We are looking to integrate form runner into a grails project but are wanting a fine grained set of user access controls where we can tie each form to individual users for read/update/new/delete permissions. I have read the documentation for setting up role based security, but does anyone have some ideas on how to secure a form runner form not on a role but by the current user?

Could we intercept the request in the persistence layer and throw an error if the user does not have access? Or write some sort of filter to check the url against the user's allowed forms? Any suggestions for not just a solution but one that would work efficiently?

Regards,

Andy Kallenbach

--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws
I had a similar requirement for a rails project using orbeon. My application represents the persistence layer for orbeon (http://wiki.orbeon.com/forms/doc/developer-guide/form-runner/persistence-api) while acting as a proxy to the orbeon server (that is only accessible from my application server, not the internet).

An example request:

1. GET /forms/123
2. Application checks permissions for current_user on form 123
3. Application requests Orbeon for the HTML representation of the form
4. Application sends HTML representation back to the client
5. All static files (images, css, js) and xforms-server request is proxied through the application on apache level through ProxyPath directive

2011/8/5 Andrew J. Kallenbach <[hidden email]>:
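As an added illustration of step 2 above (this is example code, not the poster's application and not Orbeon's API), here is the kind of per-user, per-form authorization gate such a proxy could apply before relaying anything to Orbeon. It assumes the proxy has already authenticated the user, that Orbeon is reachable only through the proxy, and that document data requests arrive in the persistence API's `/fr/service/persistence/crud/<app>/<form>/data/<document-id>/...` shape; the user names, form name and grant table are constructed sample data.

```ruby
# Added example (not Orbeon's or the poster's code): the authorization gate a
# proxy in front of Orbeon's persistence API could apply per user and per form.
# Assumptions: the user has already been authenticated by the proxy; Orbeon is
# reachable only through the proxy; document data requests look like
#   /fr/service/persistence/crud/<app>/<form>/data/<document-id>/data.xml
# (adjust CRUD_PATH if your Orbeon version lays the path out differently).

CRUD_PATH = %r{\A/fr/service/persistence/crud/(?<app>[^/]+)/(?<form>[^/]+)/data/(?<doc>[^/]+)/}
PERSISTENCE_PREFIX = '/fr/service/persistence/'

# Per-user grants keyed by "app/form": constructed sample data, not a real ACL.
GRANTS = {
  'andy' => { 'hr/leave-request' => %i[read new update delete] },
  'lyle' => { 'hr/leave-request' => %i[read new] },
}.freeze

# Map the HTTP verb onto the four permissions from the original question.
# PUT means "new" for an unseen document id and "update" for a known one,
# so the caller passes the set of ids that already exist.
def action_for(method, doc_id, existing_docs)
  case method.upcase
  when 'GET', 'HEAD' then :read
  when 'PUT'         then existing_docs.include?(doc_id) ? :update : :new
  when 'DELETE'      then :delete
  end
end

# Returns [:forward, action] when the proxy may relay the request to Orbeon,
# or [:deny, status] when it must answer itself without contacting Orbeon.
def authorize(user, method, path, existing_docs)
  m = CRUD_PATH.match(path)
  if m.nil?
    # Fail closed on persistence calls this gate does not model (search, form
    # definitions, attachments); everything else is static or xforms-server
    # traffic that is not tied to one form and is relayed as-is.
    return path.start_with?(PERSISTENCE_PREFIX) ? [:deny, 403] : [:forward, :passthrough]
  end
  action = action_for(method, m[:doc], existing_docs)
  return [:deny, 405] if action.nil?
  granted = GRANTS.fetch(user, {}).fetch("#{m[:app]}/#{m[:form]}", [])
  granted.include?(action) ? [:forward, action] : [:deny, 403]
end
```

The decision is made before any request reaches Orbeon, which is what makes the "only accessible from my application server" arrangement above hold: a user who is denied never gets to talk to the form engine at all, and persistence paths the gate does not recognise are refused rather than relayed.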
Andy,

I am not sure if that helps, but we have recently implemented role-based permissions in Form Builder and Form Runner. http://wiki.orbeon.com/forms/doc/developer-guide/form-runner/access-control#TOC-With-Orbeon-Forms-3.10

But here you are saying you don't want to use roles?

-Erik

On Fri, Aug 5, 2011 at 2:51 PM, Andrew J. Kallenbach <[hidden email]> wrote:
Yeah, roles alone are no good.
By using roles rather than users to control access, it is impossible to restrict access to the originator of the form. You can either edit all the forms, or you can edit none.

It doesn't look like Orbeon has any way to grant access to the originator of a form without also granting that same access to all the forms.

I hope I'm wrong, because I was counting on allowing users to edit and delete their own forms.

Has anyone configured or extended Form Runner to use user-based access control?
Lyle,

You're not wrong, there is no user-based access control at the moment. It would be really good to have of course.

-Erik

On Wed, Feb 29, 2012 at 8:07 AM, Lyle Sidor <[hidden email]> wrote:
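Since Form Runner's built-in control is role-based only, the originator rule Lyle asks for has to live in the application in front of it. The following is an added example of such a rule (not Orbeon's code and not something the thread's participants posted): form-level grants for administrators, plus document-level ownership so that a user can read, edit and delete the documents they created and nobody else's. It assumes the caller has already authenticated the user and reduced the request to one of `:read`, `:new`, `:update`, `:delete` and a document id; the owner table is in memory here and the user names are constructed.

```ruby
# Added example (not Orbeon's code): document-level ownership layered on top of
# form-level grants, so the originator of a document can read, edit and delete
# it without every user of the form getting the same access. Assumes the caller
# has already authenticated the user and mapped the request to one of
# :read, :new, :update, :delete plus a document id; the owner table is kept in
# memory here and would live in the application's database in practice.

class OwnerPolicy
  def initialize(admins:, creators:)
    @admins   = admins    # users with form-wide access to every document
    @creators = creators  # users who may create new documents of this form
    @owners   = {}        # document id -> user who first saved it
  end

  def allowed?(user, action, doc_id)
    return true if @admins.include?(user)
    case action
    when :new                    then @creators.include?(user) && !@owners.key?(doc_id)
    when :read, :update, :delete then @owners[doc_id] == user
    else false
    end
  end

  # Authorize a save. A save to an unknown id is a create and records the
  # originator; a save to a known id is an update and never re-assigns the
  # owner, so a second user cannot take over a document by "creating" its id.
  def save(user, doc_id)
    if @owners.key?(doc_id)
      allowed?(user, :update, doc_id) ? :update : :denied
    elsif allowed?(user, :new, doc_id)
      @owners[doc_id] = user
      :new
    else
      :denied
    end
  end

  # Ids the user may see, e.g. to filter a summary page to the user's own documents.
  def visible_documents(user)
    return @owners.keys if @admins.include?(user)
    @owners.select { |_id, owner| owner == user }.keys
  end
end
```

The point of `save` distinguishing create from update by whether the id is already known is that a PUT to an existing id must never re-record the owner; otherwise anyone who learns a document id could claim it. `visible_documents` is what a summary listing would be filtered through so that a user only ever sees their own documents, which is the behaviour the role-based scheme cannot express.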
A suitable alternative may be to allow all users to see the new page and the edit page, but restrict the summary page so that either nobody, or only a certain group of users can see it. I believe Orbeon already supports this.
However, currently the user cannot see his edit page unless he can see the summary page. If the "Save" button simply redirected to the edit page after a successful save then the user could bookmark it and come back to it via the bookmark. And nobody else would be able to know of its existence unless they were sent the URL or could see the summary page.

This seems like it should be extremely easy to implement via a simple change to the Form Runner code. Or could it even be implemented right in the form definition with a custom save button that does the re-direct to the edit URL?
This is the case already, for browsers which support replaceState (NOT IE 6/7/8/9, curse Microsoft): as soon as you save, the URL bar of the browser shows the edit URL. A redirect could be done too, but would reload the page from the server.

-Erik
Quick follow-up: I wonder if the following could be used to add support for the history API for IE: https://github.com/balupton/history.js

-Erik

On Mon, Jul 2, 2012 at 11:27 PM, Erik Bruchez <[hidden email]> wrote:
Firefox (Linux and Windows) always shows the original "new" URL in the address bar after a successful save. I've never seen the "edit" URL after a successful save no matter what browser I've been using.
How can I redirect to the edit URL after a successful save?
It turns out this was added post-3.9: https://github.com/orbeon/orbeon-forms/commit/5dbcc3cf624f8004596f7926ecdf260a69706676

You could backport that to your build maybe. For a full redirect, you could use instead the xforms:load action there.

-Erik

On Tue, Jul 3, 2012 at 6:40 AM, Lyle Sidor <[hidden email]> wrote: