MatchPoint 3.1.4 is released and it comes with some new features and changes, including bugfixes as well. This blog post provides a description about the most important changes and features.
Configuration: Web Part Security
The following two changes are intended to control security-related behavior.
MatchPoint basically provides a flexible configuration mechanism for web parts: They can be stored centrally or locally, a central web part can be copied to a local web part configuration. Data aggregation can be done either within the current user context
or within the context of an elevated user (e.g. "RunAsUser" configuration element in a ListItemDataApapter).
To avoid abuse of these flexible mechanisms the following two changes were implemented.
Disable / restrict local web part configurations
This parameter in the MatchPoint configuration controls the behavior for security-related configuration elements in local web part configurations such as "RunAsUser" or the "ToggleView" switch.
The table below shows the possible parameter values:
||Copy to Local
||Allows to copy central web parts to local configurations.
||Copy to local is disabled, local web part editing not possible.
||Editing of central web part configurations possible (security-related elements are shown), local web part editing general not possible.
||Copy to local is enabled, local web part editing is possible.
||Enabled for central web part configurations, restricted for local web part configurations.
Security Token for Web Parts with Central Configuration
With MatchPoint 3.1.4 it is possible to download a Web Part Definition file (".dwp") from the MatchPoint user interface. The ribbon button "Export Web Part Definition" is shown for all central web part configurations. The ".dwp" contains the type name of
the web part configuration, the configuration file name and a configuration file token. If a .dwp file is downloaded, the ConfigFileName could be changed easily and the dwp can be uploaded again. This represents a possible security leak (users could have Access
to configuration files they are not allowed to use).
To avoid this, the security token was introduced. If the configuration file name does not match the security token an error message is shown: "Invalid configuration file token".
Workflow Kit: Run Workflow As Current User
A workflow running on a list item always opened the list item as system account. This flag can be set in the MatchPoint configuration to open the list item with the current user.
Configuration: Culture as Pattern String
The "Culture" configuration element in the provisioning configuration (Level "WebDefinition") is now a pattern string.
Allow Custom values for BaseTemplate
The "BaseTemplate" configuration element in the provisioning configuration (Level "WebDefinition") now allows custom values.
Configuration: Web Part Page Definition available in Provisioning
A web part page definition can be used in a list definition (items collection) and allows to use a template to create the page with it.