restrict access to certain html+cdml pages using passwords

[ehanuise]

Hi.

I'm designing a helpdesk management application. I needed to set it up quickly so I used filemaker pro 5.0unlimited, and the built-in web server.

I do not use instant web publishing, but rather html+cdml pages ('custom' web publishing.)

I have three databases :

users.fp5 with our users logins, first and last names, and emails

tickets.fp5 which holds the helpdesk tickets info

interv.fp5 which holds the interventions on each ticket.

tickets.fp5 has a portal to interv.fp5 based on the ticket number. the ticket record holds data global to the ticket, and the interv.fp5 holds details of each time sometime did something to advance the ticket.

I have then made a set of html+cdml pages as follow :

-index

+- search and display page for users (allows them to get the status of a ticket by providing the tiket number or their username)

+

+- ticket creation and modification pages for the helpdesk staff

+

+- users creation and modification pages (on database users.fp5) for the helpdesk staff.

I'm looking to find a way to :

- enable anyone to access the index.htm , ticket_search.htm, and ticket_list.htm pages without needing to log in

- requires a log-in for access to any of the other web pages

- allow someone logged in to log out so he can relog in using another username/password (often needed for the helpdesk staff)

I read the filemaker security guide and the web companion security papers, but these allow you only to place restrictions on a layout, database, and/or fields.

I could find no way to put restrictions on actual html files (something like using a .htaccess file on a apache web server.)

anyone has pointers on how to do that ?

[Garry Claridge]

You could 'trick' the system by using the "WebSecurity.fp5" database to protect certain fields. These fields will then only appear on certain layouts which are accessed by different format (html) files.

As far as 'logging-out' goes you will have to end the browser session. The WebSecurity database uses HTTP-Authentication so you may be able to use various windows for different sessions.

All the best.

Garry

[Anatoli]

When you are switching between HTML files, you can do so with -edit based URL even you do not edit something and send -edit rights in WebSecurity db.

[The Bridge]

I haven't yet played with these new FMP5.0 CDML tags yet, but they may work for you:

In your forms/links:

-FMTField=Format_Field - uses the filename stored in the field Format_Field to return results. If Format_Field is empty, Web Companion should use the filename specified with the -Format tag.

In your results page:

[FMP-IncludeField: Fieldname] works like the [FMP-Include] tag with the exception that the contents of the specified field are included, not the contents of a file.

Hope this gives you some ideas!

[Vaughan]

Some of these tags got taken out of WC 5.0v3 due to a perceived security risk. Check the WC read-me file to see what were removed.

[ehanuise]

Most (in fact all) web servers i've used until here allowed to restrict access to certain html pages.

If I understant well, once pages are served by filemaker pro (and/or the web companion+a web server) one has to forfeit this ability and be limited to filemaker's databases-and-fields access permissions ?

this is quite impractical...

I'll have to redo the whole project as a php+mysql or oracle+asp solution then : I have fields in the database for staff use that users must not be aware of. If I use the security database's "All Users-browse" and restricts these fields to ask a password, someone can access the pages containing these fields without a password. The fields will not be displayed, but the general layout of the page (and column headers) will show.

What I really need is forbid some pages to be accessed without a password.

And hiding the pages behind a 'portal' page is not a solution either : if a staff member consults these pages on a user's computer, then they'll show in the history of his browser.

the security database should include provisions to limit access based on the html file names as well

[Vaughan]

Web Security offers field-level acces restrictions. This should be able to solve your problems.

[Garry Claridge]

You can use a combination of [FMP-IF: ] and [FMP-Include: ] tags to achieve this. This is how I was restricing pages on one project; and I know of other people who use this method.

Here is the example from the "CDML Reference" database:

[FMP-If: CurrentUser .eq. xyz]

[FMP-Include: requirefield.htm]

[FMP-Else]

[FMP-Include: othererror.htm]

[/FMP-If]

All the best.

Garry

[ehanuise]

this might do it, by combining [FMP-If] with javascript to get the browser to report the filename.

I'll toy around with it and see if I can come with something useable

[The Bridge]

quote:

---

Originally posted by Eric Hanuise:

this might do it, by combining [FMP-If] with javascript to get the browser to report the filename.

---

You can always use [FMP-If: CurrentFormat.eq.foobar.html]...[/FMP-If]

Earlier I suggested looking at the -FMTField tag. As Vaughan said, it has been removed from WC since 5.0v4.

[ehanuise]

I found another way...

create an empty 'main' database with one record, no fields

set perms using the web security database on main.fp5

use this to force a login

<FORM ACTION="FMPro" METHOD="POST" >

<INPUT TYPE="hidden" NAME="-db" VALUE="main.fp5">

<INPUT TYPE="hidden" NAME="-lay" VALUE="all_fields">

<INPUT TYPE="hidden" NAME="-format" VALUE="staffmain.htm">

<INPUT TYPE="submit" NAME="-FindAll" VALUE="Helpdesk Staff Log In">

then use fmp-if on subsequent pages to make sure [fmp-ClientUserName] and [fmp-ClientPassword] are not empty