cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
jeffgreenrc
Helper II
Helper II

Web API usage on public pages

Hi,

 

I want to know if we can use Web API to perform read/create/update for public facing pages. These pages are open to anyone without having someone assigned anonymous web role? if yes, then please share any sample.

 

Will this result in any kind data leaks if possible malicious user can somehow use web api to perform different operation on table records?

 

Thanks

2 REPLIES 2
chleverenz
Advocate III
Advocate III

Hi jeffgreenrc,

we use the webapi in portals also for anonymous access. The problem you are adressing is not a problem of the web api. There could also be misuse on forms which are anonymously accessible.

 

The create/update/delete has to be set by the settings as described in the documentation ( https://docs.microsoft.com/en-us/powerapps/maker/portals/web-api-overview , make sure to read https://docs.microsoft.com/en-us/powerapps/maker/portals/web-api-http-requests-handle-errors , this will prevent a lot of headaches 🙂 ) .

Additionally you have to set the proper accessrights in entitypermissions and assign those entitypermissions to a webrole which is associated with anonymous access.

 

There is currently no read in the api as far as i know. Usually we write a liquid which issues a fetchxml and we render the response as json ( akin to https://docs.microsoft.com/en-us/powerapps/maker/portals/liquid/render-rss-custom-page-template but json instead of xml) . This could then either be put to the form as static json or it could be used as a kind of backendservice which is callable as if it was a page.

In my opinion the webapi is a little bit more secure than the formsubmission as the fomsubmissions submits every field which was customized on the form. As this customzation is in large companies done by diffrent people than those, who run the portal, there might be accidentially fields on forms which should not be public accessible.

 

If you use the webapi, you should only enable those fields, which you want to make accessible in that service.

 

I do not know of any securityissiues like injections or whatever to 'hijack' that service. It' the other way round: if you do not enabel the right things it will not work. And we have to configure a lot...

 

Hope this helps a little bit and points you to the right direction.

Have fun,

  Christian

 

Fubar
Solution Sage
Solution Sage

Just be aware that as it would be public that any data you serve should not be private.

 

Permissions to entities etc would just come from the Web Role that was set for anonymous users.  But as the user is not authenticated you cannot restrict to Contact and Account associations to the records, and so someone can open browsers developer mode (F12) and make a query from the console and get a result back (so you only want the data that is exposed to be public anyway - so it doesn't matter if they hack your page)

Helpful resources

Announcements
PA User Group

Welcome to the User Group Public Preview

Check out new user group experience and if you are a leader please create your group

MBAS Attendee Badge

Claim Your Badge & Digital Swag!

Check out how to claim yours today!

secondImage

Demo Extravaganza is Back!

We are excited to announce that Demo Extravaganza for 2021 has started!

MBAS on Demand

Microsoft Business Applications Summit sessions

On-demand access to all the great content presented by the product teams and community members! #MSBizAppsSummit #CommunityRocks

Users online (75,763)