LJ has elaborated on security by obscurity enough I think.

Presumably users have a standard way of navigating the application that will 
get them to the desired view.

The question is how they would get to the wrong view by mistake?

If they cheat and manage to get there bypassing the intended navigation, they 
can do no damage if your underlying permission model holds.

/Misi

LJ LongWing <[email protected]> wrote: (17 November 2017 17:47:12 CET)
>as long as your permission model is secure then letting them into that
>view won't give them access to something they shouldn't have access
>to....then it shouldn't be an issue for them to be there....but, the
>method outlined before will prevent it nonetheless if that's your wish :)
>
>On Fri, Nov 17, 2017 at 9:17 AM, Thomas Miskiewicz <[email protected]>
>wrote:
>
>> Well they don't have access to the things they shouldn't have access to,
>> but I don't want them to even get to those things they don't have
>> access to...
>>
>> On Fri 17. Nov 2017 at 17:15, LJ LongWing <[email protected]> wrote:
>>
>>> No, it's more of a factor of 'what is in the admin view that they
>>> shouldn't have access to'...and should you change permissions to those
>>> elements so that even if they make it into the Admin view, they don't
>>> have access to the things they shouldn't have access to :)
>>>
>>> On Fri, Nov 17, 2017 at 8:57 AM, Thomas Miskiewicz
>>> <[email protected]> wrote:
>>>
>>>> You mean separating the admin and user views into two different
>>>> forms?
>>>>
>>>> On Fri 17. Nov 2017 at 16:55, LJ LongWing <[email protected]>
>>>> wrote:
>>>>
>>>>> Thomas,
>>>>> This is my favorite topic of 'security through obscurity'.....if
>>>>> the method that things are secured is by simply not 'showing them'
>>>>> to the user...or, putting them behind a curtain....then it's not
>>>>> truly security. I believe what Misi is saying is that by creating
>>>>> an AL that prevents the user from getting to this particular view,
>>>>> you are trying to secure it by putting it behind a curtain.....if
>>>>> there are elements on the view that you don't want the users to
>>>>> have access to, then they shouldn't have permissions to them....this
>>>>> would prevent them from wreaking any havoc because even if they had
>>>>> access to the view, they wouldn't be able to do anything they didn't
>>>>> have permission to do anyway...
>>>>>
>>>>> On Fri, Nov 17, 2017 at 8:47 AM, Thomas Miskiewicz
>>>>> <[email protected]> wrote:
>>>>>
>>>>>> Oh yea? Please elaborate.
>>>>>>
>>>>>> On Fri 17. Nov 2017 at 16:46, Misi Mladoniczky <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> If you have to rely on GUI functionality to do this, one could
>>>>>>> argue that your permission strategy is faulty to start with...
>>>>>>> /Misi
>>>>>>>
>>>>>>> Thomas Miskiewicz <[email protected]> wrote: (17 November 2017
>>>>>>> 14:42:20 CET)
>>>>>>>> Hello there,
>>>>>>>>
>>>>>>>> I have *Form A* with *User View* and *Admin View*. How can I
>>>>>>>> prevent unauthorised access to the Admin View?
>>>>>>>>
>>>>>>>> If there is no configurable state of the art way maybe you have
>>>>>>>> an elegant idea how to achieve it?
>>>>>>>>
>>>>>>>> Thank you
>>>>>>>>
>>>>>>>> Thomas
>>>>>>>>
>>>>>>> _ARSlist: "Where the Answers Are" and have been for 20 years_
>>>>>>>
>>>>>>> --
>>>>>>> sent from my Android-unit with K-9 Mail.
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
>_______________________________________________________________________________
>UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
>"Where the Answers Are, and have been for 20 years"

-- 
sent from my Android-unit with K-9 Mail.

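A small model of the distinction Misi and LJ draw above, added here as an illustration (it is not code from the thread or from AR System): an active link that steers users away from the Admin View is navigation, while field-level permissions checked on every save are the actual control. The form fields, group names and function names are invented.

```python
# Constructed example of "Form A": field -> groups allowed to write it.
# Invented values, not a real AR System definition.
FIELD_WRITE_PERMISSIONS = {
    "Short Description": {"Public", "Administrator"},
    "Status": {"Public", "Administrator"},
    "Assigned Group": {"Administrator"},
    "Approval Override": {"Administrator"},
}


def navigate(user_groups, requested_view):
    """Stand-in for an active link that sends non-administrators back to
    the User View. It is navigation, not access control: a request
    submitted directly never passes through here."""
    if requested_view == "Admin View" and "Administrator" not in set(user_groups):
        return "User View"
    return requested_view


def save_curtain_only(user_groups, changes):
    """'Behind a curtain': the server assumes navigate() kept the user out
    of the Admin View and checks nothing itself, so a request that skipped
    the navigation is accepted in full."""
    return {"accepted": dict(changes), "denied": []}


def save_with_permissions(user_groups, changes):
    """Field-level enforcement: every written field is checked against the
    user's groups, whichever view the request came from. Unknown fields
    are denied by default, and the whole save is rejected rather than
    silently trimmed, so a bypass attempt shows up as an error."""
    groups = set(user_groups)
    denied = sorted(field for field in changes
                    if not FIELD_WRITE_PERMISSIONS.get(field, set()) & groups)
    if denied:
        return {"accepted": {}, "denied": denied}
    return {"accepted": dict(changes), "denied": []}


if __name__ == "__main__":
    user, admin = ["Public"], ["Public", "Administrator"]
    print(navigate(user, "Admin View"))  # honest navigation lands on User View
    # Constructed request that reaches the server without navigating at all.
    bypass = {"Status": "Closed", "Approval Override": "Yes"}
    print(save_curtain_only(user, bypass))       # accepted: the curtain did nothing
    print(save_with_permissions(user, bypass))   # denied: Approval Override
    print(save_with_permissions(admin, bypass))  # accepted for an administrator
```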