1C Install Safe Mode. Safe mode of operation

The software opening of the external processing is carried out using the global context object of external processing, which has a type External processingmen. For each 1c platform mode (normal application, and managed application mode), various object methods are used to work with external processing.

Start external processing in normal application mode

In the usual application, you must use the Create () Object Object, which passes the full name of the external processing file. The method returns the type object External processing, This object is open external processing. If you want to open the external processing form, then the obtained object is called the Options () method (), which will return the basic shape, and then call the Open () method for opening it.


Processing \u003d external processing. Create (full);
Processing. Forecorm (). Open ();

In external processing, the main form should always be the usual, and the optional optional, otherwise the Options will not work () in the usual application mode.

Run external processing in managed application mode

In the mode of controlled forms, the algorithm is separated by the context of execution. On the client we get binary data on the full name of the external processing file. We transmit the received binary data to the server and put them in a temporary storage. Next, you need to call the connection () object of the external processing object in which the address is transmitted to the temporary storage. The method returns the name of the connected external processing. Return the name of the external processing to the client, form a string path to the processing form and using the openform method () open the external formation form.

&On server
Function to be obtained by appearances (binary)
AddurbationRexuality \u003d Position-based reserve (binary);
Returning external processing. To connect (addresseed by time);
Endfunction

& Svalette
Fullness \u003d ""; // The full name of the external processing file.
Puttails \u003d New bichelted (full);
Imaging \u003d reconnecting (spelling);
Openform ("external processing." + Imaging + ".Form");

Safe mode for external treatments

Methods to create () and connect () Object external processing have the incoming security parameter - a sign of connecting external processing in safe mode. If the parameter is not specified, the connection will be implemented in safe mode.
Safe operation mode is designed to protect the system from executing the "unreliable" program code on the server. Potential danger represent external processing or program code entered by the user to use in the methods to perform () and calculate ().
The following restrictions are superimposed in safe mode:

• the privilege mode is canceled if it was installed;
• attempts to go to the privileged mode are ignored;
• prohibited operations with COM objects;
• it is forbidden to download and connect external components;
• prohibited access to the file system (except temporary files);
• forbidden access to the Internet.

Processing, open interactively, not performed in safe mode, so it is recommended to implement the opening mechanism of external treatments in safe mode, as well as at the level of rights to prohibit the user an interactive opening of external treatments.
To prohibit the interactive opening of treatments, in all roles assigned to the user, it is necessary to remove the right "interactive opening of external treatments" (see Figure 1).

Figure 1. Interactive opening rights of external treatments / reports

The right "Interactive Opening External Processings" does not affect the external processing facility.

Software opening of external reports, similar to external treatments, only the object of the global context should be used, which has a type Foreign trade.

When you start the program, downloading documents under the usual user error occurs "Installed Mode. Performing operation is prohibited."

This complexity occurs because To start external processing is not right. To configure access rights, go to the base in 1C mode on behalf of Administratorand go to the section User settings and permissions / access group profiles,click To create a group.

Enter the name of the group and check the roles available to users of this role.

• Interactive opening of external reports and treatments
• Using additional reports and treatments

Click Record and close

Return to the Users menu and select an employee from the list that will work with the program Loading Documents. Click Access Rights. In the list of profiles, mark the earlier profile. Click Record.

For users to start processing, it is recommended to add downloads to the list of external processing. To do this in the menu Administration / Printed Forms and Processing / Additional Reports and Processing Create a new processing. Specify the path to the "Download .epf" file and assign a name. Specify the placement of processing in the menu, from where the user can run it later, for example, select Menu Directories

By clicking on Quick Access, you specify that processing is available from users:

After setting, click Record and close. To start processing, users will sufficiently go to the database and open it from the access menu (in the example - reference books) and click Perform.

Open Menu - all functions ... And locate the Safety Profiles in the list.

It is enough to remove the flag from the option "Use security profiles".

After that, the program will start successfully.

On the example "Trade Management 11.3" Example Consider a simple process of connecting an external printed form. We will also consider the features of the new security system.

Fast passage

Preliminary actions

To begin with, you should enable functionality or check its availability

1. Go through full rights to the information base.

2. Go to the "NSI and Administration" menu / Administration unit / Team "Print forms, Reports and Processing".

Addition

In the section that opens:

We add the processing over the "Create" button (this is important) or "update!" existing:

• It is highlighted in the list (if not allocated or empty, the team will not work, but nothing will say).
• Press the "Download from the file" button.

After the appearance for 1C in external processing, security checks appeared in new configurations.

Only the processing should be installed independently or obtained according to the known communication channels (not from mail, only from the site with a valid certificate, or provided by the developer employees confirmed by the phone).

