Question
We are using a SharePoint implementation for a customer portal. We are giving each client a site where they will have access to reports. We are using the same library of reports; each report takes a parameter that is a unique identifier for the client. The issue we are running into is that as long as you can authenticate to the system you can view the source on the page that has the report and by doing some googling you can figure out how to put together a query string to pull a report. By picking random id numbers you can pull up other clients' reports.
Odds are clients will not do this, but there is always a chance and we are looking to close this hole.
Anyone else run into this? We have some possible solutions but are hoping that there might be something simpler that we are missing.
Answer 1:
Within SSRS you can access the User's ID: If you create an internal parameter set to this value (=User.UserID), your queries can check to see if that user has permissions to view the requested data. (i.e. create a table with the UniqueIDs that the user is allowed to access and join to that.)
Combine this with the unique ID parameter, and you should be covered.
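A sketch of the check Answer 1 describes, added here as an illustration and not part of the original answer. It is T-SQL for the report's dataset; the table names, column names and logins are hypothetical, and the sample rows are constructed.

```sql
-- Added example. All table, column and account names are hypothetical.
-- Constructed mapping: which authenticated login may see which client ID.
DECLARE @UserClientAccess TABLE (
    UserLogin nvarchar(256) NOT NULL,
    ClientId  int           NOT NULL,
    PRIMARY KEY (UserLogin, ClientId)
);
INSERT INTO @UserClientAccess (UserLogin, ClientId)
VALUES (N'PORTAL\alice', 1001), (N'PORTAL\bob', 1002);

-- Constructed report data shared by every client site.
DECLARE @ReportRows TABLE (
    ClientId  int   NOT NULL,
    InvoiceNo int   NOT NULL,
    Amount    money NOT NULL
);
INSERT INTO @ReportRows (ClientId, InvoiceNo, Amount)
VALUES (1001, 1, 250.00), (1001, 2, 75.50), (1002, 3, 990.00);

-- In the report definition, @UserID is a parameter whose default value is the
-- built-in user ID (User!UserID in SSRS expression syntax). Mark it Internal,
-- not just Hidden, so a caller cannot supply it in the URL.
DECLARE @UserID nvarchar(256) = N'PORTAL\alice';

-- @ClientId is the identifier that arrives in the query string and is
-- therefore under the caller's control.
DECLARE @ClientId int = 1002;   -- alice requests a client she is not mapped to

-- Dataset query: the join only yields rows when the authenticated login
-- is mapped to the requested client, whatever value the URL carried.
SELECT r.ClientId, r.InvoiceNo, r.Amount
FROM @ReportRows AS r
JOIN @UserClientAccess AS a
  ON  a.ClientId  = r.ClientId
  AND a.UserLogin = @UserID
WHERE r.ClientId = @ClientId;

-- Same query with a client alice is mapped to.
SET @ClientId = 1001;
SELECT r.ClientId, r.InvoiceNo, r.Amount
FROM @ReportRows AS r
JOIN @UserClientAccess AS a
  ON  a.ClientId  = r.ClientId
  AND a.UserLogin = @UserID
WHERE r.ClientId = @ClientId;
```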
Answer 2:
If you set up item level permissions for each report you shouldn't have this issue.
Source: https://stackoverflow.com/questions/5396253/sharepoint-2010-ssrs-2008r2-security-hole