Meir
Posted: 03/05/2002, 12:41 AM
I have a record form.
Delete button should appear only if security level is 3.
Can form buttons change via custom events, or is it set at
page generation?

Nicole
Posted: 03/05/2002, 1:41 AM
|
Meir,
The easiest way is to create two similar forms, with and without the 'Delete' button. Then show/hide the forms depending on user rights. Refer to the following article to find out how to do it: http://www.gotocode.com/art.asp?art_id=54&

Meir
Posted: 03/05/2002, 2:01 AM
|
Nicole,
I knew that, I was looking for an elegant solution.
Thanks for your help.

Brent
Posted: 03/05/2002, 2:51 PM
|
Nickita wrote this a while ago. I haven't tried it so I can't say if it works.
You can easily hide Insert, Cancel, Update and Delete (these buttons can be hidden together only) buttons in template versions the same way as used to hide the forms. E.g. (for PHP), to hide the "Insert" button you should create a CustomShow event and add the code
$tpl->set_var("Form_NameInsert", "");
right after the line
$tpl->parse("Form_NameInsert", false);
To hide Cancel button use:
$tpl->set_var("Form_NameCancel", "");
To hide Update and Delete buttons use:
$tpl->set_var("Form_NameEdit", "");
And also you can create 2 forms (one with Update button and one with Delete button) and show/hide them depending on user rights.

Meir
Posted: 03/06/2002, 1:54 AM
|
I'll have to go with separating the forms.
I was able to hide the buttons with the template option, but
nothing prevents a smart user from circumventing this by passing the
parameters in the URL (the page is using Low level security as it
should cater to both security levels) with something like:
....&FormName=_FormName_&FormAction=delete&PK_pk_field_name=PKValue.
If these parameters are passed to the form using the hide button method, the
record will be deleted !!!! Needless to say, this is bad...
In this case the best solution is to have different pages with the
correct Security level for each of them (a page to view, a page to
edit and a page to edit/delete).
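
The bypass described above works because hiding a button only changes the rendered HTML; the delete handler still runs for any request that names it. As an added example (not part of the original thread and not CodeCharge-generated code), here is a server-side check that gates each form action on the security level held in the session. The session key `SecurityLevel`, the function names, the sample request values and the levels required for insert and update are assumptions.

```php
<?php
// Added example. Assumption: the user's security level is written to
// $_SESSION['SecurityLevel'] at login and never taken from the request.

// Minimum level per action. Delete => 3 is the rule from the thread;
// the insert/update values are assumed for illustration.
const REQUIRED_LEVEL = [
    'insert' => 2,
    'update' => 2,
    'delete' => 3,
];

// Decide from server-side state only; unknown actions are denied.
function is_action_allowed(string $action, int $userLevel): bool
{
    $action = strtolower($action);
    if (!array_key_exists($action, REQUIRED_LEVEL)) {
        return false;
    }
    return $userLevel >= REQUIRED_LEVEL[$action];
}

// Returns the action to execute, 'show' when none was requested,
// or 'denied' when the session's level is too low for it.
function handle_form_action(array $request, array $session): string
{
    $action = $request['FormAction'] ?? '';
    if (!is_string($action) || $action === '') {
        return 'show';
    }
    $level = (int)($session['SecurityLevel'] ?? 0);
    if (!is_action_allowed($action, $level)) {
        // Record the attempt; json_encode keeps the logged value on one line.
        error_log('denied form action ' . json_encode($action) . " at level $level");
        return 'denied';
    }
    return strtolower($action);
}

// Constructed request mirroring the URL from the post above.
$forged = ['FormName' => 'Records', 'FormAction' => 'delete', 'PK_record_id' => '42'];

echo handle_form_action($forged, ['SecurityLevel' => 1]), "\n";
echo handle_form_action($forged, ['SecurityLevel' => 3]), "\n";
```

Calling `is_action_allowed()` from the CustomShow event as well keeps the button display and the enforcement on the same rule.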

Brent
Posted: 03/06/2002, 11:58 AM
|
>>I was able to hide the buttons with the template option, but
nothing prevents a smart user from circumventing this by passing the
parameters in the URL (the page is using Low level security as it
should cater to both security levels) with something like:
....&FormName=_FormName_&FormAction=delete&PK_pk_field_name=PKValue.<<
Yes, parameter security is pretty much non-existent. Parameters in the URL (GET),
HTML file (POST) and even cookies can be edited by the user or hacker.
But there is a solution that makes all your parameters uneditable thwarting
any attempts by the user or hacker to bypass security. I posted a suggestion
on this yesterday in the "Wish List" but it hasn't been released yet.
I'll post it here under the thread "Prevent hackers from spoofing..." to see
what the public reaction is. If CC implements it, it will make CC sites a lot
more secure.