Rock Security

See https://community.rockrms.com/developer/videos/70 (from the beta launch at CITRT 2014)

  • Block Security Order

  • Entity Parent Authority

  • Block Security Actions

  • Entity Type Security (Admin UI)

  • Custom Action Verbs

  • PersonActionIdentifier The RSVP system uses Rock's newer 'non-security' identification token generator, called PersonActionIdentifier, which identifies a person for one particular action only. The token generated for an RSVP is bound to the 'RSVP' action, and only the RSVP block decodes it, supplying that same 'RSVP' key/string when it does. To put it another way, the person is not actually authenticated in Rock. They are only identified as that particular person for that particular action, so the token must not be treated as proof of identity for anything else. There are some additional details in the Lava documentation here: https://community.rockrms.com/lava/filters/person-filters#personactionidentifier
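The following is an added example, not Rock's PersonActionIdentifier code, that models the property described above: the token carries the person id plus a keyed MAC over the id and the action, so it resolves only when the consuming block supplies the same action string, and swapping the person id invalidates it. The site secret, the person id 4217 and the action names are constructed for the example; Rock's own encoding and key handling are not reproduced here.

```python
"""Model of an action-bound identification token (added illustration, not Rock's
PersonActionIdentifier code). It shows the property described above: a token
identifies one person for one named action and resolves only when the consuming
block supplies that same action string."""
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the site's secret key material (assumption: Rock keeps
# its own key; this value exists only so the example runs offline).
SITE_SECRET = b"constructed-site-secret-not-for-real-use"

_ID_LEN = 8      # person id as 64-bit big-endian
_MAC_LEN = 32    # HMAC-SHA256 digest


def _mac(person_id: int, action: str, key: bytes) -> bytes:
    """MAC over person id and action together, so neither can be swapped alone.
    The action is length-prefixed to avoid ambiguous framing."""
    action_bytes = action.encode("utf-8")
    msg = (person_id.to_bytes(_ID_LEN, "big")
           + len(action_bytes).to_bytes(2, "big")
           + action_bytes)
    return hmac.new(key, msg, hashlib.sha256).digest()


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(token: str) -> Optional[bytes]:
    try:
        return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:          # binascii.Error is a subclass of ValueError
        return None


def mint_action_token(person_id: int, action: str, key: bytes = SITE_SECRET) -> str:
    """Token a page embeds in, say, an RSVP link. It carries the person id and a
    MAC bound to `action`; the action itself is NOT in the token, the block that
    consumes it must already know which action it is for."""
    return _b64encode(person_id.to_bytes(_ID_LEN, "big") + _mac(person_id, action, key))


def resolve_action_token(token: str, action: str, key: bytes = SITE_SECRET) -> Optional[int]:
    """Return the person id if `token` was minted for `action`, else None.
    A successful resolve identifies the person for this action only; it must
    not be used to sign the person in or to authorize any other action."""
    raw = _b64decode(token)
    if raw is None or len(raw) != _ID_LEN + _MAC_LEN:
        return None
    person_id = int.from_bytes(raw[:_ID_LEN], "big")
    if not hmac.compare_digest(raw[_ID_LEN:], _mac(person_id, action, key)):
        return None
    return person_id


def forge_person_id(token: str, new_person_id: int) -> str:
    """What an attacker would try: keep a valid MAC, swap in another person's id.
    The MAC binds the id, so resolve_action_token rejects the result."""
    raw = _b64decode(token) or b""
    return _b64encode(new_person_id.to_bytes(_ID_LEN, "big") + raw[_ID_LEN:])


def demo() -> dict:
    """Constructed person id 4217 receives an RSVP token."""
    token = mint_action_token(4217, "RSVP")
    return {
        "rsvp_block": resolve_action_token(token, "RSVP"),                        # 4217
        "other_block": resolve_action_token(token, "Unsubscribe"),                # None
        "swapped_id": resolve_action_token(forge_person_id(token, 4218), "RSVP"),  # None
        "garbage": resolve_action_token("not-a-token", "RSVP"),                   # None
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that a successful resolve returns an id, not a session: the block acts on that one action for that person and nothing more. A token minted for 'RSVP' is useless to an 'Unsubscribe' block even though both share the same site key, which is what the page means by identified rather than authenticated.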

  • IdKey IdKey is a way to avoid exposing the integer ID number in URLs without resorting to something as long and complex as a Guid. Starting with Rock v14 and the Obsidian blocks, the IdKey can (and should) be used instead of integer IDs, especially in public-facing blocks. Note that an IdKey only obscures the ID; a block that receives one still has to authorize the current person against the entity it resolves to.

Developing with security in mind

  • Never trust an Id or Guid stored in a HiddenField. The value goes out to the browser in the page and comes back in the postback under the browser's control, so revalidate it on postback (parse it, load the entity again, and check that the current person is authorized for that entity) before acting on it.
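An added example of the hidden-field problem, written as a model rather than taken from Rock's code: one handler trusts the posted id, the other revalidates it. The field names hfGroupId and tbName, the Group class, the in-memory store and the person ids are all constructed for the example; the authorization check stands in for whatever entity security the real block would consult.

```python
"""Model of the HiddenField problem (added illustration, not Rock code). The
hidden value leaves the server inside the page and comes back in the postback
under the browser's control, so the handler must treat it as untrusted input:
parse it, reload the entity, and authorize the current person against it."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


@dataclass
class Group:
    """Stand-in for an entity a block edits. `editors` models which person ids
    are allowed the EDIT action on it (constructed data)."""
    id: int
    name: str
    editors: FrozenSet[int]


class NotAuthorized(Exception):
    """Raised by the hardened handler when the posted id fails revalidation."""


def make_store() -> Dict[int, Group]:
    """Constructed sample data: person 1 may edit group 10, person 2 group 11."""
    return {
        10: Group(10, "Youth Group", frozenset({1})),
        11: Group(11, "Finance Committee", frozenset({2})),
    }


def vulnerable_save(form: Dict[str, str], current_person: int, store: Dict[int, Group]) -> int:
    """Trusts hfGroupId (assumed hidden-field name) as if it were still the id the
    page rendered. EDIT was checked when group 10 was loaded, but the postback can
    now carry 11, and this handler never looks at current_person."""
    group = store[int(form["hfGroupId"])]
    group.name = form["tbName"]
    return group.id


def hardened_save(form: Dict[str, str], current_person: int, store: Dict[int, Group]) -> int:
    """Revalidates the hidden value on postback: parse, reload, authorize, then act."""
    try:
        group_id = int(form.get("hfGroupId", ""))
    except ValueError:                        # blank, guid, script, anything non-numeric
        raise NotAuthorized("hfGroupId is not an integer id")
    group = store.get(group_id)
    if group is None:                         # deleted, never existed, or out of range
        raise NotAuthorized(f"no group with id {group_id}")
    if current_person not in group.editors:   # authorize against the id actually posted
        raise NotAuthorized(f"person {current_person} may not edit group {group_id}")
    group.name = form["tbName"]
    return group.id


Handler = Callable[[Dict[str, str], int, Dict[int, Group]], int]


def attempt(handler: Handler, form: Dict[str, str], current_person: int,
            store: Dict[int, Group]) -> str:
    """Run a handler and summarize the outcome as a string."""
    try:
        return f"saved {handler(form, current_person, store)}"
    except (NotAuthorized, KeyError, ValueError):
        return "denied"


def demo() -> Dict[str, str]:
    """Person 1 opened the edit page for group 10, then changed the hidden id to 11."""
    tampered = {"hfGroupId": "11", "tbName": "Renamed by person 1"}
    results: Dict[str, str] = {}
    store = make_store()
    results["vulnerable"] = attempt(vulnerable_save, tampered, 1, store)   # saved 11
    results["vulnerable_name"] = store[11].name                            # Renamed by person 1
    store = make_store()
    results["hardened"] = attempt(hardened_save, tampered, 1, store)       # denied
    results["hardened_name"] = store[11].name                              # Finance Committee
    results["legit"] = attempt(hardened_save, {"hfGroupId": "10", "tbName": "Youth"},
                               1, make_store())                            # saved 10
    return results


if __name__ == "__main__":
    print(demo())
```

The same three steps apply when the hidden value is a Guid or an IdKey rather than an integer: the key is parsed, the entity is reloaded from it, and the authorization check runs against what the postback actually named, not against what the page rendered earlier.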
