Insert only form?

[Matthew51]

I use a form to that allows users to register them selfs with the web site.  However a clever individual could use this same form to view or even change the information of other users.

What is the best way to prevent this kinda of action?

[Bruce]

Hi Mathew,

In the top embed point test p_stage for the preupdate and predelete possibilities, and return out.

(right-click, choose source, and look at the code generated at the top of the form.)

Cheers
Bruce

[Matthew51]

I tried this by putting the following code in at the start of the processed code:

  if band(p_stage, Net:CopyRecord) = Net:CopyRecord or |
     band(p_stage, Net:ChangeRecord) = Net:ChangeRecord or |
     band(p_stage, Net:DeleteRecord) = Net:DeleteRecord
    Return -3
  end

It still opened up the form to change a record.

I tested the value of p_stage.  Without the return statement I get the following sequence:
8192
16384
8192
1026
0

With return -3 I get:
8192
16384
8192
1026
0
8192
16384   
8192
1025

[Matthew51]

I've tried a slightly different idea that looks to be working.  I the same embed I put:

Code: [Select]

  if p_web.IfExistsValue('Change_btn') and p_web.getvalue('Change_btn') <> 'Insert'
    return -3
  end


[Bruce]

Hi Matthew,

I think you've shown this is harder to be than it needs to be. I'm adding some code to NT 5 to let you specifically remve Insert or Change behaviour on a form. If the respective code is simply not generated then that's probably the safest approach.

Alas though, the change is too major to get into version 4.

Cheers
Bruce