I have a question about passing parameters from report datapages. I have a gallery datapage that allows users to select a project to work on. There is a link attached to each project, which passes the project ID as a query string. It works. The gallery is filtered so users only see projects that they have permission to access.
However, this means that the project ID is visible. I think this hampers security - if someone else saw this project ID then they could potentially use it to log into a project that they don't have permission to access.
I think my options are:
Have the gallery datapage pass through to a new submission datapage, and use a secondary code as the query string (not the main project ID). The submission datapage then ensures that the user has permission to access the project (checking on a Match table), and if so passes them through to the main project page, passing the Project ID through as an internal parameter. This way the project ID is kept secure, and only users with correct permissions can access the project. However, it's a bit fiddly, uses an extra data page, and I still reveal the secondary code to users.
Convert my gallery datapage to a submission page, so that the project ID is passed internally. However I then lose all the benefits of having a gallery report... I can use a cascading dropdown for users to select projects, but I can't show additional project details for each of the projects.
You can post now and register later.
If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.
Question
oliverk
Hello
I have a question about passing parameters from report datapages. I have a gallery datapage that allows users to select a project to work on. There is a link attached to each project, which passes the project ID as a query string. It works. The gallery is filtered so users only see projects that they have permission to access.
However, this means that the project ID is visible. I think this hampers security - if someone else saw this project ID then they could potentially use it to log into a project that they don't have permission to access.
I think my options are:
Does anyone have any thoughts?
Many thanks!
Link to comment
Share on other sites
8 answers to this question
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.