Model-driven apps and form security

By | May 23, 2019

Earlier today, we got a strange request from a user who was wondering why he kept getting an error message. We knew he should not be getting that error. After looking into it, though, we found that the form the user was working on was a regular form, and it did have a script error. We knew that form was broken, but we also knew the user was not supposed to see that form at all, since it had not been added to the model-driven application.

Fast forward – here is what it turned out to be:

  • There was an entity added to the application
  • That entity had multiple main forms, but only one of the forms was added to the application
  • The user experiencing that error was not given access to the form above through the security roles
  • Turned out the user was able to see all the other forms he had access to

Interestingly, once the user was granted access to the form, it became the only form he could see while working with the application. Problem solved.

But… Was it a bug? Was it a feature? I am not sure – it’s just something to keep in mind.

Actually, it’s easy to reproduce even with a System Admin account.

Here, I can see two forms:

image

Even though my “Simple App” only has one form for that Test entity:

image

And this is all because I did not give myself access to the form (yes, this is one of those cases where System Admins don’t get full permissions by default):

image

And, once I’ve enabled that form for System Customizer & System Administrator, here is what I see in the application:

image
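As an added example (not from the original post), here is a small Python model of the behaviour described above, used to audit which security roles would fall through to forms that are not part of an app. The form names, role names and the fallback rule as coded are assumptions based on the post's observations, not the platform's own implementation.

```python
# Constructed sample data: form names, role names and the app layout are
# hypothetical, not exported from a real environment.
ENTITY_MAIN_FORMS = {"Test": ["Information", "Broken Form"]}
APP_FORMS = {"Simple App": {"Test": ["Information"]}}
# Security roles each form is enabled for.
FORM_ROLES = {
    "Information": {"Salesperson"},
    "Broken Form": {"System Administrator", "System Customizer", "Salesperson"},
}


def visible_forms(app, entity, user_roles):
    """Model of the behaviour observed in the post (an assumption, not
    platform code): forms included in the app win when the user's roles
    allow at least one of them; otherwise the user is offered every other
    form of the entity that their roles allow."""
    allowed = [
        form for form in ENTITY_MAIN_FORMS[entity]
        if FORM_ROLES.get(form, set()) & user_roles
    ]
    in_app = [f for f in allowed if f in APP_FORMS[app].get(entity, [])]
    return in_app if in_app else allowed


def audit(app, roles_to_check):
    """Return (entity, role, leaked_forms) for every role that would be
    shown forms the app designer did not include in the app."""
    findings = []
    for entity, app_forms in APP_FORMS[app].items():
        for role in roles_to_check:
            shown = visible_forms(app, entity, {role})
            leaked = [f for f in shown if f not in app_forms]
            if leaked:
                findings.append((entity, role, leaked))
    return findings


if __name__ == "__main__":
    for entity, role, leaked in audit(
        "Simple App", ["System Administrator", "Salesperson"]
    ):
        print(f"{role} on {entity}: sees forms outside the app -> {leaked}")
```

Running a check like this against the real form-to-role assignments before publishing an app shows which roles need to be enabled on the app's form so that users are not shown forms left out of the app.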
