I "think" I have discovered that edit access permissions do not seem to apply to global fields?
e.g I was setting who the user was at login in a global and you could only edit records in this single record table when the field "allowEdit" = 1 (this is what I set the edit limitation to for the web priv set to under security) , the login script would run a subscript to set this allowEdit field to 1, set the userid field into the global to get(accountname) and then set allowEdit back to 0.
I assumed then that the person could not change the username global to someone else's userid as it would not allow them edit access to this field. However testing revealed that if I made the userid a text field they could not edit it as expected but for as long as it was a global field they could edit it to their hearts content! I always assumed edit access would cover ALL fields in the table? I cannot make userid a text field as there are multiple users coming into the solution at once. I was going to use the userid that had been set in the single record table field to control edit access to fields in another table but this is not safe if the userid global remains editable.
I have changed things to use get(accountname) rather than the userid field but was a bit shocked I did not know this about edit security and global fields?
I think it would be good to add this information to the help file where it explains about global fields if they are still editable when the priv set limitations are returning a false value for the record? Maybe it is already there? Maybe I should have known this already.