
What should be the best approach to hide a button or any ui control in sapui5?

Feb 20 at 09:35 AM



Hi Friends,

I want to hide a button on my view based on some back-end condition or role. Currently I can hide the button by binding a model property and setting the respective value. But the user is able to revert the visibility property by using F12 (Developer mode) in Chrome. So what is the best way to handle this kind of issue?


Suman Kumar


2 Answers

Best Answer
Bruno Lucattelli
Feb 20 at 11:20 AM

What does this button do? Why do you want to keep it hidden from the user?

These might seem silly questions, but in fact are important ones. If you have an action (let's say a DELETE action on the model) that this button triggers, then hiding it will not solve the problem AT ALL. If someone is smart enough to go through F12 and make this button appear, they might as well simply execute the DELETE HTTP method via Postman or even by Google Dev Tools console.

Hiding a button in a web application is like having a hidden button that opens the safe without the key: it's just security through obscurity, which by itself is an antipattern.

You should implement the security check back in your model, not in your view.



Thanks for the reply, Bruno Lucattelli.

You mean developers (read: back-end) must take care of the business functionality of the button in this case; if the button is hidden from the user, then the back-end developer must put the same condition to avoid the conflict. Am I right?



Yes, you got it!

Emanuele Ricci Feb 20 at 02:12 PM

Hi Suman, like everything on the web you have two different sides:

  • Frontend side
  • Backend side

and I think that for safety you should always double check them (even if you think it's redundant).

So my suggestion is:

  • hide/disable the button on your UI
  • prevent the user from committing CRUD operations from JS if he's not allowed
  • prevent the user from committing CRUD ops directly on the backend (checking if he has the correct role)



Yes, I got it, thanks.
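
The layering both answers describe, as an added example that is not part of the original thread or of SAPUI5 itself: the server decides from its own session data, and the flag the view binds `visible` to is only derived from that decision. The policy table, session store, entity name `Orders` and all function names are constructed for illustration.

```javascript
// Constructed policy: roles allowed to perform each action on each entity.
const POLICY = {
  "Orders:DELETE": ["admin"],
  "Orders:READ": ["admin", "clerk"],
};

// Constructed session store standing in for the server's own session lookup.
const SESSIONS = {
  "sess-admin": { user: "alice", roles: ["admin"] },
  "sess-clerk": { user: "bob", roles: ["clerk"] },
};

// Single source of truth for the authorization decision (deny by default).
function isAllowed(session, entity, action) {
  const allowed = POLICY[`${entity}:${action}`] || [];
  return Boolean(session) && session.roles.some((r) => allowed.includes(r));
}

// Server-side handler: the decision uses only the server-held session,
// never anything the client claims about its role or button visibility.
function handleRequest(req) {
  const session = SESSIONS[req.sessionId];
  if (!session) return { status: 401, body: "not authenticated" };
  if (!isAllowed(session, req.entity, req.action)) {
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: `${req.action} on ${req.entity} done` };
}

// Flags the front end can bind `visible` to. Purely cosmetic: flipping
// them in the browser changes what is drawn, not what handleRequest allows.
function uiFlags(sessionId) {
  return { deleteVisible: isAllowed(SESSIONS[sessionId], "Orders", "DELETE") };
}

// A clerk who un-hides the button (or calls the endpoint directly) and
// sends extra client-side claims still gets 403.
const forced = handleRequest({
  sessionId: "sess-clerk", entity: "Orders", action: "DELETE",
  clientClaims: { deleteVisible: true, role: "admin" }, // ignored by server
});
console.log(uiFlags("sess-clerk"), forced.status); // { deleteVisible: false } 403
console.log(uiFlags("sess-admin"),
  handleRequest({ sessionId: "sess-admin", entity: "Orders", action: "DELETE" }).status);
```
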