Gustav Brock
gustav at cactus.dk
Tue Nov 11 03:09:09 CST 2003
Hi John
I think Ken has a point here and that you maybe are overcomplicating
the task.
I mean - forms don't just open, and users don't unhide hidden forms;
how should they be able to do that when the developer has designed
menus and toolbars for his/her app?
Also, applying any form of security, light weight or not, the
developer will have to walk through the app from a to z and arrange
for modification of menus, buttons, labels ("Double click her to view
details") etc. If a button is labelled "Show details" on a form and it
should be disabled for certain users, he/she would need to either make
the button not visible or not enabled or pop up a message telling that
the user has been revoked rights to view the details; this I guess
would be beyond the goal of your LWS tool. Leaving the button as it is
and the user presses it and the details form just opens hidden is bad
UI design as the user has no chance for knowing what is going on other
than "it doesn't work".
/gustav
> Ken,
> I am writing a security utility aimed at other developers. It is designed
> to allow YOU (and me as a developer) to manage the presentation security of
> a database front end. IOW, what forms can a user / group open? View? Add
> records to? Delete records in? Edit records in? Etc.
> As you can see, I am not necessarily "in control of" the target FE at design
> time since the FE is YOURS. Why would you want to open a form not visible?
> Perhaps the form is a filter form that you use to feed values to a query.
> Perhaps the form has a timer ticking that performs some process. Perhaps...
> uh... I have no damned idea what else you might decide to do with a form
> that is open but that a selected group or groups of users are not allowed to
> see. I know that I personally use a hidden form to force a cleanup of my
> framework when the database closes. Since a form cannot close without it's
> OnClose firing, I use that to run a Terminate() function that closes
> everything gracefully. So not matter how the db closes, my term() function
> runs.
> I cannot allow the users to unhide that since it is a background processing
> form and they have no business there.
> In the end though, the answer is I don't know why any given developer is
> going to want to open a form that users can't see, I simply know that it
> happens and I need to provide the developer with a means of enforcing this
> security.
---
> 1. It escapes me why you would even want to manage an open, invisible form.
> If the user can't view it, then by far the simplist thing to do is not open
> it. Is there some other issue driving this need that you haven't elaborated
> on?