I am using web2py forms and i want to have some fields only visible to user (as fixed which cannot be edited). I tried making various combinations of editable, writeable, readonly but was of no use. I looked into web2py book too but that also seems insufficient. It would be great if someone can tell me how to do this.
You mean some fields visible to all visitors and some fields visible only if logged in?
If that's the case, then build your form conditionally:
form_fields = [
Field('pubfield'),
Field('pubfield2')
]
if auth.user: # This is true if the end-user is logged in and you're using the built-in auth
form_fields.append(Field('private_field'))
return dict(form=FORM(form_fields))
Unless you're not talking about logged in users, and just want to make the fields be visible, but not editable. Then, use writable=False like you tried, but I think you have to either use crud.create/crud.update or SQLFORM / SQLFORM.factory (the latter does not require a data model)
SQLFORM.factory(Field('my_readable_field', writable=False))
If you the form is based off of a database, you can use CRUD (you'll need to modify the settings for CRUD if you're not using authentication, so that CRUD forms are accessible)
crud.create(db.some_table)
or
SQLFORM(db.some_table)
Related
I am trying to determine if a specified field role in my user's collection is the one being used within the app. I have simulated this rule like below image in the rules section:
I am trying to access the Admin field of the user collection in this image and check in the rules to allow creating a new product if the user is admin or superuser(can create admin users). Image below:
The rule simulation seems to fail, is there a proper way to access this field in security rules(see both images) or to set up the database properly? The fields were set in a form using radio buttons?
Overall desired task is to allow only certain sections of the app database to be accessed and/or manipulated by my users and also within the app itself, is there a way to query these fields and render the UI and interactions conditionally, to avoid the whole security rules thing?
The superuser is in the owner's collection, omitted for brevity and only one document in it.
Thanks.
Your rule is checking documents in your "projects" collection, but your screenshot is showing contents of doucments in the "users" collection. So, there is obviously a mismatch here.
If you want to allow access to a document using the contents of another document, you will need to get() the other document, then check it for the data you're looking for. An example of this is provided in the documentation. What you will need to do is get() the user document for the currently authenticated user, then check that document's role field. It will look something more like this:
get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role
I would like to check if the current BE user has access to a specific field, e.g. pages.canonical_link or tt_content.header_link.
I can see how this can be done by checking for the permissions of current user to edit the page or content by using e.g. $GLOBALS['BE_USER']->getPagePermsClause(Permission::CONTENT_EDIT). Also it can be checked if user has write access to table by accessing via $GLOBALS['BE_USER']->groupData['tables_modify'] or to the field by checking if the field is an exclude field and checking groupData['non_exclude_fields'].
But groupData is public but internal (so this generates warnings) and I am wondering if maybe I am missing some more general public API to do this. Also, I am not sure if I am missing some things: There are a lot of ways you can configure the access, such as editlock for the page, you can restrict access to edit fields for specific language, etc. etc.
I'm developing a basic recruitment-type website.
I have an "Apply" CustomForm attached with a contenttype("Job"), but I can't get access fields outside of the CustomForm widget. I'm trying to add the reference number or the url to the email within the workflow. Orchard shows {Content.Fields.Input-Reference} token, but it returns no value when used.
Should I overwrite the handler when the form is created or how can I access fields of other zones?
As far as I understand the question, you don't actually need to add a custom token to your module. Custom Forms module takes care of that for you and adds the tokens for fields itself. You just need to use them in the email module.
Just look for a tokens named like this:
Content.Fields.[FormContentTypeName].[FieldName]
Not that the tasks of adding custom tokens to the system and accessing them inside the workflow are particularly hard, mind you.
I am not 100% sure if this is as big an issue has I seem to think it is right now but I think I may of found an issue or at else an hole within the Inspect Element viewer within Chrome.
I was using (I have now changed my settings) hidden ID's to set a number of defaults, one was users levels, another was to make the user active by default.
However when I view these ID's within the inspect Element view and then changed the values, submitting the form would submit the NEW value to the server and not the value I had given it.
For Example:
I had something like the following within my code,
<input type="hidden" name="data[user][level][id]" value="1" id="MyID">
I then changed it within the Inspect view to,
<input type="hidden" name="data[user][level][id]" value="2" id="MyID">
Then I submitted the form and was surprised that the NEW value was submitted, I was always under the inpresion that hidden ID's where not changeable and the browser should only submit the default values held within.
I have now changed this to letting the database default to a basic user and then I can change the users setting has I want to. But in some cases this may not be an option, so I was hoping for an answer or some feedback about how to make this more safe.
Am I just a bit slow, are there better methods (different ones) to passing 'hidden' data from forms to the server?
I was thinking about maybe using JQuery to add the needed hidden fields to the forms once the user had selected / submitted the form, but i am not sure if this is 100% safe or even if its a good idea.
Any ideas / feedback are very welcome.....
Many Thanks,
Glenn.
I had the same problem passing the database data into a modal,the solution i know is to use jquery ajax to get the informations from the database requesting a file,adding them into variables and compare the variables
$.ajax({
url: "test.html",
context: document.body
}).done(function() {
$(this).addClass("done");
});
I used this code sample to do it.
Of course there are a few modifications to be done depending on your script
I found a better way of doing this, at lest in CakePHP. The CakePHP framework has inbuilt security calls. These in-built functions when added give you all sorts of stuff but the main reason I used them was to stop this sort of form tampering.
I am not 100% sure how it does this, but it adds a token to all forms and it checks to see if the form being submitted is right? Again not sure how the token works.
But here is the code I used ::
public function beforeFilter() {
$this->Auth->allow('index', 'SystemAccess');
$this->Security->blackHoleCallback = 'blackhole';
}
public function blackhole($type) {
$this->Auth->logout();
$this->Session->setFlash('Sorry a security issue has been detected, please try again or contact us for support.', 'default', array(), 'bad');
$this->redirect($this->Auth->redirect('/'));
}
Now I will add that the call the Auth logout I added to this for extra added security, as the user maybe have logged in on a system and it just not be them that is trying to do things that they should not.
Hope that helps others out!
But this is only a fix for when CakePHP is in use. I would take it that other frameworks would have their options but if your only using basic HTML? or a CMS like Drupal again there might be in built security.
Many Thanks
Glenn.
The only safe and best solution that I found for this issue is to check on the server side whether the user_id sent with the form is the same user_id logged in with or not.
Although using jquery is good idea, but, did not work with my case as am using data: $(this).serialize(),
However here's my code on the server side (Note, am using Laravel 5.4, but am sure it won't matter with your case)
if ($request->user_id != Auth::user()->id)
return json_encode("F**K YOU ! Don't Play Smart -_- !");
else
raw_material_category::create($request->all());
Hope this helped ;)
One of our clients wants to FE log in as two different users at the same time, using one browser. I think this is only possible when using two different browser. IS there any workaround?
Background is this: We wrote a FE extension where user can login and update some of their data. One client is a kind of superuser/admin. He wants to compare and edit data of several users at once.
Authentication in TYPO3 is performed by cookie fe_typo_user and therefore it is not possible to have two users logged in at same time from same browser.
You may advise to use different browsers or virtual machines for your client.
As Viktor wrote - it's not possible. Here I should finish the answer.
Anyway... while you are creating your own plugin you can easily add 'simulate mode' using for an example custom cookies... Block schema is:
[IF isAdmin AND simulateMode == false] {
Display admin's version
} [ELSE] {
Display common user's version
}
You can go even farther and switch the admin to simulate some chosen 'common' user, anyway make sure that will not violate some privacy police.