4D provides features that allow its commands and database methods to be used from other features available to a user. One example is 4D Write Pro, where an expression that uses a method or command can be inserted.
By default, a 4D database should filter commands and methods, preventing access to all of them.
This setting is found in the Database Settings > Security Section:
Enabled for all is the default setting for a new database. This will filter out the commands and methods for all users.
Disabled for the Designer and the Administrator will filter out the commands for all users besides the Designer and the Administrator. This can be useful for specific use cases, but it will cause a difference in behavior. For example, a Designer implementing a new feature has access to specific commands during testing, while the users will not have that access once the feature is deployed.
Disabled for all is a dangerous setting that will not filter any commands or functions. This will open up dangerous commands such as TRUNCATE or DELETE SELECTION to users and should not be set without first understanding these dangers.
It is suggested that Enabled for all be used and that commands and methods be allowed with the SET ALLOWED METHODS command. The command takes an array of method names and exposes them to the user. If a 4D command is needed, it will need to be implemented in a project method.
For example, if Current user is needed, the method below could be created and exposed:
    // Method: getCurrentUser
    C_TEXT($0)
    $0:=Current user
The method can then be allowed:
    ARRAY TEXT($allowedMethods_at;0)
    APPEND TO ARRAY($allowedMethods_at;"getCurrentUser")
    SET ALLOWED METHODS($allowedMethods_at)
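One way to confirm at startup that only the intended methods are exposed, as an added example that is not part of the original tech tip. It assumes a project method with the hypothetical name auditAllowedMethods called from On Startup, and reads the list back with GET ALLOWED METHODS.

```4d
  // Method: auditAllowedMethods (hypothetical name), called from On Startup
  // Sets the allowlist, then reads it back to confirm nothing broader is exposed.
ARRAY TEXT($expected_at;0)
APPEND TO ARRAY($expected_at;"getCurrentUser")
SET ALLOWED METHODS($expected_at)

  // Read back what is actually in effect for this session
ARRAY TEXT($active_at;0)
GET ALLOWED METHODS($active_at)

C_LONGINT($i)
C_TEXT($problems_t)
$problems_t:=""
For ($i;1;Size of array($active_at))
	Case of 
		: (Position("@";$active_at{$i})>0)
			  // "@" acts as a wildcard in allowed method names and exposes a whole group
			$problems_t:=$problems_t+"Wildcard entry: "+$active_at{$i}+Char(Carriage return)
		: (Find in array($expected_at;$active_at{$i})=-1)
			  // Entry that is not on the intended list
			$problems_t:=$problems_t+"Unexpected entry: "+$active_at{$i}+Char(Carriage return)
	End case 
End for 

If ($problems_t#"")
	  // Assumption: an interactive session; on a server, write to a log instead
	ALERT("Allowed methods need review:"+Char(Carriage return)+$problems_t)
End if 
```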
Double-check the database settings to confirm that the setting is at the desired level of security.