If everything is written in processing by the developer, "placement" will be installed - objects in which processing will be involved, the command (s) will appear.
To work, it will be enough to click "Record and Close".

Check

Immediately after that, depending on the type of processing:

• Printing form becomes available when opening a document or from its list (for already open when re-opening) via the "Print" button.
• Processing Available in "Advanced Processing" sections in each subsystem
• Fill over the button "Fill" the list or the main command panel of the object form.

For the above processing, the launch will look like this:

If the document is new, it should be recorded, the mechanism of external treatments will warn you about this:

Further behavior depends on the laid functionality: it is possible to open the form or simple data processing.

Security Warnings in 1C

In the new releases of the platform and configurations, protection against the launch of malicious programs has increased.

The processing may be running Excel to download, in this case the new security subsystem will also warn you:

In this case, the handler code is interrupted.

In case you click "Yes", the system will ask you to re-call the command:

For the user of the information base, it is possible to disable the protection against dangerous actions through the "Configurator":

From the "Enterprise" mode, it is impossible to change this, perhaps it is done specifically, it may appear after the update.

It should also be noted that if the processing uses Excel, it must run in unsafe mode (so it was before the introduction of the new system, it works in parallel):

"Unable to download MS Excel !!!" "Installed safe mode. Performing operation is prohibited

In external processing it looks like this:

The developer follows in the internal description of the processing to install it in "Lie", then everything will be fine:

Function information for information () Export parametersEregistration \u003d new structure; Parametersregistration. Hold ("Safety", lie);

When updating the configuration, a warning text has also appeared on the source from which the configuration file was obtained:

With the release of the platform 8.3.9.2033 a new mechanism appeared "Protection against Hazardous Action".

Thanks to this innovation, 1C is now to open processing (and not only) began to swear:

Security Warning

Opened "My External Processing" from the file "My_Protype.epf"

It is recommended to pay attention to the source from which this file is received. If there is no agreement with the source on the development of additional modules, or there is doubts about the contents of the file, it is not recommended to open it, as this may harm the computer and data.

Allow open this file?

So 1s decided to fight the malicious code!

Where will this "malicious code" in the enterprise until the riddle)

To potentially dangerous actions included:

• Loading an external report, processing or configuration expansion.
• Downloading or updating configuration / expansion.
• Access from external report / processing or expansion to the following features:
• Execution of the operating system command.
• User management (Recording or removing information about the user of the information base).
• Calling the Method Connect () External Processing Manager (Reports).
• Calling an extension method. To recruit ().
• Work with COM objects.

How does this "miracle" turn off?

To do this, run 1c enterprise in the configurator mode.
Select the "Administration" menu - "Users".
In the window that opens, you need to open the User Settings window and install the bird in the "Basic" bookmark "Protection against Hazardous Action"

There are other ways to disable it:

Implemented the ability to specify a list of information databases when working with which protection against dangerous action will be disconnected.
The disableunsafeactionprotection parameter in the conf.cfg file is responsible for this function, which allows you to disable the protection mechanism for hazardous actions for all users of certain information databases, whose connection strings satisfy the masks specified in the DisableunsafeactionProtection parameter.

In this parameter, you can specify several masks shared by the ";" symbol, for example:

DisableunsafeactionProtection \u003d Test _. *; Stage _. *;

In addition, the protection against dangerous user actions can be disabled programmatically, for which there are the following parameters and properties:

• Property Safety Parameters Connect () External Processing Managers (Reports)
• The properties of the protectiveness of the expansion object object before calling the method to write () of this object.

Checking the need to use protection against dangerous action is performed in the following order:

1. If the current user has been reset the "Protection against Hazardous Action" checkbox, the defense is considered to be disconnected.

2. If the connection line with the information base satisfies one of the templates specified in the conf.cfg disableunsafeactionprotection parameter, the protection is considered to be disconnected.

3. If the protection is explicitly disabled using the external processing or report protection parameter.

4. If the protection is explicitly disabled using the Property Property Property.

Printing (Ctrl + P)

Configuration objects

If you need to use on the "unreliable" program code: external processing or program code entered by the user to use in methods to perform () and calculate (), you can use the secure mode of operation.

In safe mode:

• Privileged mode canceled.
• Transition to privileged mode ignored.
• Forbidden Operations leading to the use of external means in relation to the "1C: Enterprise" platform (including non-blocking analogues of these methods):
• COM mechanisms:
  • COMBACK ();
  • Get process object ();
  • ShellHTMLOV. FocusCheckCext ().

