RNB-IT

Security - related fields blank with FM server.

25 posts in this topic

We have record-based security enabled with the security tab. The global vars are loaded with data after the login of the user.

The rule is for viewing the Company data: 

If ( $$Account.Access_ALL ; 1; not IsEmpty ( FilterValues ( $$Account.Access_ID ;  _id  ) ) ) 

The _id field is for the Company; the rule is in the context of the @Company table.

For the Address table we have the rule:

( If ( $$Account.Access_ALL ; 1; not IsEmpty ( FilterValues ( $$Account.Access_ID ;  _id_company  ) ) ) )

_id_company is on the Address table; the rule is in the context of the @Address table.

When we relate the Company to the Address table, the data is correctly displayed on two separate layouts (one Company with data LA_Company and one Address with data LA_Address), and then the security works as expected for both layouts.

But when we make one layout LB_Company with a portal to LB_Address-Company, then on the version which is hosted on the server the portal with Address data is blank, but that's not the case when it runs in the standalone version.

Any suggestions are appreciated.

Thanks.


Is the portal to @Address, or to another table occurrence of @Address?

Please consider when you use global variables for security, they can be viewed and modified using the data viewer.


Please note Tom Fitch's comment about variables. They generally should not be used in Record Level Access Calculations, which is what it sounds as if you are employing here.

 

Steven


I have found that $$vars fail on hosted files when used in RLA. Use global fields.

 

see this thread

Edited by bcooney


RNB-IT may have accidentally reported Tom's post instead of replying to it. Here is the content of his reply:

It was another TO, LB_Address-Company.

I know that the $$vars are visible in the data viewer and are a not so good idea for security, but a global field is also not working correctly in FMS 14. So I want to drill down to the level where it works, and then move (upgrade) to a more secure solution.

When we use a privilege table with global fields for access and connect the privilege table with a cartesian link (x) on the layout table LA_Company, then still the portal is not showing the information in FMS 14, but in standalone FM14 there is no problem at all.


Josh: Yes, that's true, I pressed the wrong button.


What if you add a Refresh Window[flush cached...] ?

By the way, you don't need a join, cartesian or otherwise, to access global fields. You can read and write to them regardless of context.


Fitch: No success, same problem; security works in FM 14 but not on FMS14.

I will prepare a file database for upload...


Here is a test file. In the standalone version it works as expected; upload the version to an FMS14 and no data is shown in the portal.

To have full access use admin password admin

To have limited record access use: name: hans password: hans

All suggestions are welcome.

TestApp.fmp12


The file does not want to open... (The translator for this file....)

Could it be a timing issue / order of sequence issue?  If the relevant part of the RLA calc is not updated *before* the RLA calc fires then the RLA result may not give you what you need.

 

 

 


Hi, maybe this one will open (compressed .zip). What can I do so that the RLA is updated correctly?

TestApp.fmp12.zip


Nope, even the zip file won't uncompress.  "Unarchiver" says the file is not complete.

I did some troubleshooting on this about 6 months ago.  One way to help you see what is happening is to do this:

1- change your RLA calc so that it starts with this:

Let(

$$log = List( $$log ; "priv set evaluated at " & get(CurrentTimeUTCMilliseconds) ) ;

<rest of your calc here>

)

2- on your layout put a field in the top left corner and use conditional format to give it this calc.  Make sure this object is completely sent to the back of the stacking order

Let(

$$log = List( $$log ; "first object drawn on layout " & get(CurrentTimeUTCMilliseconds) ) ;

1
)

3- on your layout put a field in the bottom right corner and use the same cond format calc but to say "last object".  Make sure this object is completely brought to the front of the stacking order

4- whatever script that sets your RLA calc relevant parts: make it log the same way too.

Now whenever you log in and go to that layout you will see a log of the exact sequence of events, when things are drawn and when things get evaluated.

Back when I looked at it, I noticed there is a very real difference in the sequence when you use a global field vs a variable.

Once you understand the sequence you'll see where you can tweak it.  Note that we don't have full control over that sequence, some of it is completely governed by FM.

 

 

 

 


Hi,

Thanks for the explanation of the log files, very nice, but I still cannot get the security rules working on the server version.

What I see is that in the log files of the server version the portal is only evaluated for record number 0 (new records), but not for the record that should be displayed.

STANDALONE

first object record# 1 at 63572836260608
priv PERSON set evaluated record# 1 at 63572836260608
priv ADDRESS set evaluated record# 8 at 63572836260609
priv ADDRESS set evaluated record# 1 at 63572836260609
last objectevaluated record# 1 at 63572836260610
first object record# 1 at 63572836260610
last objectevaluated record# 1 at 63572836260610
priv PERSON set evaluated record# 1 at 63572836260611
priv ADDRESS set evaluated record# 1 at 63572836260611
PORTAL Fieldevaluated record# 1 at 63572836260611
PORTAL Fieldevaluated record# 1 at 63572836260611
priv PERSON set evaluated record# 1 at 63572836260615
priv ADDRESS set evaluated record# 1 at 63572836260615
priv ADDRESS set evaluated record# 1 at 63572836260616
priv ADDRESS set evaluated record# 0 at 63572836260617
priv ADDRESS set evaluated record# 0 at 63572836260617
priv PERSON set evaluated record# 1 at 63572836260618

SERVER OUTPUT

first object record#: 1 at 63572836436271
priv PERSON set evaluated record#: 1 at 63572836436271
last object record#: 1 at 63572836436279
first object record#: 1 at 63572836436280
last object record#: 1 at 63572836436280
priv PERSON set evaluated record#: 1 at 63572836436280
Portal Field object record#: 1 at 63572836436281
priv PERSON set evaluated record#: 1 at 63572836436284
priv ADDRESS set evaluated record#: 0 at 63572836436285
priv ADDRESS set evaluated record#: 0 at 63572836436289
priv PERSON set evaluated record#: 1 at 63572836436291
priv PERSON set evaluated record#: 1 at 63572836438391
priv PERSON set evaluated record#: 1 at 63572836438391
priv PERSON set evaluated record#: 1 at 63572836438391
priv PERSON set evaluated record#: 1 at 63572836438392
priv PERSON set evaluated record#: 1 at 63572836438410
priv PERSON set evaluated record#: 1 at 63572836438410
priv PERSON set evaluated record#: 1 at 63572836438411
priv PERSON set evaluated record#: 1 at 63572836438411

 

 

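The two $$log listings in the post above can be compared mechanically. The Python sketch below is an added example, not part of the original thread: it embeds a subset of the posted log lines, and its function names are hypothetical. It reports which record numbers each privilege calculation was evaluated for on each side, and whether that happened before the portal field was drawn.

```python
import re
from collections import defaultdict

# Subset of the $$log lines posted above (standalone client vs. hosted file).
STANDALONE_LOG = """\
first object record# 1 at 63572836260608
priv PERSON set evaluated record# 1 at 63572836260608
priv ADDRESS set evaluated record# 8 at 63572836260609
priv ADDRESS set evaluated record# 1 at 63572836260609
last objectevaluated record# 1 at 63572836260610
PORTAL Fieldevaluated record# 1 at 63572836260611
priv ADDRESS set evaluated record# 0 at 63572836260617
"""

SERVER_LOG = """\
first object record#: 1 at 63572836436271
priv PERSON set evaluated record#: 1 at 63572836436271
last object record#: 1 at 63572836436279
Portal Field object record#: 1 at 63572836436281
priv ADDRESS set evaluated record#: 0 at 63572836436285
priv ADDRESS set evaluated record#: 0 at 63572836436289
priv PERSON set evaluated record#: 1 at 63572836436291
"""

# Accepts both spellings seen in the thread: "record# 1" and "record#: 1".
LINE_RE = re.compile(
    r"^(?P<event>.+?)\s*record#:?\s*(?P<rec>\d+)\s+at\s+(?P<ts>\d+)\s*$")
PRIV_RE = re.compile(r"^priv\s+(?P<table>\S+)\s+set evaluated$")


def parse_log(text):
    """Return (event, record_number, timestamp_ms) tuples; skip other lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["event"], int(m["rec"]), int(m["ts"])))
    return entries


def rla_coverage(entries):
    """Map each table to the record numbers its privilege calc ran for."""
    seen = defaultdict(set)
    for event, rec, _ts in entries:
        m = PRIV_RE.match(event)
        if m:
            seen[m["table"]].add(rec)
    return dict(seen)


def missing_on_server(standalone, server):
    """Records whose calc ran standalone but never in the hosted session."""
    gaps = {}
    for table, recs in standalone.items():
        lost = recs - server.get(table, set())
        if lost:
            gaps[table] = sorted(lost)
    return gaps


def evaluated_before_portal(entries, table):
    """True if the table's calc is logged before the first portal field draw."""
    for event, _rec, _ts in entries:
        if event.lower().startswith("portal field"):
            return False
        m = PRIV_RE.match(event)
        if m and m["table"] == table:
            return True
    return False


if __name__ == "__main__":
    sa, sv = parse_log(STANDALONE_LOG), parse_log(SERVER_LOG)
    print("standalone:", rla_coverage(sa))
    print("server:    ", rla_coverage(sv))
    print("never evaluated on server:",
          missing_on_server(rla_coverage(sa), rla_coverage(sv)))
    print("ADDRESS calc before portal draw (standalone / server):",
          evaluated_before_portal(sa, "ADDRESS"),
          evaluated_before_portal(sv, "ADDRESS"))
```

The record numbers are whatever Get ( RecordNumber ) returned inside the privilege calculation, so logging the primary key instead makes the comparison unambiguous.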

How exactly are you trying to create the copy of the file (TestApp) before you attempt to zip and upload it?


This seems so similar to the issue I experienced. Have you tried global fields?


Yes, also with global fields I have the same results.

I think I made the mistake of leaving FileMaker open and then making the archive, but here it is.

Compressed with standard OSX 10.10.4

TestApp.fmp12.zip


A couple of things.

A calculation like this is a monster; don't nest function calls if you want to be able to read it and understand it next week, or by anyone else that needs to look at it.

Let(

$$log = List( $$log ; "priv ADDRESS set evaluated record# " & Get (RecordNumber) & " at " & Get(CurrentTimeUTCMilliseconds) ) ;

( not IsEmpty ( FilterValues ( FilterValues ( Get ( AccountExtendedPrivileges ) ; SC_Users::privileges ) ; "Address1View" ) ) )
	and 
( If ( SC_Users::access_all ; 1 ; not IsEmpty ( FilterValues ( SC_Users::accesss_id ; _id_Person ) ) ) )
)

 

Break it down in manageable statements inside the Let() function.  I have no idea what I'm reading here.

The other thing to consider is to think hard about the "evaluate this calculation from the context of" in the top left corner of the priv set calculation (as with any other calculation)...

 

 


At the very least, add a comment that expresses in normal English what should happen so that someone that reviews can check the purpose against the actual.

 

As was written in Structure and Interpretation of Computer Programs (aka SICP), the seminal textbook of programming taught for years at MIT, “A computer language is not just a way of getting a computer to perform operations … it is a novel formal medium for expressing ideas about methodology. Thus, programs must be written for people to read, and only incidentally for machines to execute.” A great program is a letter from current you to future you or to the person who inherits your code. A generous humanistic document.

As a last thought for tonight, I'm not sure that Get(RecordNumber) in a priv set calc is the same as the Get(RecordNumber) that you think the user is looking at.  Use the primary key of the record for the logging function to be certain.

Edited by Wim Decorte


The file is still unreadable.

This is just really basic stuff; it is hard to see why you're having a problem with this.

It is NOT in a Dropbox folder, right?

It is NOT being served by FileMaker Server, right?

If locally opened, you really did QUIT FileMaker right?


Hi BruceR

NOT in a Dropbox folder, NOT served by FileMaker, FileMaker closed, and on all my other computers I can uncompress the file without any problem. I think that the fmforums upload is the problem; there is something going wrong at that point, maybe file size?

If you like, send me your email and I will we-transfer it.

 


Hi Wim,

You are right, nesting could be difficult to read, but there is only one nesting in both lines...

Line 1:

Your line, with one statement more, to see where the switch is in the $$log between two records, and I will set it to the primary key.

Line 2:

Has the user (group) the rights that are defined in the extended privilege set,

and is the result correct to see the information as defined.

Line 3:

Has the user rights to see all information, or is it limited to just a few records.

In a Let statement it would not be much better:

Let ( [

// get the user rights to access the table
~privilegeUser = FilterValues ( Get ( AccountExtendedPrivileges ) ; SC_Users::privileges ) ;
~privilegeDef = FilterValues ( ~privilegeUser ; "Address1View" ) ;
~privilegeAccess = not IsEmpty ( ~privilegeDef ) ;

// get the user rights to access the records by id
~idUser = FilterValues ( SC_Users::accesss_id ; _id_Person ) ;
~idUserAllowed = not IsEmpty ( ~idUser ) ;
~idAccess = If ( SC_Users::access_all and ~idUserAllowed ; 1 ; 0 ) ;
// result
$result = If ( ~privilegeAccess and ~idAccess ; 1 ; 0 ) ] ;

$result )

The last part for the _id's is necessary for displaying related information on the same layout with the appropriate rights for the user.

On the part about "evaluate this calculation from the context of": because the calculation is one that has to be universal for ALL layouts, I use a separate TO structure, with connections based on the AccountName.

I see one typo:

~idAccess = If ( SC_Users::access_all and ~idUserAllowed ; 1 ; 0 ) ;
should be
~idAccess = If ( SC_Users::access_all or ~idUserAllowed ; 1 ; 0 ) ;
 


Here's my version, wrote it on the plane-ride to Las Vegas

 

Let(
[
$$log = List( $$log ; "priv ADDRESS set evaluated record# " & Get (RecordNumber) & " at " & Get(CurrentTimeUTCMilliseconds) ) ;

_has_all_access = if( SC_Users::access_all = <what?> ; true ; false ) ;

_user_privs = FilterValues ( Get ( AccountExtendedPrivileges ) ; SC_Users::privileges ) ;
// why this?  why not just take the Account ext privs?


_has_address_view = if( isempty( FilterValues ( _user_privs ; "Address1View" )) ; false ; true ) ;

_owns_record = if( IsEmpty ( FilterValues ( SC_Users::accesss_id ; _id_Person ) ) ; false ; true )

];

case(
_has_all_access = true ; true ;
_has_address_view = true and _owns_record = true ; true ;
false

)

)

 

Note that I'm a lot more explicit in the IF statements.  One reason for that for instance is where you do IF( SC_Users::access_all )

 

That field is a text field so it can contain pretty much anything.  If I read your calc I have no clue what you are testing in the IF.  I can ASSUME it will contain 1 or 0 but why not just be explicit so that there are no assumptions?


Hi

_user_privs = FilterValues ( Get ( AccountExtendedPrivileges ) ; SC_Users::privileges ) ;
// why this?  why not just take the Account ext privs?
When there is a version update of my application, not all users have to (re)set a new password. The administration of all users is from a table Users. I know security-wise it is better to add the users in FileMaker, but you can limit the access to this table in a way that the table is only available for Admin (full access) or for a few moments at the log-in window, and otherwise it is read-only. The password is stored as MD5 in the file and all other security fields should be memory based (globals); this configuration is not yet set in the TestApp.

SC_Users::access_all
Of course the value is only 1 or 0; maybe it's better to use a custom function like #boolean ( SC_Users::access_all ), then it's even more flexible and reusable than hard coding.

I like the discussion about the style of coding and readability of the coding, that is very important, but the record level privilege problem in FileMaker Server is still an issue... and I really want to solve it.

 


 

SC_Users::access_all
of course the value is only 1 or 0
 
Nothing "of course" about it.  The field is empty in your test file and it is a text field so it could be a lot of things including multiple values.  Easy to make a mistake there and your code offers no comments or other explanation.
 

 

I like the discussion about the style of coding and readability of the coding, that is very important, but the record level privilege problem in FileMaker Server is still an issue... and I really want to solve it.

 

The two go hand-in-hand so don't dismiss it.  You're asking us to look at your code and help figure out what the issue could be; we can't do that if the code is not transparent.

As Barbara already indicated and I have too; this kind of issue behaves differently when using variables vs. global fields and in both our cases it worked as expected when using global fields.  Given that, I'm still trying to determine if there is anything in your code that is not what you expect it to be.

 
 
 


Hi, I got the problem: a <missing index> warning for the records/fields in the tables SC_Person and SC_Address.

The structure of the tables in the graph, basically a "selector - connector" solution:

SC_USERS  -- SC_Person  ( link on username   =   ACCOUNT.NAME )

ACCOUNT.NAME is a calculated field with the value $$Accountname, which is initialized at the log-in screen.

SC_USERS is connected to the layout table with x_Joins  according to the selector connector solution.

If we place one field  from the SC_Person on my layout it says <missing index>.

When we change the link to an x (cross)

SC_USERS  -- SC_Person  ( on username   x   ACCOUNT.NAME ) it works.

And the link is only used to see all files, so ACCOUNT.NAME can be removed and the x_Join field used instead.

Thanks for all the assistance and ideas for coding.

Ruud
