For security reasons we are using access rules and XPath constraints. Should the XPath constraint (path to user) be set for each role separately, or can I combine more than one module role for one XPath constraint? I am now facing security issues with Mendix: I can read all records of the object while the access rules and XPath constraint are set for the module role connected to the user who is logged in (using XPath injection / Burp Suite).
The XPath constraint to the user can be combined for multiple module roles.
Let's say you have a user and an admin in a module as roles; then you can define the path to the user for both module roles. You do need to take something about the permissions that you define into account, as the permissions cannot be empty and only contain an XPath to the user.
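As an added illustration (not from the original thread), two Mendix XPath constraints of the kind described above, each of which can be attached to a single access rule that has both the User and Admin module roles selected. The module name, entities and associations (MyModule, Order, OrderLine, Order_Account, OrderLine_Order) are assumed for the example.

```xpath
[MyModule.Order_Account = '[%CurrentUser%]']

[MyModule.OrderLine_Order/MyModule.Order/MyModule.Order_Account = '[%CurrentUser%]']
```

The first constraint restricts Order to rows owned by the signed-in account; the second walks from OrderLine through its Order to the same account, which is the "path to the user" for an entity that has no direct association. An access rule whose XPath field is left empty grants the selected roles every row of the entity, so checking that each role's rule carries one of these constraints is the first thing to verify when a scan reports that all records are readable.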