Is there a way to disable the Button option in the "New Sheet Object" dialog when using a native QlikView application from AccessPoint? We are using QlikView 12.50 SR3, and our Security Team found out that the button action's "External" event has a File Path Traversal vulnerability that could be exploited by a malicious user. I know that the "New Sheet Object" dialog can be disabled from the Sheet Properties, but I am not sure if there is a way to disable only the Button option, because disabling the whole dialog is not acceptable for many users of the QV application.
I do remember that there were a few postings about adjusting the context menu and also the menu bar to exclude some options. But AFAIK there are no native customizing options for it; instead it would require a direct manipulation of the various htm/js files of the access point, which is probably not particularly difficult for an advanced web developer - at least from a technical point of view.
Administratively it should be well considered - the original files need to be backed up, and with each release change it must be recovered and tested. More relevant would be that such an approach would be working globally. Better than this might be to control the capability to access/create server objects within the QMC on a user level for each application.
Do you know where those htm/js files are located? Although at the context menu level I may only be able to disable or hide the New Sheet Object menu item and not the Button option in the dialog. That can already be done in the Sheet Properties.
These files reside within your install folder of QlikView in the sub-folder Web. Before playing with the files, make sure that there are backups to be able to restore the previous state.
Another investigation might be not to disable the new object itself but instead to disable the usage of buttons within the object list. It's very rare within the development of an application that buttons, or rather the associated actions, would provide an added value, and even more seldom as a user feature within the access point.