Jamie Garroch (MVP)
asked on
Hide custom ribbon controls from Office backstage / Options / Customize Ribbon view
I have an Office application add-in that has various controls that are made visible (or not) under specific configurations via getVisible callbacks.
When they are hidden, it's because the function is not available to the user.
However, I've discovered that regardless of the state of the controls, they ALL appear in the backoffice view here:
File / Options / Customize Ribbon and then change the Choose commands from: drop down to All Commands
The obvious impact is that users can circumvent the add-in's code, making it seemingly impossible to have a single code base for an add-in deployed under various configurations. At its worst, this appears to be a major security loophole.
Is there a way to prevent this behaviour?
You can customize the backstage view with the free Custom UI Editor. See Ron's web for more detail and examples.
Also, fellow MVP Andy Pope has a free Ribbon Editor Add-in that can customize the Excel files.
ASKER
Thanks thausia. The issue is that the client doesn't even want them to appear in the ribbon customisation view, regardless of whether the functions behind them are disabled. It's very odd that MSFT allow this loophole! I see another use case where I could develop a single add-in and groups are activated on demand as users pay for them. But this loophole means that model can be circumvented.
ProfessorJimjam : I am using that first tool to add the XML to the project but the issue is related to controls remaining visible in the Office app's UI (in File / Options / Customize Ribbon) even when the XML defines them to be invisible (either via the visible property or getVisible callback).
Can you also set the relevant control's enabled to false?
ASKER
Have you managed to make this work JSWilson? I've just done some testing with the enabled property and it doesn't appear to help. For example, when opening a file with a custom ribbon tab, the callbacks don't even fire until the tab is clicked yet all of the controls appear in the Customize Ribbon view in that state. Then, when I do click the ribbon, forcing the callbacks to run and set a test control's visible and enabled properties to false, the control still appears in the Customize Ribbon view. This really does look like a MSFT security issue to me unless I'm missing something.
Here it still appears and can be added to the ribbon, but cannot be used if enabled is set to false.
ASKER
It's the "still appears" bit that I've been asked to fix :-(
ASKER CERTIFIED SOLUTION
ASKER
If so JSRWilson, then I think this is something that MSFT should address because it represents a security loophole. Thanks for looking at it though and for a new challenge ;-)
ASKER
I've accepted the solution as being there is no solution so the question is maintained on EE for other developers.
Are you concerned about the user's ability to start a command from your add-in even when they shouldn't? If so, can't you just apply the same check as for the visibility to the button_click event and, e.g., show a message to the user that this command can't be executed under the current configuration/condition?
Regards
Thomas
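The check suggested in the last reply, written out as an added VBA example (not code from the thread or from the asker's add-in): one entitlement function feeds the getVisible and getEnabled callbacks and is checked again in onAction, so a control the user adds back through Customize Ribbon still cannot run a blocked feature. The control ids, the entitlement table and the feature procedures are hypothetical, and the ribbon XML is assumed to point every button's getVisible, getEnabled and onAction attributes at these procedures.

```vba
Option Explicit

' Hypothetical entitlement table: control id -> True if this deployment may run it.
Private mAllowed As Object

Private Sub LoadEntitlements()
    Set mAllowed = CreateObject("Scripting.Dictionary")
    mAllowed.CompareMode = vbTextCompare
    mAllowed("btnExportReport") = True     ' constructed sample ids
    mAllowed("btnBulkUpdate") = False
End Sub

' Single source of truth for every callback. Unknown ids are denied (fail closed).
Private Function IsFeatureAllowed(ByVal controlId As String) As Boolean
    If mAllowed Is Nothing Then LoadEntitlements
    If mAllowed.Exists(controlId) Then IsFeatureAllowed = mAllowed(controlId)
End Function

' getVisible / getEnabled callbacks: presentation only, not an access control.
Public Sub GetVisible(control As IRibbonControl, ByRef returnedVal)
    returnedVal = IsFeatureAllowed(control.Id)
End Sub

Public Sub GetEnabled(control As IRibbonControl, ByRef returnedVal)
    returnedVal = IsFeatureAllowed(control.Id)
End Sub

' onAction callback: the enforcement point, re-checked on every click.
Public Sub OnAction(control As IRibbonControl)
    If Not IsFeatureAllowed(control.Id) Then
        MsgBox "This command is not available in the current configuration.", vbInformation
        Exit Sub
    End If
    Select Case control.Id
        Case "btnExportReport": ExportReport
        Case "btnBulkUpdate": BulkUpdate
    End Select
End Sub

' Hypothetical feature procedures, Private so they are only reached through the dispatcher.
Private Sub ExportReport()
    Debug.Print "ExportReport running"
End Sub

Private Sub BulkUpdate()
    Debug.Print "BulkUpdate running"
End Sub
```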