Show/Hide componentes on the go, safest way?

Show/Hide componentes on the go, safest way?

  

Hi,


Some days ago, I got to read around here that relying on Visible and Enabled properties is not 100% sure as some advanced users may make their way to these hidden componentes through their browser's inspector tools.


Requeriments: Safety is my first priority.


Target: Get 3 ShowRecord components that are enabled but hidden by default and will be shown once certain button ( one button for each ShowRecord component) is pressed.


Possible fix: Through the same posts, someone suggested using IFs conditions together with containers so that it will end up like this:


- If component with a "Hidden" boolean which is set to true by default. The "true" value of the container has nothing while the "false" container has the ShowRecord I'm willing to show. Am I right? Is this safe? Can this get "broken" through inspector tools?


Keep in mind that safety is my first priority so anything you're about to suggest, make sure is inspector tools safe.


PS: I do know that a proper web site should have safety checks on both client and server site, please, ignore client/server checks and keep focused on the main topic of the post.


Cheers.

Solution

Hi,

The IF widget to safely hide components is the best solution because the condition is evaluated server-side and the information in the branch not show is not rendered on the browser, therefore, impossible to access using inspector tools.

On the other hand, using the Display (sets display:none) and Enabled (disables input if false) properties, like you said, an experienced user can through the browser's inspector change these properties and access the information you don't want available.

Cheers,

João

Solution

Hi Jordi,

If you keep your components inside If, only part which is True will be rendered and advance users cannot go through the container of part which is not being shown on page through inspector. So according to me this is safe.

Thank you so much for your quick answers!


Jordi Gisbert Ponsoda wrote:

Hi,


Some days ago, I got to read around here that relying on Visible and Enabled properties is not 100% sure as some advanced users may make their way to these hidden componentes through their browser's inspector tools.

Hi Jordi,

Visible and Enabled properties are 100% sure if you know what they do :-)

There is an excellent article on this matter by Justin James (a fellow MVP).

Take a look at it and please tell us if it helped you understand those properties.


https://medium.com/@jmjames/visible-and-display-do-different-things-212457546561


Cheers,

João Heleno

Hi Jordi,


The disadvantage of the IF widget to hide the components, in my opinion, is that it make a server request mandatory when that condition changes instead of changing it via javascript. 

But you can do it via ajax refresh which should be a better experience for the user.


Abílio Matos

Abilio Matos wrote:

Hi Jordi,


The disadvantage of the IF widget to hide the components, in my opinion, is that it make a server request mandatory when that condition changes instead of changing it via javascript. 

But you can do it via ajax refresh which should be a better experience for the user.


Abílio Matos

If, like Jordi says, "security is first priority" the IF is the safest option.

It will guarantee that what shouldn't appear in the screen won't even be rendered in the client side. So nothing to be tampered with...

Also, an ajax refresh always makes a server request.


João Heleno wrote:

Jordi Gisbert Ponsoda wrote:

Hi,


Some days ago, I got to read around here that relying on Visible and Enabled properties is not 100% sure as some advanced users may make their way to these hidden componentes through their browser's inspector tools.

Hi Jordi,

Visible and Enabled properties are 100% sure if you know what they do :-)

There is an excellent article on this matter by Justin James (a fellow MVP).

Take a look at it and please tell us if it helped you understand those properties.


https://medium.com/@jmjames/visible-and-display-do-different-things-212457546561


Cheers,

João Heleno


Hi João,

I'm glad you linked me with such great information, every single new concept I get to know is welcome to thank you for the provided link!


As for my case, they won't do the trick for what I need.


Cheers,

Jordi.

João Heleno wrote:

Abilio Matos wrote:

Hi Jordi,


The disadvantage of the IF widget to hide the components, in my opinion, is that it make a server request mandatory when that condition changes instead of changing it via javascript. 

But you can do it via ajax refresh which should be a better experience for the user.


Abílio Matos

If, like Jordi says, "security is first priority" the IF is the safest option.

It will guarantee that what shouldn't appear in the screen won't even be rendered in the client side. So nothing to be tampered with...

Also, an ajax refresh always makes a server request.



Just to know what's happening on the server side, what's being reloaded or requested on that server request?