4 Replies Latest reply on May 20, 2016 8:12 AM by comment

    Editing value list does not respect Security

    LaRettaK

      Product and version

      tested in 11, 12, 13 and 15

       

      Description

      If a value list is set to 'allow editing of value list' but the User's privilege set is “View only”, that User should not have the ability to edit.

       

      Discussion here

      http://fmforums.com/topic/99728-control-editing-of-value-lists/?do=findComment&comment=453896

        • 1. Re: Editing value list does not respect Security
          TSGal

          LaRettaK:

           

          Thank you for your post.

           

          The privilege setting "Value Lists: All view only" is only about creating/modifying the definition of value lists.  The Inspector option about editing value list content is not about changing schema definitions, so it is not covered by that privilege.

           

          In FileMaker Pro 15 Help -> Protecting databases -> Creating and editing privilege sets -> Editing value list privileges

           

          "Setting a value list privilege to View only or choosing All view only prohibits opening the Manage Value Lists dialog box in order to create or edit value lists.  However, even if a value list privilege is set to view only, you can make a value list modifiable for users with the appropriate privileges: format the field object with the options that permit adding new value list items or editing existing value list items (or both)."

           

          In the other link, one user wants to display "Edit values" for certain users.  One way to do this is to place the field on the layout twice where one has "Allow editing of value list" checked, and the other field has it unchecked.  Then use the "Hide object when" calculation to hide one field depending on AccountName or CurrentPrivilegeSetName, and hide the other field when the opposite condition is true.

           

          TSGal

          FileMaker, Inc.

          • 2. Re: Editing value list does not respect Security
            comment

            With respect, this is not the appropriate response.

             

            For one thing, a custom value list certainly is a part of the schema (otherwise why is it included in a clone?).

             

            For another, the gist of this is that setting a value list privilege to "View only" has absolutely no meaning; as soon as the 'Manage Value Lists' window gets opened by any means (e.g. by clicking on Edit... while in a field, or by opening it explicitly by a script), any user can edit any value list they choose. That's just not right: security should be enforced at data level and users should not be able to override it by navigating.

             

            Apparently the author of the passage quoted from the help is aware of this, so this is arguably not a bug, but an intended behavior. Nevertheless, it is a serious flaw in the security schema and I would like to see FMI treat it as such.

            • 3. Re: Editing value list does not respect Security
              TSGal

              comment:

               

              I recommend entering your comments (no pun intended) to our Product Ideas board at:  Product Ideas

               

              The Product Ideas board is monitored by Product Management and Development.  All postings are read, discussed and considered for possible implementation in a future release.

               

              TSGal

              FileMaker, Inc.

              • 4. Re: Editing value list does not respect Security
                comment

                TSGal

                 

                I don't work for FMI. You've had a report of a product issue. I suggest you take it seriously and don't expect me to deliver your internal mail.