Expression-derived forms and rights

When I derive a form from an expression, e.g. Derive('MyView adorn tags { Frontend.Grid.RowCount = "6" }', 'Browse'), the Frontend seems to ignore the rights set on MyView; i.e. all users can see all the Add, Edit, Delete and View buttons regardless of their rights on the view. Is this working as intended?

Security and the Frontend

Hi Jon,

If the user does not have the right to manipulate the View (directly), then by default they should not be able to see the appropriate button(s). There is a table-level tag to control the visibility of the buttons in the presence of security:

Frontend.Secure = "visible | disabled | hidden"

The default is hidden.

Nathan Allan [Alphora]

View-level rights

Yes, this is working as designed. Security rights are intentionally not inferred in order to allow views to function as a security mechanism.

Bryn Rhodes
Database Consulting Group LLC

Re: View-level rights

I'm not sure what you mean. It doesn't seem to affect security, only UI. For instance, if a user does not have the Update right on MyView, the Edit button will be visible and enabled, but raise a security error. So in that sense, the rights are inferred, they're just not used by the frontend. Not inferring rights would mean either that the user has no rights on the expression, or all rights (bad idea), no? This mechanism seems a little half-assed, but it's no big deal---I can just avoid deriving forms from expressions more complicated than just a view if it has security restrictions.

Rights on Expressions

By not inferred, I mean that the rights applicable at the expression level are not known. The security is still enforced, but that is because the update is propagating back through the expression and security is enforced when that attempt is made. In other words, the security error is happening when the update propagates to the view, not when the update is initially issued against the expression. The security support (disabling and hiding of commands) in the Frontend works only if the derivation engine can determine that the expression is only a catalog identifier.

Bryn Rhodes
Database Consulting Group LLC