Hidden does not mean secure

If you have ever had to customise an entity form in Dynamics 365, you will likely have hidden a field, marked a field as business required and possibly even made a field read-only. Did you know, however, that most users can reverse all of these? Just because a field is not visible on the form does not mean the user cannot find its value or edit it.

Here is a very simple account form customisation with one field required and one field read-only. Between these there is also a field that is not visible by default. Compare the 2 screenshots below and you will see the difference.

A simple account entity form customised to make a field required, one hidden and one read-only

Custom fields are now not required, read-only or hidden

What happened?!

You must always remember that the Dynamics system is simply a series of web pages, and with a modern browser and a little know-how any user can run the code below to undo your hard work.

  // The form is loaded inside one or more iframes, so walk every frame.
  // Frames without an Xrm object throw, and the try/catch simply skips them.

  // Show all fields
  for (var i = 0; i < frames.length; i++) {
    try {
      frames[i].Xrm.Page.ui.controls.forEach(function(control) {
        control.setVisible(true);
      });
    } catch (e) {  }
  }

  // Make all fields editable
  for (var i = 0; i < frames.length; i++) {
    try {
      frames[i].Xrm.Page.ui.controls.forEach(function(control) {
        control.setDisabled(false);
      });
    } catch (e) {  }
  }

  // Mark all fields as optional (required level is set on the attribute, not the control)
  for (var i = 0; i < frames.length; i++) {
    try {
      frames[i].Xrm.Page.data.entity.attributes.forEach(function(attribute) {
        attribute.setRequiredLevel('none');
      });
    } catch (e) {  }
  }

Try it yourself: open a form in Dynamics and copy and paste this code into the browser developer tools console (F12 in most browsers).

Just a quick post to remind you that this is possible, in case you had forgotten or not realised: customisations do not survive contact with the customer.
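The defender's counterpart to the snippet above is to decide which fields are required, read-only or not exposed at all on the server, from a policy the server holds, never from the form state the client reports. The following is an added example and not code from the original post or from the Dynamics 365 SDK: the field names, the policy object, the stored record and the validateUpdate function are all constructed for illustration. In Dynamics itself the equivalent enforcement point is a server-side plugin or field-level security, not form scripting.

```javascript
// Added example (not from the original post, not the Dynamics 365 API).
// A server-side allow-list policy for the three custom fields shown in the
// post. Field names are hypothetical and constructed for this example.
const accountFieldPolicy = {
  name:              { required: true },
  new_requiredfield: { required: true },   // "business required" on the form
  new_hiddenfield:   { exposed: false },   // hidden on the form: never accepted from a client
  new_readonlyfield: { readOnly: true },   // read-only on the form: only the server may change it
};

// Constructed sample of the record as currently stored on the server.
const storedAccount = {
  name: 'Contoso',
  new_requiredfield: 'set by the server',
  new_hiddenfield: 'internal value',
  new_readonlyfield: 'locked',
};

function isBlank(value) {
  return value === undefined || value === null || value === '';
}

// Validate an incoming update against the server-held policy. The client's
// form state is irrelevant: a user who has run the console snippet and
// cleared, revealed or edited fields still has every change checked here.
function validateUpdate(policy, storedRecord, incomingPayload) {
  const errors = [];

  for (const [field, rule] of Object.entries(policy)) {
    const provided = Object.prototype.hasOwnProperty.call(incomingPayload, field);

    if (rule.exposed === false && provided) {
      errors.push(`${field}: field is not exposed to clients`);
      continue;
    }
    if (rule.readOnly && provided && incomingPayload[field] !== storedRecord[field]) {
      errors.push(`${field}: field is read-only`);
      continue;
    }
    // Required is evaluated on the value the record would have after the update.
    const effective = provided ? incomingPayload[field] : storedRecord[field];
    if (rule.required && isBlank(effective)) {
      errors.push(`${field}: value is required`);
    }
  }

  // Allow-list: anything the policy does not know about is rejected outright.
  for (const field of Object.keys(incomingPayload)) {
    if (!Object.prototype.hasOwnProperty.call(policy, field)) {
      errors.push(`${field}: unknown field`);
    }
  }

  return { ok: errors.length === 0, errors };
}

// Constructed payload a user could send after reversing the form customisations:
// required field cleared, hidden field edited, read-only field changed.
const tamperedPayload = {
  new_requiredfield: '',
  new_hiddenfield: 'edited in the browser',
  new_readonlyfield: 'no longer locked',
};

// A legitimate update touching only an editable field.
const legitimatePayload = { name: 'Contoso Ltd' };

console.log(JSON.stringify(validateUpdate(accountFieldPolicy, storedAccount, tamperedPayload)));
console.log(JSON.stringify(validateUpdate(accountFieldPolicy, storedAccount, legitimatePayload)));
```

The important design choice is that the policy is an allow-list held on the server and the check runs on the update request, so nothing the client does to its own copy of the form changes the outcome; sending a read-only field back unchanged is accepted, sending it changed is not.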
