Security in cloned forms

Classic Servoy
1

Hi All!

I came across an interesting security issue that I am hoping Servoyans could help me figure out, like they always do :)

As soon as I started developing custom security for our multiwindow application I found that it’s not going to just work automagically.
The way our multiple windows work is by cloning the design form with all tabs and forms in it and showing the cloned forms.
The design-time forms are almost never shown.

So, in my security module I created a similar screen to one in the Servoy Security Provider Example that has the list of forms and their elements for me to set the ‘visible’ and ‘accessible’ flags on and off (for User Interface level security).
A very nice solution really.
However, after I set permissions on an element of a form (design-time form clearly) and cloned that form, permissions are not cloned with the element.

So my first question would be whether permissions on a cloned form’s elements are to be expected to transfer from the original form to the clone?

And if they are not, then some ideas on how to work around this problem would be highly appreciated. If there was a way to get ALL security settings or security settings for a form or element, then I could apply them to my clones as I spawn them. But I cannot seem to be able to find those… (except querying my permissions table in the database)

Am I missing something very simple here?

Cheers,
Maria

2

Ok.
So far I manage the UI-level security of cloned forms by duplicating permissions records of design-time forms and replacing ‘form_name’ and ‘element_uuid’ with relevant cloned form’s data.
Some processing is in place to figure out the cloned elements’ uuids, so I can apply security with security.setSecuritySettings() but that’s all right, works fine at this point :D

Cheers,
Maria

3

While we’re on it, I have another security question.

In Servoy Security Example there are two levels of permissions that the user can set up: UI and data.
I don’t exactly understand how the data level works.
I would imagine that if I set the default application-wide restriction on a table to only have the ‘read’ flag on, then the users won’t be allowed to delete, insert, update records from that table despite the ‘delete’ button is available.
But it doesn’t happen in the sample solution.
Perhaps I’m missing how data-level security is supposed to be used?

Cheers,
Maria

4

security is not cloned i think, you can create a case for this

data security should work as if you only can read for a specific group (and the user is only in that group) then it should be only allowed to read it.
I just tested this and it works for me

5

jcompagner:
security is not cloned i think, you can create a case for this

data security should work as if you only can read for a specific group (and the user is only in that group) then it should be only allowed to read it.
I just tested this and it works for me

Thanks, Johan! I’ll create a request for cloned permissions.

As for data security, may I show you how I set it up in servoy example solution so you could, please, point it out to me where I’m wrong?

Here is a screenshot of my security provider screens. What I aimed to do is have one application-wide restriction - no permissions on ‘users’ table, so no one can do anything with it, not even read.
Then I have two security keys, one to allow read, the other to allow read and update.
Two security groups: one is for read-only access, the other for read/update.
And my tenant ‘demo’ with three users: admin, medium and read.

[attachment=1]1.JPG[/attachment]

Below are screenshots of what group my users belong to: ‘admin’ can read and update, ‘read’ can read, ‘medium’ does not belong to any group, so application-wide permission is supposed to prevent him from reading the users data.

[attachment=0]5.JPG[/attachment]

However, when I log in as ‘medium’ I can do whatever I like with the users, read, update, delete, etc.
Is there anything wrong with my setup?

Appreciate your help a lot!

Cheers,
Maria

5.JPG
5.JPG1316×968 66.9 KB

1.JPG
1.JPG1276×921 89.7 KB

6

i don’t know these screens, i was just testing the basic servoy security
i had one user that belonged to 1 group and for that group i did say you can only read table X nothing more, then after i logged in as that user i couldn’t delete or update.

7

jcompagner:
i don’t know these screens, i was just testing the basic servoy security
i had one user that belonged to 1 group and for that group i did say you can only read table X nothing more, then after i logged in as that user i couldn’t delete or update.

Oh… Basic security works, Johan.
Unfortunately, we cannot just go with Servoy basic security, it needs to be customizable by the client from inside the solution, they need to be able to create permissions in the security module that I am developing now.
So I am using Servoy Security Example solution as an example.

I found my mistake: when setting permissions on a table I did not use the server name because I somehow assumed that if there’s only one server then it’s going to be picked up by default.
Put the server name in - works like a charm.
B-e-a-u-tiful! :D

Cheers,
Maria

8

Just to be sure: am I correct to say that security.setSecuritySettings(database) will only take effect before a form is loaded?
In my solution, I want to be able to change security settings depending on some logic (record values). Say, adding items to main record is only allowed if the main record’s property is true.

Or am I going to have to handle it via elements.myElement.enabled and elements.myElement.visible?

Cheers,
Maria

9

yes we apply security at creation time of the form, you can’t change it on the fly

10

jcompagner:
yes we apply security at creation time of the form, you can’t change it on the fly

Oh well, thanks Johan.
This is not planned to be changed any time soon or at all? (I can’t abandon hope easily :D )

Cheers,
Maria

11

Hi, Johan, Everyone.

Another problem with applying security through Servoy Security Engine and the problem is with forms that inherit their UI elements from other forms.

Let’s say I have childForm1, childForm2, childForm3 that inherit from parentForm and parentForm has button1, button2, button3 while child forms don’t have elements of their own.
My goal is to make button1 invisible on childForm2 but leave it alone on childForm1 and childForm3.
The visibility is set with the Servoy command security.setSecuritySettings(dataset);
where dataset is a set of rows with the first column being the UUID of an element (UUID of button2 in my example) and the visibility/accessibility flag: (settings[uuid].isVisible * JSSecurity.VIEWABLE)|(settings[uuid].isAccessible * JSSecurity.ACCESSIBLE).

This works fine with normal forms that have their own elements.

However, there seems to be no way to get the UUIDs of the elements on child forms to set button1’s visibility on childForm2 but not the other children.
I get the uuids with security.getElementUUIDs(formname) and if I put “childForm2” as the form name then the command only returns the uuid of the form itself.

Making button1 invisible on parentForm clearly hides it on all child forms.

Please help me out here.

Kind Regards,
Maria