Hi, All:
Refer to the instruction in Showing Process Instance (List Record) Data in a Form.
I found that a user just needs to change the id number in the URL, then he can see all the content of the forms that were submitted by other people.
For example:
How can I prevent this ?
Appreciate your kindly help.
Best Regards
Jonathan Yang
Walter
Guess we need to enforce some sort of permission checking.
At the form the "applicationForm" item that is pointing to, open up the form in the form builder, go to "Properties", then "Permission" and implement your logic of validating the user in there.
"applicationForm" is presumed to be a "Form Userview Menu"
Jonathan Yang
How about adding another parameter in the URL to prevent users attempting to see the forms submitted by others?
For example:
http://localhost:8080/jw/web/userview/leaveApp/userview//applicationForm?id=21164_leaveApp_applyLeaveProcess&dateCreated=20130802141900
If the second parameter doesn't match the dataset, then redirect to a warning page.
It's my gentle suggestion, hope you can consider it.
Sincerely
Jonathan Yang
Hugo
Hi there,
Thanks for your suggestion, we may consider this in the future product development.
FYI, up to the Form itself, there are already multiple layers of permission control and checking in place.
1. Userview itself
2. Userview category
3. Form itself
4. Form section
Thanks
Hugo
Jonathan Yang
Hi :
I tried to use another column as the parameter, but it just showed a new application form. It seems Joget can only accept id as the parameter.
Thank you.
Best Regards
Jonathan Yang
Hugo
Hi Jonathan,
You will need to make the appropriate changes to the source code first if you want to implement your extra checking logic. You may start with FormMenu.java. Please see https://github.com/jogetworkflow/jw-community/blob/3.1-SNAPSHOT/wflow-core/src/main/java/org/joget/apps/userview/lib/FormMenu.java
Good luck.
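The check Walter and Hugo describe (validating the current user against the record before the form is rendered, whether in the form's Permission settings or in a patched FormMenu) is shown below as an added example; it is not Joget code and not from this thread's participants. The record store, the usernames and the `isAuthorized` signature are assumptions constructed for illustration; only the record id comes from the thread.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not Joget's own code: an ownership check that must run
// server-side before a record named by the "id" URL parameter is shown.
// The record store and the current-user value are constructed sample data.
public class RecordOwnershipCheck {

    // Constructed sample: record id -> username of the person who submitted it.
    // In a real deployment this comes from the form data table, never from the URL.
    private static final Map<String, String> RECORD_OWNERS = new HashMap<>();
    static {
        RECORD_OWNERS.put("21164_leaveApp_applyLeaveProcess", "jonathan");
        RECORD_OWNERS.put("21165_leaveApp_applyLeaveProcess", "walter");
    }

    /**
     * Returns true only when the record named by the "id" request parameter
     * exists and was submitted by the authenticated user. A missing id, an
     * unknown id and an anonymous user are all denied, so editing the id in
     * the URL cannot expose another submitter's data, and an unknown id does
     * not fall through to the "show a blank new form" behaviour.
     */
    public static boolean isAuthorized(String currentUser, Map<String, String> requestParams) {
        if (currentUser == null || currentUser.isEmpty()) {
            return false; // anonymous: deny
        }
        String id = requestParams.get("id");
        if (id == null || id.isEmpty()) {
            return false; // no record named: deny
        }
        String owner = RECORD_OWNERS.get(id);
        return owner != null && owner.equals(currentUser);
    }

    public static void main(String[] args) {
        Map<String, String> params = new HashMap<>();
        params.put("id", "21164_leaveApp_applyLeaveProcess");
        System.out.println("jonathan on own record: " + isAuthorized("jonathan", params));
        System.out.println("walter on jonathan's record: " + isAuthorized("walter", params));
        params.put("id", "99999_leaveApp_applyLeaveProcess");
        System.out.println("jonathan on unknown id: " + isAuthorized("jonathan", params));
        System.out.println("anonymous: " + isAuthorized(null, params));
    }
}
```

Comparing the owner stored with the record against the session user is the check that closes the gap; a second guessable URL parameter such as dateCreated is not a substitute, because it is still under the requester's control.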