security with multiple groups not working - help!

I have two solutions running on the same server. Users can have different rights in each solution, and I have created groups to cover all the combinations.

The user ‘guest’ is in the read-only group in both solutions (2 groups, read-only A and read-only B). I have carefully gone through and blocked forms and form elements this group is not allowed to see, and restricted access to the tables. This used to work, but today I have realised that when logging in as ‘guest’ the user now has full access rights to the solution, and can see and edit all the data. Servoy appears to be ignoring the security settings.

This is a major security problem, as the server is public access - can anyone suggest what might have gone wrong?

I have been using 2.2, upgraded to 2.2.1 today but still have the same problem.

Make sure “guest” is NOT a member of the admin group (i.e. click on “administrators” and UNCHECK “guest” and click “update”).

Thanks for your quick reply Bob.

User ‘guest’ is definitely NOT a member of the Administrators group. Just to make sure I added them to the group then removed them again, but still the same problem…

Any other ideas? I’m very anxious to resolve this ASAP before our data is compromised.

Have you tried the following:

File → Logout

Re-open solution - and enter the guest username and password?

Servoy will cache the last username/password (it’s a FEATURE) - so using the “logout” command will dump that cache and force a new login.

Thanks again, but yes, I have tried that and same problem persists… :(

A couple of thoughts:

  1. You’re testing on the machine you developed it on (or pointing to the same repository) - right? IF NOT - then you need to re-export your solution with the users and permissions - and then when you import - you need to allow it to overwrite those privileges.

  2. If not #1 - then open up security - click on the “group” and then click on “tables” and just verify that your settings are there. NOTE: You also have to click the “Update” button below after EVERY CHANGE - or they will not “take.”

Hope this helps.

Thanks again Bob.

I’m developing on my own computer and then uploading to the server to run, so different repositories. However, new versions are uploaded allowing the security permissions to be overwritten, so they are uniform. I have checked the settings on the server and both groups ‘user’ is in disallow any access to several tables and forms, yet they are still visible and fully accessible when you log in as ‘user’.

I have just tried removing ‘user’ from one of the groups, so it is now in only one group: the security settings now behave as expected, and appropriate forms are blocked. If I add it to the second group again, the problem reappears.

From this it seems that the problem is related to being in more than one group. Is this a bug?

Hmmmm… interesting.

Servoy tries to use the permissions with the highest privileges when a user is in multiple groups.

It’s a feature… :D

Servoy tries to use the permissions with the highest privileges when a user is in multiple groups.

Yes, that is what I was expecting. I have successfully used it that way before.

But in this instance, a user is in only two groups, both of which explicitly deny access to a particular table and related form, yet the user is given full access. I would have thought that the highest privilege in this case was no access.

Will be corrected in Servoy 2.2.3

Thanks very much, that’s done it! :)
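The "highest privilege wins" rule discussed in this thread, with a check for the symptom reported (a user seeing more than any of their groups grants), as an added example that is not part of the original posts and not Servoy code. The group names, table names and the bit-flag rights model are assumptions made for illustration, and the example says nothing about what caused the Servoy behaviour.

```python
from enum import IntFlag

class Access(IntFlag):
    NONE = 0
    READ = 1
    INSERT = 2
    UPDATE = 4
    DELETE = 8
    FULL = READ | INSERT | UPDATE | DELETE

# Constructed sample data (hypothetical names): group -> {table: rights}.
GROUP_RIGHTS = {
    "read_only_A": {"orders": Access.READ, "salaries": Access.NONE},
    "read_only_B": {"orders": Access.READ, "salaries": Access.NONE},
    "editors_A": {"orders": Access.READ | Access.UPDATE, "salaries": Access.NONE},
}
MEMBERSHIP = {
    "guest": ["read_only_A", "read_only_B"],
    "clerk": ["read_only_B", "editors_A"],
}

def effective(user, table, default=Access.NONE):
    """Highest-privilege merge: OR together each group's rights on the table.

    A group with no entry for the table contributes `default` (deny here),
    so a missing row can never widen access on its own.
    """
    rights = Access.NONE
    for group in MEMBERSHIP.get(user, []):
        rights |= GROUP_RIGHTS.get(group, {}).get(table, default)
    return rights

def audit(observed):
    """Return (user, table, excess) for every observed grant above the merge.

    observed: {(user, table): Access}, as measured by logging in as the user.
    """
    findings = []
    for (user, table), seen in observed.items():
        allowed = effective(user, table)
        excess = Access(int(seen) & ~int(allowed))
        if excess:
            findings.append((user, table, excess))
    return findings

if __name__ == "__main__":
    # Constructed observation matching the report: both groups deny, user sees all.
    print(audit({("guest", "salaries"): Access.FULL}))
```

Running the audit against rights actually observed in a test login after each import or upgrade catches this kind of regression before a public server exposes it.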