
Just found a nasty security flaw


hbrendel

This topic is 3683 days old. Please don't post here. Open a new topic instead.


Since the beginning I've been hiding the status area in all of my solutions. All the functionality that is needed is built into the interface.

 

I just found out that on Mac one can simply right-click the title bar and choose 'Customize Toolbar...' And voilà: the status bar appears... and it's going to stay.

 

I don't know if it's been like that in earlier versions. I suspect that it is. Probably it's an OS thing, so I doubt that FMI can fix this.

 

Now I need to revise all my solutions to add the script step 'Hide Toolbars' to all relevant scripts. I also have to empty the layout menu.

 

Don't know how it is on Windows...

 


I submitted a bug report to FileMaker. I haven't tested yet, but what permission level access do the users have? Also, you may try to deploy custom menus; these in the short term may lessen the unintended impact.


This is why the standard best practice is to handle security using FileMaker's security features, with user interface controls only playing a supporting role. Short of best practices, custom menus mitigate the amount of damage users can do with this. (After all, if you weren't using custom menus already, showing the toolbar doesn't really expand what users can do, only the discoverability of what they can do.)


The toolbars may be exposed but they can be rendered essentially inert via the settings in the Privilege Set.  This is one of the reasons that the default setting for a new Privilege Set is "Minimum" menu availability.

 

The UI is not part of the security schema.

 

Perhaps I can say more at a later time.  Headed out the door to a conference now.

 

Steven


I admit it's not a security flaw. Now I have emptied the layout dropdown in all my solutions, and the rest was already disabled by clever custom menus.

 

But it is a pain in the xxx. At the bottom, 25 pts of the layout area disappear. Essential buttons could be placed there. The window could have the zooming option disabled. Hours of meticulous designing are wasted.

 

Maybe I'm exaggerating, but I consider this a serious bug.


I understand your frustration and aggravation.  However, the UI is not part of the security schema.

 

Just because there is no Print menu item does not mean I cannot print a record.

 

Just because there is no New Record menu item does not mean I cannot create a new record.

 

Just because there is no Delete Record menu item does not mean I cannot delete a record.

 

All these elements and many others as well are controlled by the privilege bit settings in the Privilege Set.  Some apply only to the file in which they are defined, e.g. Print.  Others apply across files in a solution, e.g. edit records.

 

Steven
