If a file is opened without full access, the data viewer if active will ask for credentials in order to display any data. While the display is obscured for the user without developer rights, any calculations stored in the "watch" panel of the dataviewer are still executed. It is therefore easy to set the content of any variable the user knows the name of by simply creating a new database and adding an expression like
Let( $$supervisor = 1; 1 )
to the dataviewer. A script in a protected field that looks into the value of this variable will now always find it to have the value 1. As it is easy to read out the scripts of any protected file this constitutes an easy way for users to get around any controls based on the value of variables.
Even worse, the dataviewer will execute code like
Let ( [
table = getvalue( TableNames ( Get ( FileName ) ) ; $count );
val = ExecuteSQL ( "Select * from " & table ; ""; "" );
path = MBS ( "Path.Filemakerpathtonativepath" ; Get ( DesktopPath ) & "test.txt" ) ;
tmp = MBS( "Text.AppendTextFile"; val ; path ) ] ;
in a protected file. An export of the complete contents of a file for which you have no export rights is no problem this way.
So I propose to completely block the dataviewer from executing any calculations if the user doesn't have the access level required to use that tool.