Tagged: dffs security permissions
August 11, 2018 at 13:34 #21784
First, I wanted to say great job with DFFS. Talk about one heck of a powerful tool.
DFFS saves all of its settings/configurations in a list. In order for any user to be able to use a list that is configured with DFFS, they must have, at minimum, read access to the list items in the DFFS list that contains the settings/configurations for it.
- You cannot remove read permission from the DFFS list because the user needs it for DFFS to be able to read it.
- You can “hide” the list view web part using targeted audience settings but this is a rather weak control as any user with programming knowledge can use REST/SOAP to retrieve the data from the site/list.
- You can hide the entire list from the browser but you can still pull data from it using SOAP/REST.
Any other ideas/thoughts?
How can we secure the DFFS list so users cannot read data from it while still using lists that are configured with DFFS.
August 11, 2018 at 15:20 #21786
Thanks for the beer!
If you restrict the regular users so they only have read access to the configuration list, I believe you should be OK because the contents of the configuration doesn’t contain any list data from the forms filled in with DFFS – it’s only the field names and configuration for tabs, rules and Custom JS etc. used to build the form and nothing that can reveal the actual contents of the list items in the DFFS enabled lists.
Let me know if you have any further questions.
August 11, 2018 at 18:52 #21794
The issue is that there is a requirement to hide the configuration/settings from the user. I know there is nothing dangerous/risky but that is the requirement we have.
August 11, 2018 at 19:47 #21796
I cannot really see why this requirement would apply to DFFS as no compromising data is served from the configuration list. It would be another matter if the actual form contents was saved in this “blob” and was accessible in the list.
Just to clarify in case your super needs it: In case you for example set item level security on a list item in your DFFS enabled list, there is no way to get access to the form contents trough the configuration list.
August 11, 2018 at 20:18 #21798
I thought I’d check with you to get your perspective on this. I appreciate your help sir.
March 6, 2019 at 19:13 #24161Jon WhismanParticipant
Not sure if this would help, but would using an obfuscator on your JS code help the matter to scramble the code a bit more and secure it further?
March 7, 2019 at 04:17 #24180
Unfortunately no. Obfuscation is not, unfortunately, enough of a control to meet the requirement. :/
March 7, 2019 at 19:37 #24198
Because all users must have read access here, the best I can think of is to hide the configuration list (hidden from all site content) by using the controls in the Misc tab in the DFFS backend configuration.
This will however not prevent anyone who knows the name of the list form typing in the address, so you would also need to edit the AllItems.aspx list view to remove all items – for example by setting a filter like “ID is equal to 0”.
This way only uses who use custom code to query the list will be able to see its contents.
March 8, 2019 at 02:46 #24210
Thanks Alexander! We’re also looking at other ways to accomplish this. I’ll report back my findings if we have anything worth reporting.
- You must be logged in to reply to this topic.