3 Replies Latest reply on Jun 8, 2016 3:49 PM by Extensitech

    Globals and edit access

    kiwikaty

      I "think" I have discovered that edit access permissions do not seem to apply to global fields?

       

      E.g. I was setting who the user was at login in a global, and you could only edit records in this single record table when the field "allowEdit" = 1 (this is what I set the edit limitation to for the web priv set under security). The login script would run a subscript to set this allowEdit field to 1, set the userid field into the global to get(accountname) and then set allowEdit back to 0.

       

      I assumed then that the person could not change the username global to someone else's userid, as it would not allow them edit access to this field. However, testing revealed that if I made the userid a text field they could not edit it, as expected, but for as long as it was a global field they could edit it to their heart's content! I always assumed edit access would cover ALL fields in the table? I cannot make userid a text field as there are multiple users coming into the solution at once. I was going to use the userid that had been set in the single record table field to control edit access to fields in another table, but this is not safe if the userid global remains editable.

       

      I have changed things to use get(accountname) rather than the userid field but was a bit shocked I did not know this about edit security and global fields?

       

      I think it would be good to add this information to the help file where it explains about global fields if they are still editable when the priv set limitations are returning a false value for the record? Maybe it is already there? Maybe I should have known this already.

       

      Many thanks

      Kiwikaty

        • 1. Re: Globals and edit access
          keywords

          Have you tried simply not giving users access to the global field(s) in question? If the purpose of the field is functional, why do they need to even know that the field exists?

          • 2. Re: Globals and edit access
            kiwikaty

            Hi, do you mean on any layouts etc?

             

            I do not have it on user layouts but all our work goes through security testing so not having a field on a layout does not mean they cannot alter it – but I do not think this is what you are suggesting anyway…

             

            Do you mean change the field access for that field userid to “View Only” (for that priv set), and that would be OK, as the script that is running to set the global is set to use full access rights anyway, so it does not need the user to have modifiable access?

             

            In which case I have not tried that and will test and see if that would solve the issue instead!

             

            Thank you for taking the time to reply ☺

            • 3. Re: Globals and edit access
              Extensitech

              Can't reproduce this. I know that in the past I've removed access, at the table level in security settings, from global fields (usually because I forgot that I really did want the limited user to be able to change the global field). I just double-checked in FM15, and if I create a priv set that can't edit the table with the global in it, or if I grant access but specifically mark the global field as view only using the "field access" option, then I can't edit the global field under that priv set, with the field on the layout and open in browse.

               

              What specifically are you seeing that makes you think A) the global field is not accessible under the privilege set and B) they can edit it anyway?

               

              Not sure this is relevant to your issue, but I did discover some time ago that record privileges are evaluated when a record is opened, and don't get reevaluated as each edit is made. Is it possible that your user opened the record when allow edit equaled 1, then unset it and reset it without committing? That would be allowed...

               

              HTH

              Chris Cain

              Extensitech