Additional security for views or fields

While we do not have MFA, my client required that certain views asked for additional validation. This was in the form of an accesscode that was placed in the userattributes object. When a user accesses the particular view they are prompted to enter the accesscode they have been given; if it is correct the view displays, if not then it hides the view. I am sure there are better programmers than me out there that would tweak it but I like keeping it simple, especially for the newbies.
This small routine prompts the user for input and then compares it to a field within the getUserAttributes. If they do not match it hides the view.

This could also be used at the field level.

This allows some additional security on a view that contains sensitive information. Yes, you could do this by user role, but that is annoying when not all users should be in a role yet they may need to access a section of data. If you have a policy that they change their accesscode at the same time as their password, this would add additional strength.

$(document).on('knack-view-render.view_XX', function (event, view, data) {
    // Hide the view first so it is not displayed before the code is checked
    $('.view_XX').hide();

    // prompt() returns null if the user cancels, which will not match the stored code
    let accesscode = prompt("Please enter your verification code", "");

    // field_x is the field number holding the access code on the user's account
    if (Knack.getUserAttributes().values.field_x !== accesscode) {
        $('.view_XX').hide(); // Hide if invalid code
    } else {
        $('.view_XX').show(); // Show if valid code
    }
});

Hi Peter

This could also be done with page rules, which I would suggest as your way isn't secure. Hiding a view means it is still accessible in the DOM, making it reasonably easy for someone to bypass your code.

With page rules you have access to any field in the accounts object, i.e. Specific Names or any other field, not just user roles.

Craig

Craig

Page rules require you to compare the accesscode, in their account table, to an inputted code. How can a page rule prompt for the code? If it can, that would be great.

Could you also explain how they can bypass my code, the page is protected by a login and user profile before they get to the additional code, which is an additional check. I am not being funny just curious so I can try and protect against any vulnerabilities.

Thanks

Pete

Hi Pete

It depends on how sensitive the data you are hiding is to your users. I only brought it up because your title for this post specifically said Security.

If the data you are hiding is being hidden because it's sensitive to the users you are hiding it from, just using $.hide() will mean that any of your users, with access to that page, could potentially bypass your code and show the view. I just wanted the forum to know that hiding something using $.hide() is not secure.

A user could use Chrome dev tools to set the CSS of the element you are hiding from display: none, which is what $.hide() sets the element to, to any other property of display i.e. block. This will show the view without the need to enter a password.

Craig
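
The difference Craig describes, as an added example that is not part of the thread and is not Knack's own code: it models the two designs with constructed data and hypothetical function names, and includes the check a reviewer would run on a captured response body. It runs in Node without a browser.

```javascript
// Added example. All names and data below are constructed for illustration.
const RECORDS = [{ name: "Constructed Person", salary: "98,500" }];

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderRows(records) {
  return records
    .map((r) => `<tr><td>${escapeHtml(r.name)}</td><td>${escapeHtml(r.salary)}</td></tr>`)
    .join("");
}

// Design A: the pattern from the original post. Every row is sent to the
// browser and the view is only hidden with CSS until the prompt matches.
function respondClientGated(records) {
  return `<div class="view_XX" style="display: none"><table>${renderRows(records)}</table></div>`;
}

// Compare codes without stopping at the first mismatching character, so the
// time taken does not reveal how much of the code was right.
function codesMatch(submitted, stored) {
  const a = String(submitted);
  const b = String(stored);
  let diff = a.length ^ b.length;
  for (let i = 0; i < b.length; i++) {
    diff |= (a.charCodeAt(i % (a.length || 1)) || 0) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Design B: the server checks the code and only then puts rows in the response.
function respondServerGated(records, submittedCode, storedCode) {
  if (!codesMatch(submittedCode, storedCode)) {
    return { status: 403, body: `<div class="view_XX">Verification failed</div>` };
  }
  return { status: 200, body: `<div class="view_XX"><table>${renderRows(records)}</table></div>` };
}

// Reviewer's check: is the sensitive value in the bytes that were sent,
// regardless of whether CSS currently displays it?
function bodyContains(body, value) {
  return body.includes(escapeHtml(value));
}
```

With Design A the value is in the response whether or not the code was entered; with Design B a failed check returns a body that never contained it.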

Craig

Thanks for the response. Appreciate it.

Pete