Security concerns

Hi (again),

Views allow the use of hideIf/readonlyIf with JS expressions. Is there any server-side enforcement of such constraints (hidden panels’ fields shouldn’t be allowed to be submitted, readonly ones too)?


hideIf/readonlyIf are client-side expressions that allow showing/hiding components depending on the records. Moreover, we can hide a panel by default and later display it with an action, so the fields need to be submitted.

You can add an if attribute on the component: <panel-related field="o2mField" if="some_expression"/> only uses this widget if the given expression is true. Or use field permissions.


Hi @beuss,

What are your functional requirements?
You would like to deny access to some fields for some roles?

You are talking about UI but using the REST API I think that anyone (with good knowledge) can override any UI restriction/hide.
From my point of view, if you need to deny access to some fields, the only way to achieve this is to create a role with granular grants, field by field.

Maybe if a “deny” permission existed you could just add it to some forbidden fields, but unfortunately it’s not the case.
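
The point made in this thread, that hideIf/readonlyIf only affect the UI and that field access has to be enforced on the server through per-role field grants, sketched as an added example. It is not part of any post above and does not use Axelor's API; the role names, field names and function names are constructed for illustration.

```python
# Added illustration: framework-agnostic, not Axelor's API.
# Constructed per-role field grants: field -> set of allowed operations.
ROLE_GRANTS = {
    "sales": {"name": {"read", "write"}, "email": {"read", "write"},
              "creditLimit": {"read"}},            # readonly for this role
    "accounting": {"name": {"read"}, "email": {"read"},
                   "creditLimit": {"read", "write"},
                   "internalNote": {"read", "write"}},
}


class FieldAccessError(Exception):
    """Raised when a payload touches fields the role may not write."""
    def __init__(self, fields):
        super().__init__("write denied for: " + ", ".join(sorted(fields)))
        self.fields = sorted(fields)


def check_update(role, stored, payload):
    """Return the changes to persist, or raise FieldAccessError.

    A field echoed back unchanged is tolerated when the role can read it
    (forms often resubmit readonly values). Any other field without a
    write grant is rejected rather than silently dropped, so the attempt
    is visible to the caller and can be logged.
    """
    grants = ROLE_GRANTS.get(role, {})    # unknown role: default deny
    changes, denied = {}, set()
    for field, value in payload.items():
        ops = grants.get(field, set())
        if "write" in ops:
            if stored.get(field) != value:
                changes[field] = value
        elif "read" in ops and field in stored and stored[field] == value:
            continue                       # unchanged readonly echo
        else:
            denied.add(field)
    if denied:
        raise FieldAccessError(denied)
    return changes


def project_for_read(role, stored):
    """Strip fields the role cannot read before a record leaves the server."""
    grants = ROLE_GRANTS.get(role, {})
    return {f: v for f, v in stored.items() if "read" in grants.get(f, set())}
```

The check runs on every write request regardless of which view produced it, so a request sent straight to the REST endpoint is held to the same grants as the form.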