
editing/posting without hidden form fields?


This topic is 6261 days old. Please don't post here. Open a new topic instead.


Is it possible to edit a record without using a hidden form field to specify which record should be edited?

I can't use hidden form fields because someone could save and edit the source and edit a different record. And I can't use a restricted custom access privilege set to prevent that, because I can't use FileMaker internal authentication (because I am not allowed to email passwords), and can't use FileMaker external authentication (because at Stanford it's not possible to use LDAP groups). Instead I need to use Stanford's webauth system for the initial authentication, and need to have a secure way of controlling which record someone is allowed to see and edit.

I explored using cookies or sessions for this, and those methods seem to work fine in principle, but I haven't been able to figure out how to use them to solve my problem, i.e. specifying which record to edit without that number showing up in the "source".

The way I'm currently retrieving the information from the cookie is the two-step process from the documentation (first use fmxslt:get_cookie to put it into a variable $pref_cookie, then get the information out of $pref_cookie/fmc:cookies/fmc:cookie) and I don't know whether it's possible to get that into the xslt-cwp-query params somehow?


I think in your case you have to provide record security at the database side, not the web side. You have to create a privilege set that allows editing (i.e. unlocking) of records based on a calculation (e.g. if user id submitted equals user id attributed internally to the record, allow editing. This might even be expanded with some private/public key scheme). Check within FM: Menu File > Define > Define Accounts & Privileges, Tab Privileges, Button New ..., dropdown-menu Records > Custom Privileges ...

Still, you have to check what happens if the user edits the source so that his ID is not sent.

BTW, you can't get the cookie into xslt-cwp-query params on the same page (see the thread http://fmforums.com/forum/showtopic.php?tid/182893/ on a similar question), but you can send it in a document() call within the page or by the relay technique (see http://www.filemaker.de/konferenz2006/ , slides and demo by me, all in German) to the database.


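The ownership check suggested in the answer above, including its caveat about a request that arrives without the user's ID, sketched as an added example that is not part of the original posts and is not FileMaker or XSLT code. The in-memory `RECORDS` store, `handle_edit`, `try_edit`, the form field names and the user names are all hypothetical; the identity is assumed to be handed over by the web server's single sign-on layer rather than by the form.

```python
"""Server-side record authorization: the form may name a record id,
but the decision uses only the identity asserted by the SSO layer."""

# Constructed sample data: record id -> owner and contents.
RECORDS = {
    101: {"owner": "alice", "phone": "555-0100"},
    102: {"owner": "bob", "phone": "555-0199"},
}
EDITABLE_FIELDS = {"phone"}  # allow-list; "owner" can never be posted


class Forbidden(Exception):
    """Raised when the request must be refused."""


def handle_edit(sso_user, form):
    """Apply an edit. sso_user is assumed to come from the web server's
    SSO module (REMOTE_USER style), never from a form field or cookie
    the browser can rewrite."""
    if not sso_user:
        raise Forbidden("no authenticated identity")
    try:
        rec_id = int(form.get("recid", ""))
    except (TypeError, ValueError):
        raise Forbidden("missing or malformed record id") from None
    record = RECORDS.get(rec_id)
    # Same refusal for "not found" and "not yours", so ids cannot be probed.
    if record is None or record["owner"] != sso_user:
        raise Forbidden("record not available")
    changes = {k: v for k, v in form.items() if k in EDITABLE_FIELDS}
    record.update(changes)
    return rec_id, changes


def try_edit(sso_user, form):
    """Return 'ok' or the refusal reason (wrapper for the demo below)."""
    try:
        handle_edit(sso_user, form)
        return "ok"
    except Forbidden as exc:
        return str(exc)


if __name__ == "__main__":
    print(try_edit("alice", {"recid": "101", "phone": "555-0111"}))  # own record
    print(try_edit("alice", {"recid": "102", "phone": "555-0666"}))  # edited hidden field
    print(try_edit(None, {"recid": "101", "user": "alice"}))         # ID only in the form
```

With the check on the server, the record id in the page source no longer needs to be secret: changing it only produces a refusal.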

Thanks for writing back: I've successfully used the document() call to open the right record from the cookie and display information from it, but I don't know how I can use it to *edit* the record. Is that possible?

Also, slides in German are fine, and I've already downloaded them, but I can't seem to find the "relay" technique in there. What page is it on, or what's the German word you're using?
