3 Replies Latest reply on Sep 28, 2016 8:26 AM by dtcgnet

    Open Remote security issue?

    dtcgnet

      Product and version: FMPA, 15.0.1.119; FMS 15.0.1.137

      OS and version: OS X El Capitan, 10.11.5

      Browser and version (for WebDirect only)

      Hardware: MacBook Pro

      Description: There are two settings in the Host Setup section of the Open Remote dialog: 1) Show all available files for this host, and 2) Show only these files. Using FMS 15 as the host, when you first go to Open Remote, you're required to enter credentials. With the FMP host settings set to "Show all available files", you will be shown all files for which the credentials you enter are valid. You will NOT be shown files for which the credentials you enter are not valid. However, with the setting "Show only these files", if the credentials you enter are valid for any file on the server, then you will be shown every database in the "Show only these files" list, even if the credentials you enter will not allow you access to those files.

      How to replicate: Set File Settings to "Show all available files for this host", click Save, and select the host. Enter valid credentials for a database (the credentials could be the same for more than one database [as in a multi-file solution]). You'll see only databases for which those credentials are valid. Change the File Settings to "Show only these files" and enter the names of a number of databases. Save. Select the host, and enter credentials valid for a database which you did NOT include in the "Show only these files" list. You will be shown databases for which you do not have access (and you won't see the one which you left out of the list but which was the one that matched the credentials you entered). (By the way, my FileMaker Server is set to "List only the databases each user is authorized to access" in the File Display Filter area.)

      Workaround (if any): None

       

      If I enter File1, File2, File3, File4, File5 in the "Show only these files" list, and I only have access to File1 and I've selected the FMS option to "List only the databases each user is authorized to access", then I should NOT see File2, File3, File4, File5. However, I will see all five files.

       

      If I have a multi-file solution and users should only open FileA (which would then open FileB and FileC as part of the startup script), then the user's credentials would be valid for FileA, FileB, and FileC. I would NOT want to show FileB and FileC in the list of available files, so I'd select "Show only these files" and I'd list only FileA. But if SuperSecretFile1 and SuperSecretFile2 were also in the list, then I'd be able to see those databases listed when I entered my valid credentials for FileA.

        • 1. Re: Open Remote security issue?
          TSGal

          dtcgnet:

           

          Thank you for your post.

           

          I can replicate the issue.  However, in order to do this, the client would need to know the name of a hosted file that she/he doesn't have access to, in order to add it to the list.  For instance, using your example, if the client only has access to File1, the client would somehow need to know the names of File2, File3 or one of the other hosted files.

           

          In your second example, you would not be able to see SuperSecretFile1 or SuperSecretFile2 unless you know the name of the file, or your credentials allowed access to the files.

           

          Regardless, I have sent your post to our Development and Testing departments for review.  When I receive any feedback, I will let you know.

           

          TSGal

          FileMaker, Inc.

          • 2. Re: Open Remote security issue?
            TSGal

            dtcgnet:

             

            Development has replied this is the intended behavior.  Anything typed in the list of files to show will be displayed, even if the name doesn't match any files.  Again, the limited credentials user would have to know the name of the file(s) to enter.

             

            I recommend posting a suggestion to the Product Ideas board at: Product Ideas

             

            The Product Ideas board is monitored by Product Management and Development.  All feature requests are read, discussed and considered for possible implementation in a future release.

             

            TSGal

            FileMaker, Inc.

            • 3. Re: Open Remote security issue?
              dtcgnet

              If it's intended behavior, that's fine with me. I appreciate your looking into it for me!