• Loading external components:
  • Download ();
  • Connectively compound ().
• File System Access:
  • ValiNew ();
  • CopyFile ();
  • Combined ();
  • Movefile ();
  • Divided file ();
  • Create Catalog ();
  • Delete files ();
  • New file;
  • New xbase;
  • RecordingHTML.Openfile ();
  • ReadingHTML.Openfile ();
  • ReadingXml.Openfile ();
  • RecordingXml.Openfile ();
  • ReadingFastInfoset.Openfile ();
  • RecordFastInfoset.Openfile ();
  • Canonical recordingXML.Openfile ();
  • TransformationXsl. Zaporizifile ();
  • Recordzip File. Open ();
  • Reading feedfail. Open ();
  • New readetexte () if the first parameter is a string;
  • Readetetextsext. Open () if the first parameter is a string;
  • New post station () if the first parameter is a string;
  • Posttext.Open () if the first parameter is a string;
  • New extractionethexte ();
  • changing the removal properties. IMAFILE;
  • Extractionequexsta. To recruit ();
  • New picture () if the first parameter is a string;
  • Picture. recruit ();
  • New binary ();
  • Bicked. Request ();
  • New recorded () if the first parameter is a string;
  • New reading (), there is the first parameter - string;
  • all methods of the object of manageflows;
  • New file reader ();
  • FormattedDocument. To recruit ();
  • Geographicalshema. Up ();
  • Geographicalsham. recruit ();
  • Geographicalsham.nice ();
  • Tabdocument. Up ();
  • TabDocument. To recruit ();
  • Tabdocument.Nach (); Graphichema. Up ();
  • Graphichema. recruit ();
  • Graphichema.Nach ();
  • Text document. Up ();
  • Text document. To recruit ().
• Internet access:
  • New intercation,
  • New online pub
  • New online business
  • New httpsignation
  • New FTP connection.

ATTENTION! When performing prohibited operations during execution, an exception generates.

Note. External reports and processing, opened using the File - Open menu, are executed in safe mode if the user does not have administrative access rights.

The amount of secure mode inclusions must match the amount of shutdowns. However, if the safe mode (once or more) was turned on inside the procedure or function, but it did not turn off, the system will automatically shut down as many times as unfinished inclusions was in the ledmed procedure or function.

If in the procedure or function call functions Install savo-saving (lies) Made more than method calls Install savo-saving / truth)The exception will be caused.

The software installation of the secure mode may be required if the configuration developer involves the use of third-party (relative to the configuration) of the program code, the reliability of which the developer cannot guarantee. An example of such a code is to execute methods () and calculate () in cases where the executable code is obtained from the outside world. In this case, a good practice will be the installation of a secure mode before performing these methods:

// A program code is generated, which should be executed // It is possible that the code is loaded from external sources // or manually executed executableCode \u003d receiving bodiesCodiznegomir (); // turn on the safe mode of the security-space (truth); // Perform a potentially dangerous code to perform (executablecode); // Turn off the secure mode of the security-saving / lies);

In some cases, the secure mode settings can conflict with the settings of the privileged mode. An example of such a conflict acts on the document for which the Privilege Privilege Protection Property property has been established, from the code in the embedded language, which is performed in safe mode. In this case, the privileged mode is turned off, and attempts to enable it are ignored. As a result, the code in the embedded language, which "calculates" on the included privileged mode, "faces" with its absence, which leads to errors with non-obvious reasons for the appearance. To prevent such a situation, the system "1C: Enterprise" automatically disables the secure mode for event handlers that are available in the object module or the manager module, provided that the executable code in the embedded language is not located in the configuration expansion. Such handlers are noted in a syntax-assistant in a special way.

It is also possible to disable secure mode from the embedded language (if the program code from which the trip attempt is performed is not in the configuration expansion). To disable secure mode, the method is designed InstallingClovesContactsAnd (). Check that the safe mode is currently disabled (automatically or by calling the method), you can using the method Opening powerless protection ().

Within the framework of the same method, the embedded language cannot be more than one level of nesting the safe mode setting (by calling the installation method ()) and setting off the secure mode (automatically at the time of the event handlers of the metadata objects or the method of establishing the power-sensing method ()). When trying to increase nesting, an exception is generated:

// Correct use of the NameProcessary Procedure () Installation Safety Control (Truth); Establish savo-saving (truth); Install savo-safe (lies); Installing powerless protection (false); Extrudresses // Incorrect use of the nameProcessary name procedure () Install the powerlessness of the Safety Control (Truth); Establish savo-saving (truth); Installing powerless protection (false); // Exception ExtraConditions Procedure NameProcessor () InstallationScatter (Truth); Installing powerless protection (false); // Exclusion Extrudruces