Added "View Details" button on form next to print/pdf/ -> Security Issue: can view any user's record

Basdub

Wow really didn't know how to put that in a short sentence.

I have a form that loads with the key set to -1 and the key name set to my "user_id" field, to load the record of the current user.

I added, in my template, a button to show a detail view of the record. The only way to do this that I've found so far was to add rowid='the rowid corresponding to the currently logged-in user' to the request, like this:

myweb/index.php?option=com_fabrik&tmpl=fabrik_details_general&view=details&formid=1&layout=sdc_details_general&rowid=3

the tmpl is a component template.

Once the page is loaded, I can simply change the rowid value in the address bar of my browser and view the record of any other user.

Is there a way I could load the data somewhere using the rowid for the currently logged-in user? In other words, once the default.php file of my details view template is reached, the form and the data are already loaded. Could I prevent that and/or replace it with the appropriate rowid, one that is not changeable on the client side?
 
Hi,

Have you thought of preventing the form from loading if rowid != logged-in user id? I'd use a PHP plugin that would happen "onBeforeLoad":

1) Compare rowid with the logged-in user's id
2) If they're not the same, the form isn't loaded and you display an error message
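One way to write that onBeforeLoad check, as an added example that is not code from this thread or from the Fabrik project. It is the body of a Fabrik "PHP" form plugin set to run on onBeforeLoad (no opening <?php tag, as the plugin box takes raw PHP). Rather than comparing rowid directly with the user id, it looks up the owner of the requested row, because rowid is the table's primary key and need not equal the user id. Everything named below that the thread does not mention is an assumption: the table #__user_profiles, its columns id and user_id, and the Joomla 3 / Fabrik 3 APIs (JFactory, JText, JRoute).

```php
/*
 * Added example, not from the thread or the Fabrik project: a Fabrik
 * "PHP" form plugin body for the onBeforeLoad event. It refuses to load
 * the form/details view unless the row requested via ?rowid=... belongs
 * to the logged-in user.
 *
 * Assumptions (hypothetical, not stated by the thread):
 *   - the list's table is #__user_profiles, primary key `id`,
 *     owner column `user_id`
 *   - Joomla 3 / Fabrik 3 APIs (JFactory, JText, JRoute)
 */

$app   = JFactory::getApplication();
$user  = JFactory::getUser();
$input = $app->input;

// Deny helper: show the stock Joomla "not authorised" message and leave.
// A closure is used instead of a named function because plugin code may
// be evaluated more than once per request and would hit "cannot redeclare".
$deny = function () use ($app) {
    $app->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'error');
    $app->redirect(JRoute::_('index.php'));
};

// Read rowid from the request as Joomla saw it; never trust client-side state.
$rowid = $input->getString('rowid', '');

// rowid=-1 tells Fabrik to load by a key (e.g. usekey=user_id), not by an
// arbitrary primary key, so there is nothing to check in that case.
if ($rowid === '' || $rowid === '-1') {
    return;
}

// Guests (id 0) own no records: deny outright.
$userId = (int) $user->get('id');
if ($userId === 0) {
    $deny();
}

// Look up the owner of the requested row. rowid is cast to int so it
// cannot carry injection payloads; nothing else from the request is used.
$db    = JFactory::getDbo();
$query = $db->getQuery(true)
    ->select($db->quoteName('user_id'))
    ->from($db->quoteName('#__user_profiles'))
    ->where($db->quoteName('id') . ' = ' . (int) $rowid);
$db->setQuery($query);
$ownerId = $db->loadResult();

// Unknown row, or a row owned by somebody else: refuse to load it.
// This runs for every user, Super Users included, which matters because
// the list access check on its own grants a Super User any record.
if ($ownerId === null || (int) $ownerId !== $userId) {
    $deny();
}

// Owner matches: let Fabrik continue loading the form.
return;
```

The check is deliberately independent of the list access settings and prefilters: the prefilter approach stops a regular user from seeing other rows, but a PHP check like this is what you want if the requirement is "no matter what the user tries, he will only see his record", including while logged in as a Super User.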
 
It's the principle of Joomla (and not only Joomla I think) that you can call everything via URL.

So if you have a J! article containing internal info that is called by a menu item only accessible to superadmins, everybody can read this article (via URL, by guessing the article ID) as long as you don't set the article access to e.g. superadmin.
Or everybody can call a menu item directly, even if the menu (module) itself is hidden or displayed only to admins.

Same with Fabrik:
everybody can call any list/record via URL.
It's up to you to set the correct list access settings and prefilters.
So add a list prefilter user_id(raw) EQUALS {$my->id} and list access settings as you need.

The details view can be called the same way as the form:
myweb/index.php?option=com_fabrik&tmpl=fabrik_details_general&view=details&formid=1&layout=sdc_details_general&rowid=-1&usekey=user_id
 
Great ideas, I will give it a shot.
I'll experiment with the access settings and prefilters.
I also like the php onBeforeLoad approach, it is less obvious from the client.

I wasn't sure about the rowid=-1 and usekey=user_id. I prefer an approach so that no matter what the user tries, he will only see his record.

Thanks
 
Well, I've learned a few things today. I've come to have a better understanding of the access of forms and details. I had set the list edit access to user_id and got the behavior mentioned above.

What happened is that I was now logged in as Superuser. :) and
form->checkAccessFromListSettings(); returned "granted" for superuser.

With a regular registered user, I wasn't able to access other records.

After finding this comment in form.php:

/*
* $$$ hugh - need to call this here as we set $this->editable here, which is needed by some plugins
* hmmmm, this means that getData() is being called from checkAccessFromListSettings(),
* so plugins running onBeforeLoad will have to unset($formModel->_data) if they want to
* do something funky like change the rowid being loaded. Not a huge problem, but caught me out
* when a custom PHP onBeforeLoad plugin I'd written for a client suddenly broke.
*/

.... inside the render() function, I gave it a shot at deleting $formModel->data, and even more is required, like deleting $formModel->query and setting $formModel->setRowId(newRowId);

I still couldn't pass the form->checkAccessFromListSettings();

I have stopped there for the moment.
 
Not sure what you are trying to do.
All access settings can be handled by setting list access and prefilters.

You may add additional access levels to Joomla to get some more possibilities to grant access / apply prefilters.
I usually have an access level "nobody" (assigned to no user group), and superadmin and no-superadmin.
But this is Joomla ACL, nothing Fabrik specific.
 