I have a user with the following policy permissions (!local,!telnet,!ssh,reboot,read,!test,!winbox,password,web,!sniff,sensitive,!api,!ftp,write,!policy) and they have the webfig skin below, but immediately upon login they are sent to http://routerIPhere/webfig/ and all the skin Quick Set fields I've hidden are visible and interactive. It's only when I click the Quick Set tab and am taken to the Quick Set anchor that it hides everything properly.
Also, is this stuff actually secure? Assuming a user with the policy permissions above, can they still log in to webfig and craft their own custom request to alter a hidden field? Is the security just on the presentation layer?
Using RouterOS 6.4, skin JSON attached.