4 Replies Latest reply on Jan 14, 2014 6:48 AM by TSGal

    Privilege Set - Available Menu: Minimum does not disable View go to layout in fmwebdirect

    DavidThomas_2

      Summary

      Privilege Set - Available Menu: Minimum does not disable View go to layout in fmwebdirect

      Product

      FileMaker Server

      Version

      13.0.1

      Operating system version

      Windows Server 2008 R2 SP1

      Description of the issue

      Users using fmwebdirect are able to select any layout, even though the minimum menu option is chosen in Edit priv set.

      Go to Layout is not disabled with either minimum or editing only.

      There seems to be a bug with disabling hierarchical menus, as the Record Go to menu is also not greyed out.

      Behavior is correct in FileMaker Advanced 13 and FileMaker Go 13.

      Steps to reproduce the problem

      Set up a priv set with Available menu commands: minimum.

      Hide toolbar script

      Enable fmwebdirect on database extended privileges

      Using your favorite web browser (i.e. Chrome, Firefox, etc.), go to the database.

      Go to the View menu, Go to Layout, and choose any layout.

      Expected result

      Should be disabled as per other clients.

      Actual result

      Fatal security hole allowing users to jump to any layout they choose.

      Exact text of any error message(s) that appear

      No error message

      Workaround

      None, besides disabling web access to the database

      2014-01-13_115248.png

        • 1. Re: Privilege Set - Available Menu: Minimum does not disable View go to layout in fmwebdirect
          TSGal

               David Thomas:

               Thank you for your post.

               Go to Layout and Go to Record will always be available from the Standard Menu set whether you have security settings set for "All", "Editing only" or "Minimum".  If you have certain Layouts restricted, then those layouts will not show.

               For example, if I create a new Privilege Set "test" that includes "Records: View only in all tables", "Layouts: All view only", "Value lists: All view only", and "Scripts: All executable only", and Available menu commands set to Minimum, I am able to view all layouts, all records, and I can skip between Layouts using "Go to Layout" as well as move to other records with "Go to Record".

               Please let me know exactly what you have set up so I can replicate the issue.

               TSGal
               FileMaker, Inc.

          • 2. Re: Privilege Set - Available Menu: Minimum does not disable View go to layout in fmwebdirect
            philmodjunk

                 What you can do (at least in regular FileMaker and I would expect the same in WebDirect) is:

                 Clear the "include in menu" check boxes for each and every layout you don't want to be accessible in the layout drop down. You can use Manage | Layouts to pull up a list of all layouts where you'll also find this check box and can clear or select it.

                 or

                 Hide and lock the status bar in order to make the whole layout drop down inaccessible

                 or

                 Modify your privilege set to make layouts you don't want users to be able to access inaccessible.

            • 3. Re: Privilege Set - Available Menu: Minimum does not disable View go to layout in fmwebdirect
              DavidThomas_2

                   In reply to TSGal.

                   "Go to Layout and Go to Record will always be available from the Standard Menu set whether you have security settings set for "All", "Editing only" or "Minimum". If you have certain Layouts restricted, then those layouts will not show."

                   I should add that the user Privilege level is [Data Entry Only].

                   This is following the behaviour of FMP13 or FM Go 13 as shown in the enclosed screenshots:

                   Image1: FMP13Adv - Go to record menu disabled as expected (2 records are in the set; next, prev and go to are greyed out)

                   Image2: FMP13Adv - Go to layout menu disabled as expected

                   Image3: FM Go 13 - Layout popup and view as are locked to the current layout as expected.

                   For consistency, WebDirect should mirror the behaviour of the existing clients.

                   The WebDirect Go to Record > Go to... does not bring up a dialog box (Next and Previous are also greyed out), so it is effectively disabled.

                   The WebDirect Go to Layout > is not greyed out and all ticked layouts are listed, which is not expected, but View as Form, List, Table is disabled as expected. So I expect there is a bug with disabling hierarchical menus in WebDirect.

              • 4. Re: Privilege Set - Available Menu: Minimum does not disable View go to layout in fmwebdirect
                TSGal

                     David Thomas:

                     There is still something missing from your description.  When you create an account and set the privilege set to [Data Entry Only], the menu set cannot be changed from [All].  "Go to Layout" and "Go to Record" are fully functional.

                     TSGal
                     FileMaker, Inc.