Rock Security
See https://community.rockrms.com/developer/videos/70 (from the beta launch at CITRT 2014)
Block Security Order
Entity Parent Authority
Block Security Actions
Entity Type Security (Admin UI)
Custom Action Verbs
PersonActionIdentifier
The RSVP system uses our newer 'non-security' type identification token generator (called PersonActionIdentifier), which identifies a person for only one particular action. In this case, the person token that's generated is bound to the 'RSVP' action, and only that RSVP block would decode the identity token along with that 'RSVP' key/string. To put it another way, the person is not actually authenticated in Rock. They are only identified as that particular person for that particular action. There are some additional details in the Lava documentation here: https://community.rockrms.com/lava/filters/person-filters#personactionidentifier
IdKey
IdKey is a way to not expose the ID number (and not have something as long and complex as a Guid in the URL). Starting with Rock v14 Obsidian blocks, the IdKey can/should be used instead of IDs -- especially in public-facing blocks.
Developing with security in mind
Never use HiddenField for Ids or Guids without revalidating them upon postback.
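An added illustration of this rule, not code from the Rock project: a simplified ASP.NET Web Forms block in Rock's style, with the handler that trusts the hidden field beside one that re-parses the value and re-checks authorization on every postback. The control names (hfGroupId, tbName, nbMessage), the GroupEditExample class and the use of RockBlock, GroupService, CurrentPerson and Authorization.EDIT are assumed here and follow Rock's conventions.

```csharp
using System;
using Rock.Data;
using Rock.Model;
using Rock.Security;
using Rock.Web.UI;

// Assumed markup in the .ascx: <asp:HiddenField ID="hfGroupId" runat="server" />
// plus a RockTextBox "tbName" and a NotificationBox "nbMessage".
public partial class GroupEditExample : RockBlock
{
    // VULNERABLE: the hidden field is client-controlled. Anyone who can post the form
    // can change hfGroupId to another group's Id and update a group they were never shown.
    protected void btnSave_Click_Vulnerable( object sender, EventArgs e )
    {
        var rockContext = new RockContext();
        var group = new GroupService( rockContext ).Get( int.Parse( hfGroupId.Value ) );
        group.Name = tbName.Text;
        rockContext.SaveChanges();
    }

    // HARDENED: treat the hidden value as untrusted input on every postback.
    protected void btnSave_Click( object sender, EventArgs e )
    {
        // 1. Validate the shape of the value before touching the database.
        int groupId;
        if ( !int.TryParse( hfGroupId.Value, out groupId ) )
        {
            nbMessage.Text = "Invalid request.";
            return;
        }

        using ( var rockContext = new RockContext() )
        {
            var group = new GroupService( rockContext ).Get( groupId );

            // 2. Re-check that the entity exists and that the *current* person may edit it.
            //    Rock entities implement ISecured, so the check is per entity, not per block.
            if ( group == null || !group.IsAuthorized( Authorization.EDIT, CurrentPerson ) )
            {
                nbMessage.Text = "You are not authorized to edit this group.";
                return;
            }

            group.Name = tbName.Text;
            rockContext.SaveChanges();
        }
    }
}
```

The same pattern applies to a Guid or IdKey carried in a hidden field or query string: parse it, load the entity, and authorize the current person against that entity before acting on it.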