Security the Basics

Lesson 13: Access Control

Access control means giving users the rights they need to do their work and nothing more: they can do what they need to, and they are blocked from doing anything else (the principle of least privilege).

Example - a button in a web application should only be usable by certain users.

  • Option 1 – Set pbVisible to False for users who are not meant to see it. This hides the button, but it is still present in the page. This is problematic because anyone with browser developer tools can make it visible again and click it.
  • Option 2 – Set pbRender to False. The button is then not rendered at all, which is better than hiding it, but it is still only a client-side measure, so it does not fully work on its own.
  • Option 3 – When OnClick is triggered, check the user's rights on the server to confirm that the user is allowed to use the button.
    • Best method: the decision is made on the server, where the user cannot tamper with it. Options 1 and 2 can still be used to tidy up the user interface, but never as the only check.
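As an added example (not code from the lesson or the DataFlex framework), the button below keeps pbRender as a cosmetic measure but makes the real decision in OnClick on the server. UserHasRight, ghoWebSessionManager as its host, the right name "DeleteCustomer" and DeleteCustomer of oCustomerView are assumed helper names for this illustration, not framework API.

```dataflex
// Added example, not from the lesson. cWebButton, pbRender, OnClick and
// ShowInfoBox are framework names; UserHasRight, "DeleteCustomer" and
// DeleteCustomer of oCustomerView are assumed for this illustration.
Object oDeleteButton is a cWebButton
    Set psCaption to "Delete customer"

    // Cosmetic only: not rendering the button tidies the UI for users without
    // the right, but a client can still target the server-side handler.
    Set pbRender to False

    Procedure OnClick
        Boolean bAllowed

        // Authoritative check, on the server, on every click.
        Get UserHasRight of ghoWebSessionManager "DeleteCustomer" to bAllowed
        If (not(bAllowed)) Begin
            Send ShowInfoBox of ghoWebApp "You are not authorized to delete customers."
            Procedure_Return
        End

        // Only reached when the server has confirmed the right.
        Send DeleteCustomer of oCustomerView
    End_Procedure
End_Object
```

The point of the pattern is that the same right is checked in the handler that performs the action, so removing, unhiding or re-creating the button in the browser changes nothing about what the server will do.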

Another consideration in web applications is web properties. Client-side web properties are synchronised to the browser, so a user can change their values in the browser and send the changed values back to the server; in other words, client-side web properties can be manipulated and must be treated as untrusted input. Server-side web properties avoid this. They are never sent to the client but are stored with the session on the server, and on every call to the server they are retrieved and available. Keeping anything the server relies on (record identifiers, rights, workflow state) in server-side web properties makes an application much more secure.

There are two further hooks. AllowedAccess is a view function that checks whether the current user may open the view. It is called before the view is loaded, including when the view is opened through a URL (the URL features), so a user cannot bypass the menu by typing the address directly. OnChangeRights is used with the menu; the session manager triggers it automatically when a user logs in or out, so menu entries can show or hide themselves according to the current rights.
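As an added example covering both the web-property paragraph and the AllowedAccess / OnChangeRights paragraph (not code from the lesson or the framework): a view that keeps its working record id in a server-side web property, refuses to load for users without a right, and a menu item that hides itself when rights change. The { WebProperty=Server } attribute, cWebView, cWebMenuItem, psLoadViewOnClick, WebGet and WebSet are framework names as I know them; UserHasRight on ghoWebSessionManager and the right name "ViewSalaries" are assumed helper names for this illustration.

```dataflex
// Added example, not from the lesson. UserHasRight and "ViewSalaries" are
// assumed helpers for the illustration, not DataFlex framework API.
Object oSalaryView is a cWebView
    Set psCaption to "Salaries"

    // Server-side web property: stored with the session on the server and
    // never sent to the browser, so the client can neither read nor rewrite
    // it. A { WebProperty=Client } property would be round-tripped through
    // the browser and could be altered there before being sent back.
    { WebProperty=Server }
    Property Integer piEmployeeId 0

    // Called before the view is loaded, also when it is opened via a URL.
    Function AllowedAccess Returns Boolean
        Boolean bAllowed
        Get UserHasRight of ghoWebSessionManager "ViewSalaries" to bAllowed
        Function_Return bAllowed
    End_Function

    // Any server-side action takes the employee id from the server-side
    // property, never from a value supplied by the client.
    Procedure ShowCurrentEmployee
        Integer iEmployeeId
        WebGet piEmployeeId to iEmployeeId
        Send ShowInfoBox of ghoWebApp ("Showing employee " + String(iEmployeeId))
    End_Procedure
End_Object

Object oSalaryMenuItem is a cWebMenuItem
    Set psCaption to "Salaries"
    Set psLoadViewOnClick to "oSalaryView"

    // Triggered by the session manager on login and logout: hide the entry
    // for users without the right. Cosmetic; AllowedAccess above is the
    // check that actually protects the view.
    Procedure OnChangeRights
        Boolean bAllowed
        Get UserHasRight of ghoWebSessionManager "ViewSalaries" to bAllowed
        WebSet pbRender to bAllowed
    End_Procedure
End_Object
```

The menu item and the view check the same right, but only AllowedAccess is authoritative: a user who knows the view's URL still has to pass it, and a user who tampers with pbRender in the browser gains nothing.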