Restricting users to only certain records via web

[J Meredith]

I have a question for the Filemaker whizzes out there. Just so you all know up front I have been working with FM for 3 years on a basic to intermediate level in our business, developing as I go.

I posted this in another thread and received only one answer. I am hoping that by posting it here, in a more topic specific area, I will get a bit more feedback.

Thanks for taking the time to read this long post. I am truly perplexed.

___

I am the owner of a graphic design firm who has recently taken on doing contract work for a local marketing company. We currently use a filemaker database to track all of our clients. I would like devise a simple solution for making proofs available online to customers through Filemaker 7. From the mucking around I have done at this point this looks possible.

We currently have a server running OS X 10.3 with a small website being hosted specifically for serving client proofs. We currently drop our proofs in folders for the clients and then provide a URL for them to download or view the proof in their browser. This works, but requires a lot of work to check what version we are posting and then send the appropriate URL via email.

The ideal solution would be to have a database open on the server, which is available via the web. This database would allow a customer to log in and view all of their proofs with the same username and password each time.

For the back-end, it would be nice to simply add an image to the database under the customers record (which I understand can now be done easily with a link to the file rather than embedding in the database) and that be available to the customer when they log in.

My delima is how to structure the database so that customers only have access to their records and not everyone else's records. The permissions structure seems to be very thorough in FM7 but I am unsure of how to structure the DB with the new Tables capability. It would seem that each customer would listed in one table with a key and then that key would be linked to the job number(s) in another table.

The goal is to have the user enter the database and upon entering their username and password (some how tied to the customer table), then be able to view only those records in the job table that are associated with their login info.

Please realize I am not a DB guru, so I am not the most experienced. I do understand relational DB ideas for the most part, but I am unsure about this security/structuring idea.

I am I approaching this from the wrong perspective?

I hope all of this makes sense and any help would be appreciated.

Please keep in mind that we are a small design firm with limited resources, thus hiring someone to do this at this time is not feasible (though I would certainly like to if I could )

Thanks again for the help.

--

Jamie Meredith - President

ICTHUS Digital Services, Inc.

i4-Design

Dayton, OH

-----

http://icthusdigital.com

http://i4-design.net

Version: v7.x

Platform: Mac OS X Panther

[Garry Claridge]

You can look at using the "Web Security" database.

A "Security" document exists on the FM site. This gives an example of "record level" security. It uses "Exact Match" restrictions in the Web Security Database.

All the best.

Garry

[Steve T.]

Hi, Jamie! Uh, I don't have access to FM7 but I've been told CDML is gone so I'm guessing that you will be using Instant Web Publishing? Unfortunately, I know little about that but some issues pop into my head at once I thought I should mention...

1. REL DB. I think you would want a relational db with a table (or db) of customers and a 2nd table (or 2nd db) of proofs in which the proofs can be shown in a portal on a customer's record... at least in FM4-6. If each job involved multiple proofs, you may want to structure it more like a customer/product/invoice structure or in your case, a customer/proof/job structure in which case the job table/db would pull info from both the customer and proof tables/db's.

2. SECURITY. How secure does it need to be? If you drop the JPG/GIF proofs in a published place, someone can still guess the URL even if you protect the FMP record with its official known path. In order to have a truly password protected site, this must be controlled by the web server. If you have a techie webmaster who knows the command line (unix stuff), they can learn how to create .htaccess files (dot-ht-access) to password protect individual directories. You could have each customer have their own folder and have FileMaker e-mail them the links rather than serving a webpage showing the links. When they try to enter their directoies; it would ask for their password before letting them in. I could be wrong, but I think approval is session-based so they would not have to log in again when viewing the other proofs once they log in once and don't quit their browser.

If it were me using FM4-6 and Custom Web Publishing and I wanted something quick and easy that just needed token security (Ha! FileMaker pun! There's web tokens commonly used in security solutions.) then I'd just use a 2 field search requirement (customernumber and password), i.e. FIND customernumber=x AND password=y where if either does not match, then there are no records found and the web visitor sees a an error page saying the login/password is not valid. I think the document Garry references says soemthing like that using "==", but I can't remember.

Of course, there's also a lot of pseudo- fake-password tricks out there using JavaScript and stuff, too. An internet search should show you how to do those, too. AppleShareIP used to let you designate password-protected directories for users on your system, but I could not get it to work on Mac OS X Server though I heard there was an Apache module that might do it. We decided to go with .htaccess because it lets you password protect a web directory without creating any real users on the server.

If your webmaster is only quasi-geeky and is familiar w/PHP, you can install PHP on your Mac OS X machine (actually, it's pre-installed, too) and I read about a free PHP-based web system that lets you create .htaccess files without having to go to the command line. You can set them up from a web browser once you have PHP and that particular PHP utility installed. If you decide to go this route and cannot find the utility I'm talking about, I can post it here later (it's at work).

Hope this helps some.

--ST

P.S. There are some great developers right here on FMFORUMS I imagine you could hire for quite modest fees unless you'd rather do it yourself for the experience and fun. They're great resources in these Internet forums so shouldn't be hard to find... they have lots of posts with lots of folks thanking them. Some are even admins/moderators and some have ads here... just look around. A Classifieds forum, too, I think. And no, I'm not one of them nor do I have any affiliation with any of them outside the good nature of this forum!

[J Meredith]

WOW ... thanks for the great info!

This should be enough to keep me busy

I will post my discoveries and what I come up with here before I take it live. It will, as will all my side projects, take me a while to get to this, so please add this page to your favorites and check back.

Again to both of you.

Jamie Meredith