Hide/Show - security issues

Hello,

My question is pretty straightforward: is hide/show a good “security tool” for preventing users from accessing some data?
For example: I have a group element which is shown/hidden conditionally based on a user Role. Will a user without the proper role still somehow (for example: with Wireshark) access the hidden element?

I’d actually be curious to know this as well!

One way to test would be to set a group to not visible on load, then inspect the HTML to see if the data contained in it is still there.

You should set up some privacy roles as well. These are enforced on the server, while show/hide are on the client, which isn’t safe.

@emmanuel correct me if I’m wrong, but privacy settings are related to Data, not to the elements themselves.
And if I’m trying to hide some elements (like text) or even restrict access to some web page, what’s the best approach?

That’s correct, but as you think about security, you think about what elements display, and this is data. A smart user can inspect the page and show some elements that were hidden initially, and there is nothing you can do about that. But adding security rules will make sure that, if they do that, they won’t see something they shouldn’t see.

2 Likes

@emmanuel - makes sense. Thanks!

Pardon me, but I don’t get it.
Let me make the task easier: I have a group with some elements in it (text boxes, images, etc.). The elements inside this group are static and filled manually, not with dynamic data from the database. And the question is: what’s the most efficient approach to hide such a group from a specific user?

Well then it’s a condition on the element, as you were initially suggesting. There is no security issue here.

I just want to be 100%.
So if I have a group which is not visible on a page load:

And a condition for this group set to:


Then only a User with type Admin can see and access (get data from) the elements inside this group.
Is that correct?

Yes, but you should also enforce the rules in the data tab to make sure that IF some data is displayed in the group, it’s also not visible to non admins.

1 Like
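The two points made above (show/hide is decided on the client, while privacy rules are enforced on the server, and data rules must be in place even when an element is hidden) can be shown side by side in a few lines. The following is an added example, not code from the thread or from any particular platform: it contrasts a page that always renders the restricted text and merely hides it, with a page and a data endpoint that only emit the text after a server-side role check. User names, the role values and the restricted string are constructed for illustration.

```javascript
// Added example (not part of the original thread). Everything below is
// constructed: users, roles and the restricted text are placeholders.

const ADMIN_ONLY_TEXT = "Restricted figure: [CONSTRUCTED PLACEHOLDER]";

// Constructed sample users, one per role.
const users = {
  alice: { name: "alice", role: "Admin" },
  bob: { name: "bob", role: "User" },
};

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Weak pattern: the element is always rendered; only its visibility
// depends on the role. Everyone who receives the response has the data,
// whatever the browser displays.
function renderWithClientHide(user) {
  const hidden = user.role !== "Admin";
  return [
    "<html><body>",
    `<p>Hello ${escapeHtml(user.name)}</p>`,
    `<div id="admin-panel"${hidden ? ' style="display:none"' : ""}>`,
    `  ${escapeHtml(ADMIN_ONLY_TEXT)}`,
    "</div>",
    "</body></html>",
  ].join("\n");
}

// Hardened pattern: the server decides whether the data leaves at all.
// A non-admin response simply contains no admin panel.
function renderWithServerCheck(user) {
  const parts = ["<html><body>", `<p>Hello ${escapeHtml(user.name)}</p>`];
  if (user.role === "Admin") {
    parts.push(`<div id="admin-panel">${escapeHtml(ADMIN_ONLY_TEXT)}</div>`);
  }
  parts.push("</body></html>");
  return parts.join("\n");
}

// Data-layer rule, independent of any page: the same check applied to the
// record itself, so a hidden element that later binds to this data still
// gets nothing for a non-admin. Returns null when access is denied.
function readAdminRecord(user) {
  if (user.role !== "Admin") return null;
  return { text: ADMIN_ONLY_TEXT };
}

// Defender's check: does the response body carry the restricted text at all?
// This is what "inspect the HTML" in the thread boils down to.
function responseLeaksAdminText(html) {
  return html.includes(escapeHtml(ADMIN_ONLY_TEXT));
}

// Stand-alone run: print whether each pattern leaks for each user.
if (typeof require !== "undefined" && require.main === module) {
  for (const user of Object.values(users)) {
    console.log(
      `${user.name.padEnd(6)} client-hide leaks: ${responseLeaksAdminText(
        renderWithClientHide(user)
      )}  server-check leaks: ${responseLeaksAdminText(
        renderWithServerCheck(user)
      )}  data rule returns: ${JSON.stringify(readAdminRecord(user))}`
    );
  }
}
```

The `responseLeaksAdminText` check is the useful habit: judge a control by what the server sends, not by what the screen shows. For the non-admin user the client-hide page still carries the restricted text, while the server-checked page and the data rule both return nothing.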

Thank you for clarification.