Why all of your server-side redirects are insecure

It might suffice to just put them onto the triggers and not every action.

The link @ihsanzainal84 provided is very helpful. The manual would seem to imply that, in order to make the most use of the conditions on the triggers, you should use ‘user is logged in’ as the beginning of the expression to force a server-side evaluation.

I’d imagine that just using ‘current user is logged in and current user role is X’ on the trigger, and not on every action, will have the effect of securing the entire series of actions associated with the trigger, forcing a server-side conditional evaluation to make it even more secure, and only costs 0.02 WUs as an individual data request, likely for the ‘current user’ portion of the conditional. (WU logs do not go into detail about the individual data request, so I cannot confirm whether this was for the conditional evaluation or whether it is just the standard first load of the current user that I believe takes place when a page is loaded.)

Actually, in a simple test, I have a trigger with conditions and a single action to create a new thing.

The first time I ran this, by pressing the single button on the page, I got the following WU usage.


To test whether the individual data request came from the conditional evaluation on the trigger, in the form of an individual data request to fetch the current user, I added another button to the page with a simple condition of ‘current user role is X’.

In that test, I did not press the button with the trigger, and I simply got a page load WU and no individual data request charge.

When I ran the test a third time, with the two buttons, pressing the button with the trigger, I got the same result as the first time, which was a page load and an individual data request. Now, since the second test still had a condition to evaluate whether the current user role is X on the button, my assumption was that the conditional evaluation of ‘current user role is X’ would have incurred an individual data request, but it did not.

So I ran a fourth test, which was the same as the third (i.e. two buttons, click the one with the trigger); however, I removed the action to create a blog post (which didn’t run in the first test because of the condition on the trigger). And of course, this fourth test uncovered something that is strange to me in how WUs are charged.

In the fourth test, with a trigger with conditions on a button click but no action to create a thing, and pressing the button, there was no individual data request charge, only a page load charge. This seems to be a bug of some sort, in that we get charged for an individual data request when an action to create a thing doesn’t run because the condition on the trigger evaluates to false.
