Session protection

Metrici provides powerful features for defining and running server-side processes. Although these features are strongly protected by the built-in security, it is good practice to disallow the most powerful functions from normal user sessions.

Metrici session protection does just that.

Session protection is switched on by default. When session protection is switched on, you cannot:

  • Run scripts other than those that have been marked as protected.
  • Edit scripts that are marked as protected.
  • Edit other important data that has been marked as protected.
  • Submit services through the Settings page.
  • Run web services that may update protected data, such as NodeImport.

You can switch off session protection on the Settings page. You will be asked for your password. Session protection will stay switched off until you switch it back on, or until you sign out.

You can mark data as protected by adding the protected tag (system.PROTECTED_TAG) to a node or a member type. If you add it to the node, the node cannot be edited with session protection switched on. If you add it to a member type, members of that type cannot be edited with session protection switched on.

The standard script types and script bindings are protected.

Session protection is not applied when making service calls from scripts or through the web services interface outside of a browser session. Services that may update protected data should test for the protected parameter, and raise an error if protected is set to true. You can test this behaviour by adding the parameter <protected>true</protected> to service calls.
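
The following sketch shows the kind of guard a service that may update protected data could apply. It is an added example, not Metrici's own code. The request elements <node> and <memberType>, the tag lookup tables and the sample references are hypothetical, and treating any value other than an explicit false as protected is an assumption chosen so that a malformed flag fails closed.

```python
import xml.etree.ElementTree as ET

PROTECTED_TAG = "system.PROTECTED_TAG"  # tag reference named on the page


class ProtectedDataError(Exception):
    """Raised when a protected call tries to update protected data."""


def is_protected_call(root):
    """Read the <protected> parameter from a parsed service request.

    Absent means the call is not under session protection. Assumption:
    any value other than an explicit "false" counts as protected, so a
    malformed flag fails closed.
    """
    elem = root.find("protected")
    if elem is None:
        return False
    return (elem.text or "").strip().lower() != "false"


def check_update(request_xml, node_tags, member_type_tags):
    """Return True if the update may proceed, else raise ProtectedDataError.

    node_tags / member_type_tags map a reference to its set of tags.
    <node> and <memberType> are hypothetical request elements.
    """
    root = ET.fromstring(request_xml)
    if not is_protected_call(root):
        return True
    node = (root.findtext("node") or "").strip()
    member_type = (root.findtext("memberType") or "").strip()
    # Protected tag on the node: the node itself cannot be edited.
    if PROTECTED_TAG in node_tags.get(node, set()):
        raise ProtectedDataError(f"node {node} is protected")
    # Protected tag on the member type: members of that type cannot be edited.
    if member_type and PROTECTED_TAG in member_type_tags.get(member_type, set()):
        raise ProtectedDataError(f"member type {member_type} is protected")
    return True


# Constructed sample data (not real Metrici references).
NODE_TAGS = {"demo.script": {PROTECTED_TAG}, "demo.note": set()}
MEMBER_TYPE_TAGS = {"demo.type.binding": {PROTECTED_TAG}}
```
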