Jump to content
Claris Engage 2025 - March 25-26 Austin Texas ×

Control what scripts can be invoked using fmp protocol

OlgerDiekstra

By OlgerDiekstra
in Security Concepts

 Share

This topic is 2559 days old. Please don't post here. Open a new topic instead.

Recommended Posts

OlgerDiekstra Proficient

OlgerDiekstra

Posted
Posted

Hi Guys,

As I'm developing an app, making use of the fmp protocol to invoke other databases, I was left wondering.

I use username/passwords to invoke scripts from another database using the fmp protocol, and if no username/password is specified it asks for one. But, if  the user logging in is known and has the correct password, they could invoke any scripts they have access to in the database they're invoking. Note that I don't expect endusers to specify what script to invoke. I do this using scripts, the end user has no idea they're going from one DB to another.

But it left me wondering. If someone created their own little local database, they can effectively invoke any script (as long as the user they're logging in with has access to invoke scripts using urls) that lives in the database if they know the correct name of the script. I know, it's very unlikely they'll be able to guess the names, or that they'll be able to retrieve a list of script names, but having worked in IT for well over 20 years mostly as a Network Engineer with a lot of security focus, I just can't help but wonder if there's a way for me to control what scripts can be invoked using a url.

I know that the OnWindowFirstOpen always gets invoked if used, and that would be the place I would probably test. But afaik I can't retrieve the script stack, therefore can't check what script gets invoked after the OnWindowFirstOpen script.

Is there a way, in the DB being invoked, to retrieve the script specified in the fmp url? If I can retrieve that script name, I can create a list of scripts that are allowed to be invoked by fmp. I realize I have to be careful when renaming those scripts of course.

Steven H. Blackwell Grand Master

Steven H. Blackwell

Posted
Posted

Starting in FileMaker® Pro 16, users cannot call scripts using FMPURL unless and until their Privilege Set is explicitly set to allow them to do so.  Look in the Extended Privileges section.

 

ExtendedPrivilegesOff.png.bf5c62985f72be809f01e2788daf16b0.png

 

Steven H. Blackwell

  • Thanks 1
OlgerDiekstra Proficient

OlgerDiekstra

Posted
  • Author
Posted

Yeah, but that's an all or nuthin' approach. I like a bit more granular control. Out of all my hundreds of scripts, only a handful are used with the fmp protocol. It makes sense to restrict fmurlscript to only those.

But can I? It can't be done through priviliges, at least not as far as I can see.

This topic is 2559 days old. Please don't post here. Open a new topic instead.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept