
What should be the best approach to hide a button or any ui control in sapui5?

suman_kumar16
Participant
0 Kudos

Hi Friends,

I want to hide a button on my view based on some back-end condition or role. Currently I can hide the button by binding a model property and setting the respective value, but the user is able to revert the visibility property by using F12 (Developer mode) in Chrome. So what is the best way to handle this kind of issue?

Thanks

Suman Kumar

Accepted Solutions (1)

former_member186734
Active Participant

What does this button do? Why you want to keep it hidden from the user?

These might seem silly questions, but in fact they are important ones. If you have an action (let's say a DELETE action on the model) that this button triggers, then hiding it will not solve the problem AT ALL. If someone is smart enough to go through F12 and make this button appear, they might as well simply execute the DELETE HTTP method via Postman or even via the Google Dev Tools console.

Hiding a button in a web application is like having a hidden button that opens the safe without the key: it's just security through obscurity, which by itself is an antipattern.

You should implement the security check back in your model, not in your view.

Bruno

suman_kumar16
Participant
0 Kudos

Thanks for the reply bruno.lucattelli.

You mean developers (read: back-end) must take care of the business functionality of the button in this case; if the button is hidden from the user, then the back-end developer must put the same condition in place to avoid the conflict. Am I right?

Thanks

former_member186734
Active Participant

Yes, you got it!

Answers (1)

ericci
Active Contributor

Hi Suman, like everything on the web you have two different sides:

  • Frontend side
  • Backend side

and I think that for safety you should always double check them (even if you think it's redundant).

So my suggestion is:

  • hide/disable the button on your UI
  • prevent the user from committing CRUD operations from JS if he's not allowed
  • prevent the user from committing CRUD ops directly on the backend (checking if he has the correct role)

Ema.
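The three layers Ema lists, as an added example that is not code from the thread: plain JavaScript standing in for the SAPUI5 view model, the controller's press handler and the backend handler, so it runs without the UI5 runtime. The role names, `buildViewModel`, `onDeletePress` and `handleDelete` are hypothetical; the point is that the backend derives the permission from its own session, so flipping the binding in DevTools only gets past the UI check.

```javascript
// Layer 3: backend authorization. The role comes from the server-side
// session, never from anything the browser sends (hypothetical roles).
const ROLE_PERMISSIONS = {
  admin: new Set(["read", "delete"]),
  viewer: new Set(["read"]),
};

function serverCanPerform(session, action) {
  const perms = ROLE_PERMISSIONS[session.role] || new Set();
  return perms.has(action);
}

// Backend DELETE handler. `body.canDelete` is whatever the client claims;
// it is deliberately ignored, only the session role decides.
function handleDelete(session, body) {
  if (!serverCanPerform(session, "delete")) {
    return { status: 403, deleted: false };
  }
  return { status: 204, deleted: true };
}

// Layer 1: the view model the button is bound to, e.g.
// <Button visible="{view>/canDelete}" .../> in the XML view. The server
// fills it from the same role check, so UI and backend agree.
function buildViewModel(session) {
  return { canDelete: serverCanPerform(session, "delete") };
}

// Layer 2: the controller's press handler re-checks the model before
// calling the backend. Editing the model in DevTools bypasses this step
// and nothing more.
function onDeletePress(viewModel, session) {
  if (!viewModel.canDelete) {
    return { status: "blocked-by-ui", deleted: false };
  }
  return handleDelete(session, { canDelete: viewModel.canDelete });
}

// Constructed scenario: a viewer flips the binding with F12 and presses.
function tamperedDeleteAttempt() {
  const session = { user: "suman", role: "viewer" }; // constructed session
  const model = buildViewModel(session);            // { canDelete: false }
  model.canDelete = true;                           // DevTools edit
  return onDeletePress(model, session);             // backend answers 403
}
```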

suman_kumar16
Participant
0 Kudos

Yes, I got it, thanks.