Link to home
Create AccountLog in
Avatar of Jamie Garroch (MVP)
Jamie Garroch (MVP)Flag for United Kingdom of Great Britain and Northern Ireland

asked on

Hide custom ribbon controls from Office backstage / Options / Customize Ribbon view

I have an Office application add-in that has various controls that are made visible (or not) under specific configurations via getVisible callbacks.

When they are hidden, it's because the function is not available to the user.

However, I've discovered that regardless of the state of the controls, they ALL appear in the backoffice view here:

File / Options / Customize Ribbon and then change the Choose commands from: drop down to All Commands

The obvious impact is that users can circumvent the add-in's code, making it seemingly impossible to have a single code base for an add-in deployed under various configurations. At it's worst, this appears to be a major security loophole.

Is there a way to prevent this behaviour?
Avatar of Dr. Thomas Henkelmann
Dr. Thomas Henkelmann
Flag of Germany image

Hi,

are you concerned about the user's ability to start a command from your add-in even when they shouldn't? If so, can't you just apply the same check as for the visibility to the button_click event and e.g. show a message to the user that this command can't be executed under current configuration/condition?

Regards

Thomas
Avatar of Professor J
Professor J

you can customize the backstage view with free Custom UI Editor  Ron's web for more detail and examples


also  fellow MVP Andy Pope has a free Ribbon Editor Add-in that can customize the Excel files
Avatar of Jamie Garroch (MVP)

ASKER

Thanks thausia. The issue is that the client doesn't even them to appear in the ribbon customisation view, regardless if the functions behind them are disabled. It's very odd that MSFT allow this loophole! I see another use case where I could develop a single add in and groups are activated on-demand as users pay for them. But this loophole means that model can be circumvented.

ProfessorJimjam : I am using that first tool to add the XML to the project but the issue is related to controls remaining visible in the Office app's UI (in File / Options / Customize Ribbon) even when the XML defines them to be invisible (either via the visible property or getVisible callback).
Can you also set the relevant control's enabled to false?
Have you managed to make this work JSWilson? I've just done some testing with the enabled property and it doesn't appear to help. For example, when opening a file with a custom ribbon tab, the callbacks don't even fire until the tab is clicked yet all of the controls appear in the Customize Ribbon view in that state. Then, when I do click the ribbon, forcing the callbacks to run and set a test control's visible and enabled properties to false, the control still appears in the Customize Ribbon view. This really does look like a MSFT security issue to me unless I'm missing something.
Here it still appears and can be added to the ribbon  but cannot be used if enabled is set to false
It's the "still appears" bit that I've been asked to fix :-(
ASKER CERTIFIED SOLUTION
Avatar of John Wilson
John Wilson
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
If so JSRWilson, then think this is something the MSFT should address because it represents a security loophole. Thanks for looking at it though and for a new challenge ;-)
I've accepted the solution as being there is no solution so the question is maintained on EE for other developers.