NetTalk Central
NetTalk Web Server => Web Server - Ask For Help => Topic started by: Alberto on March 06, 2014, 01:24:02 PM
-
Hi,
NT6.55
I need to limit the access of a logged-in user to a form that is not its property.
Suppose a logged-in user tries to access a record from another user by typing:
http://127.0.0.1:88/uPatient?change_btn=change&dat:id=1
Then I check for that in the "only serve if", returning a -3 if the page must not be served, with some code like:
If (p_stage=ChangeRecord + NET:WEB:StagePre or p_stage=DeleteRecord + NET:WEB:StagePre)
  if VerCliUser(DAT:ID_MAIN_CLINIC,p_web.gsv('login_id')) = false
    Return -3
  end
End
I've verified that the return -3 is executed but the page is served.
This code used to work on an earlier version of NTWS.
Anything I can change to make it work?
Thanks
-
I'm sorry, I don't understand the question.
cheers
Bruce
-
Sorry,
Suppose you have two users, each one logs in with its own user/pass.
There is a Patients table in which each user adds its patients, and they can see only their own patients because of the browse filter.
But if any user types in the explorer:
http://YourServer/uPatient?change_btn=change&dat:id=1
and the patient with that dat:id is from another user, they can see and change a patient which they do not own.
Is it more clear?
Thanks
-
Using sequential ID numbers is not recommended. Also, there are some changes in NT7 to avoid the problem you describe.
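
The ownership check and the non-sequential identifiers discussed above, as an added example in Python (not NetTalk or Clarion code, and not part of any post in this thread). All names (`Session`, `browse`, `authorize`, `open_form`, `save_form`) and the sample data are hypothetical, and per-session random references are one assumed way to avoid sequential ids.

```python
import secrets

PATIENTS = {  # constructed sample data: two clinics, sequential ids
    1: {"name": "Patient A", "clinic": "clinic-a"},
    2: {"name": "Patient B", "clinic": "clinic-b"},
}
USER_CLINIC = {"alice": "clinic-a", "bob": "clinic-b"}  # constructed logins


class Session:
    """State for one logged-in user, holding the record references issued to it."""
    def __init__(self, user):
        self.user = user
        self.refs = {}  # random reference -> real record id

    def ref_for(self, record_id):
        ref = secrets.token_urlsafe(16)  # unguessable, unlike dat:id=1
        self.refs[ref] = record_id
        return ref


def browse(session):
    """List (reference, name) for the logged-in user's own patients only."""
    clinic = USER_CLINIC[session.user]
    return [(session.ref_for(pid), rec["name"])
            for pid, rec in PATIENTS.items() if rec["clinic"] == clinic]


def authorize(session, ref):
    """Resolve a reference and re-check ownership server-side; None if denied."""
    record = PATIENTS.get(session.refs.get(ref))
    if record is None or record["clinic"] != USER_CLINIC[session.user]:
        return None
    return record


def open_form(session, ref):
    """Serve the form: 404 for unknown and foreign records alike."""
    record = authorize(session, ref)
    return (200, dict(record)) if record else (404, None)


def save_form(session, ref, changes):
    """Apply a change; the same check runs again, not only when the form opens."""
    record = authorize(session, ref)
    if record is None:
        return 404
    record.update(changes)
    return 200
```

A reference copied from one login, or a typed record id, does not resolve in another login's session, and the ownership comparison still runs even if a mapping exists.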
-
Thanks Kevin,
Where can I read about this new NT7 feature?
Regards
-
see FAQ W4
-
michelis
http://capesoft.com/docs/NetTalk7/NetTalkWebFAQ.htm#W4
-
Thank you very much,
I realized that this method exists in NT6 too.
The goal would be an option for the form to work only if it is called with the _bdiv_ param.
This will avoid the use of xxx:id=nn
Maybe this is what NT7 has?
Thanks
-
NT7? That's soooo yesterday....
-
You can only say that tomorrow :)
-
ok, ok NT8
but how about my idea?