Passing parameters protecting form

Passing parameters protecting form

igor.pascual
Hi,

We have an application A under context A.
After the user logs in successfully to application A, the application redirects to an Orbeon form, passing parameters with info about the logged-in user.
https://xxx/orbeon/fr/test/testparameter/new?control-1=xxx&control-2=yyy

The Orbeon application is installed under context B. The Orbeon form receives these parameters and autofills some input fields.
These fields are read only.

We need to "protect" the form, that is, nobody can fill in the form without logging in to application A.
If we write the URL,
https://xxx/orbeon/fr/test/testparameter/new?control-1=xxx&control-2=yyy
we can access the form and fill some fields by modifying the request parameters. We must avoid this.

How can we achieve this?
Thanks in advance

Best regards, Igor

Re: Passing parameters protecting form

Alessandro  Vernet
Administrator
Hi Igor,

There are many ways to do this. One would be for your app, instead of passing those values to the form, to store them somewhere (e.g. in a database) associated with a token, and to pass that token to the form. Then the form calls a service you create that returns the data based on the token. This way, also, the user can't change the data. And if you don't want the user to be able to open that page multiple times, your service can remove the data from the database.

Alex
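
The token hand-off described in this reply, as an added example that is not part of the original thread or of Orbeon: application A calls `issue()` after login and the service the form calls uses `redeem()`. The class, the `token` parameter name, the five-minute lifetime and the in-memory dictionary standing in for the database are assumptions.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumed lifetime: long enough for the redirect, no longer


class PrefillStore:
    """Server-side map from an opaque token to the values application A vouches for."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._entries = {}  # token -> (expiry, values); a database table in practice

    def issue(self, values):
        """Application A, after login: store the values, return the token for the URL."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._entries[token] = (self._clock() + self._ttl, dict(values))
        return token

    def redeem(self, token):
        """Service called by the form: return the stored values, or None if invalid.

        The entry is removed on first use, so the same URL cannot be opened twice.
        """
        entry = self._entries.pop(token, None)
        if entry is None:
            return None  # unknown, already used, or never issued
        expiry, values = entry
        if self._clock() > expiry:
            return None  # issued but not redeemed in time
        return values


def form_url(base, token):
    """Only the token travels in the URL; the field values never do."""
    return f"{base}?token={token}"
```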

Re: Passing parameters protecting form

igor.pascual
Hi Alex

Thank you very much for your response.

Is there any other way of doing this without programming (only using the form builder)?

We have tried to pass to the form another parameter that is a hash obtained by joining the values of the parameters.
The form has an invisible input field that calculates the hash and compares it with the hash obtained in the parameter.
If the hash obtained is not the same as the hash received, it implies that the parameters have been modified, and the form should not be sent.
The problem is that the input field is not visible and therefore the restriction is not applied… is there any workaround?

Thanks in advance

Best regards, Igor
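
The parameter integrity check described in this post, as an added example that is not part of the original thread: it uses a keyed HMAC instead of a plain hash (the thread does not say which hash was used), so a matching value cannot be produced without the server-side key, and it length-prefixes the joined values so two different parameter sets never join to the same input. The key, the `sig` parameter name and the sample values are assumptions, and verification is assumed to run on the server.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Assumption: secret shared by application A and the verifying service, loaded
# from configuration in practice. Constructed value for this example only.
SECRET_KEY = b"constructed-example-key"
SIGNED_FIELDS = ("control-1", "control-2")  # parameter names from the thread's URL


def _canonical(params):
    # Length-prefix every name and value: ("ab", "c") and ("a", "bc") must not
    # serialise to the same bytes, which plain concatenation would allow.
    parts = []
    for name in SIGNED_FIELDS:
        for item in (name, params.get(name, "")):
            raw = item.encode("utf-8")
            parts.append(len(raw).to_bytes(4, "big") + raw)
    return b"".join(parts)


def _tag(params):
    return hmac.new(SECRET_KEY, _canonical(params), hashlib.sha256).hexdigest()


def sign_query(params):
    """Application A: build the query string with the `sig` parameter appended."""
    pairs = [(n, params.get(n, "")) for n in SIGNED_FIELDS]
    return urlencode(pairs + [("sig", _tag(params))])


def verify_query(query):
    """Verifying side: return the trusted values, or None if the check fails."""
    pairs = parse_qsl(query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        return None  # a repeated parameter name is ambiguous: reject outright
    received = params.get("sig", "").encode("utf-8")
    # Constant-time comparison of the recomputed tag with the received one.
    if not hmac.compare_digest(_tag(params).encode("ascii"), received):
        return None
    return {n: params.get(n, "") for n in SIGNED_FIELDS}
```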
Re: Passing parameters protecting form

Alessandro  Vernet
Administrator
Hi Igor,

Maybe you could make the field visible if the validation fails. It would maybe look a little weird (why do I suddenly have this field showing up?), but it would happen only if users fiddled with the request parameters, which shouldn't happen. (And if that bothers you, you could hide the input field with CSS.)

Alex

Re: Passing parameters protecting form

igor.pascual
Hi Alex

Thank you very much for your response.

It has been very useful.

We have modified the HTML to use CSS (style="visibility:hidden;") and the solution now works!!

Thanks!

Best regards, Igor