6 | 8 |
|
| 9 | +The found sections of the code must be analyzed, a manual audit of the code must be performed for its correctness and safety. |
| 10 | + |
| 11 | +Правило находит вызовы метода The diagnostic finds calls to the `SetPrivilegedMode` method |
| 12 | +call to `SetPrivilegedMode(False)` is ignored |
| 13 | + |
| 14 | +Any export procedures and functions that perform any actions on the server with the privileged mode set unconditionally beforehand are potentially dangerous, as this disables checking the access rights of the current user. The export procedures and functions of the client API of the 1C:Enterprise server require special attention. |
| 15 | + |
| 16 | +For example, wrong: |
| 17 | +```bsl |
| 18 | +Procedure ChangeData(...) Export |
| 19 | +
|
| 20 | +SetPrivilegedMode(True); // Disable permission check |
| 21 | +// Change data in privileged mode |
| 22 | +... |
| 23 | +EndProcedure |
| 24 | +``` |
| 25 | +Correct: |
| 26 | +```bsl |
| 27 | +Procedure ChangeData(...) Export |
| 28 | +
|
| 29 | +// Changing data |
| 30 | +// (at the same time, if the user does not have enough rights to perform an operation on the data, an exception will be raised) |
| 31 | +... |
| 32 | +EndProcedure |
| 33 | +``` |
| 34 | +The exception is when the action performed by the procedure must be allowed (or the return value of the function must be available) to absolutely all categories of users. |
| 35 | + |
| 36 | +If you still need to use privileged mode within a method, you must use manual access control using the `VerifyAccessRights` method. |
| 37 | + |
| 38 | +An example of pre-checking before performing actions in privileged mode: |
| 39 | +```bsl |
| 40 | +Procedure ChangeData(...) Export |
| 41 | +
|
| 42 | +VerifyAccessRights(...); // If the user has insufficient rights, an exception will be thrown |
| 43 | +SetPrivilegedMode(True); // Disable permission check |
| 44 | +
|
| 45 | +// Change data in privileged mode |
| 46 | +... |
| 47 | +EndProcedure |
| 48 | +``` |
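Review bot: new line 11 still carries the untranslated prefix `Правило находит вызовы метода` in front of "The diagnostic finds calls to the `SetPrivilegedMode` method", and new line 12, `call to `SetPrivilegedMode(False)` is ignored`, is a sentence fragment; merge the two into "The diagnostic finds calls to the `SetPrivilegedMode` method; a call to `SetPrivilegedMode(False)` is ignored." The opening line, "Diagnostic finds Privileged mode setup code", reads better as "The diagnostic finds code that enables privileged mode." The description also never states how a non-literal argument is treated, which matters because the Examples section below reports `SetPrivilegedMode(Value)` as an error: spell out the rule (for example, that every call whose argument is not the literal `False` is reported) so users understand why a variable argument is flagged.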
7 | 49 | ## Examples
|
8 | 50 | <!-- В данном разделе приводятся примеры, на которые диагностика срабатывает, а также можно привести пример, как можно исправить ситуацию -->
|
| 51 | +```bsl |
| 52 | + SetPrivilegedMode(True); // error |
| 53 | +
|
| 54 | + Value = True; |
| 55 | + SetPrivilegedMode(Value); // error |
9 | 56 |
|
| 57 | + SetPrivilegedMode(False); // no error |
| 58 | +``` |
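Review bot: the second sample, `Value = True;` followed by `SetPrivilegedMode(Value); // error`, implies either that the rule tracks the assignment or that any argument other than the literal `False` is reported, and the page does not say which; make the comment explicit, for instance "// error: argument is not the literal False", so readers do not assume value tracking that may not exist. The snippets are also bare statements, whereas the Description section shows every example inside `Procedure ... Export` / `EndProcedure`; wrapping these in the same frame keeps the two sections consistent.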
10 | 59 | ## Sources
|
11 | 60 | <!-- Необходимо указывать ссылки на все источники, из которых почерпнута информация для создания диагностики -->
|
12 | 61 | <!-- Примеры источников
|
13 | 62 |
|
14 |
| -* Источник: [Стандарт: Тексты модулей](https://its.1c.ru/db/v8std#content:456:hdoc) |
15 |
| -* Полезная информация: [Отказ от использования модальных окон](https://its.1c.ru/db/metod8dev#content:5272:hdoc) |
| 63 | +* Source: [Standard: Modules (RU)](https://its.1c.ru/db/v8std#content:456:hdoc) |
| 64 | +* Useful information: [Refusal to use modal windows (RU)](https://its.1c.ru/db/metod8dev#content:5272:hdoc) |
16 | 65 | * Источник: [Cognitive complexity, ver. 1.4](https://www.sonarsource.com/docs/CognitiveComplexity.pdf) -->
|
| 66 | +* Standard: [Using Privileged Mode (RU)](https://its.1c.ru/db/v8std/content/485/hdoc) |
| 67 | +* Standard: [Server API Security (RU)](https://its.1c.ru/db/v8std#content:678:hdoc) |
| 68 | +* Standard: [Restriction on the execution of "external" code (RU)](https://its.1c.ru/db/v8std/content/669/hdoc) |
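Review bot: the template comment that opens with `<!-- Примеры источников` and closes at `-->` still wraps three sample entries from the repository template (`Стандарт: Тексты модулей`, `Отказ от использования модальных окон`, `Cognitive complexity, ver. 1.4`), none of which concern this diagnostic, and the diff translates two of them inside the comment instead of removing the block; delete the whole comment and keep only the three real standards listed after it. Those three also mix two URL forms for its.1c.ru (`/db/v8std/content/485/hdoc` versus `#content:678:hdoc`); pick one form for all entries.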