NBusch

DataViewer allows access to blocked content

Discussion created by NBusch on Feb 19, 2018
Latest reply on May 15, 2018 by TSGal

If a file is opened without full access, the data viewer if active will ask for credentials in order to display any data. While the display is obscured for the user without developer rights, any calculations stored in the "watch" panel of the dataviewer are still executed. It is therefore easy to set the content of any variable the user knows the name of by simply creating a new database and adding an expression like

 

Let( $$supervisor = 1; 1 )

 

to the dataviewer. A script in a protected field that looks into the value of this variable will now always find it to have the value 1. As it is easy to read out the scripts of any protected file this constitutes an easy way for users to get around any controls based on the value of variables.

Even worse, the dataviewer will execute code like

 

Let ( [

table = getvalue( TableNames ( Get ( FileName )  ) ; $count );

val = ExecuteSQL ( "Select * from " & table ; ""; "" );
path = MBS ( "Path.Filemakerpathtonativepath" ; Get ( DesktopPath ) & "test.txt" ) ;

tmp = MBS( "Text.AppendTextFile"; val ; path )  ] ;
""

)

 

in a protected file. An export of the complete contents of a file for which you have no export rights is no problem this way.

 

So I propose to completely block the dataviewer from executing any calculations if the user doesn't have the access level required to use that tool.

Outcomes