Dropdown Hide Option

Is there a way to specify an option in the options array to be hidden? I would like to be able to configure what's available in the dropdown based on who's logged in by simply hiding a few of the options. I know I could do a script transform to not include those items in the options list based on who's logged in, but just wanted to check before I begin work on that.

I now see that there is an isDisabled property that can be added to each item in the options array. It doesn't "hide" the option, but it still provides the same functionality.

Keep in mind disabling an option or hiding it from the dropdown is only making it harder to set from the frontend. If you don't have any backend validation, a malicious user can still send the wrong value through from the session.

2 Likes

Can you elaborate further?

Basically - it's trivial for a motivated end user to write whatever value they feel like from the session they have running, especially in a web browser. The first step to preventing that is access controls - don't even allow a (potentially) malicious actor to get to the views/controls that can do anything dangerous. A second step is to validate any input coming from the frontend for 'sanity' before doing anything with it. Because Perspective scripts and expressions are evaluated on the backend (the gateway itself), you can trust their output, but you should always be cognizant of where your data is coming from and how much of a problem it would be for you if someone saw something they shouldn't/wrote to something they shouldn't be able to/etc.

2 Likes

I guess I don't really know how somebody would accomplish such a thing from the frontend, and you can't explain further here for obvious reasons. This is a closed, offline system so I'm not too worried about that.

Trivial with the right tools, like GreaseMonkey.

Browsers, and anything that pretends to be one, are fundamentally untrustable.

1 Like