Help! How to mask fabrik form/record ID in URL

libuyi2008

New Member
Hello, thank you for the forums, I really learned a lot.
I have a new question. I want to send each customer a URL of a form with their own information, respectively; then they will input other fields and submit. The URL is automatically generated like www.xxx/form/29/{tablename___id}, e.g. the URL is like www.xxxx/form/29/11. With this kind of URL it is very easy to change the last number "11" to another number and see other customers' information. Could I use another unique field (e.g., a random number) to replace the primary key "tablename___id" in the URL?

Thank you in advance.

Best regards
 
Everybody can edit URLs and access lists and list records if you don't set list access levels and/or prefilters.
Even if you create a "complex" URL (you can by using "usekey" and e.g. a hash value) you can access the data via a simple URL.

So if your customers are Joomla users the easiest way is to add a prefilter showing only "own" records to the user.
 
Exactly what Troester said. Which is why I asked if we are talking about authenticated users. If you are, you can set list ACLs and pre-filters to prevent anyone accessing records they shouldn't. As Troester says, even if you set up some less obvious URL, it doesn't remove the ability of anyone to add ?option=com_fabrik&view=details&rowid=123 to your site URL and see whatever they want. That's just how Joomla components and extension routing work, and is public knowledge - anyone who has ever used Fabrik knows the URL format. Same way anyone can see any article on J! they have access to by appending option=com_content&view=article&id=123, whether you have them visible on a menu or not ... if you haven't protected it with actual enforceable authentication.

It is possible to implement a 'token' type system for guest users, by rolling your own code with plugins. On submission, create a unique token (random string) and store it in an element on the form. Add that to the URL you send in email. And in a form load plugin, when they hit your URL (with the rowid=X&token=ch75hfg64) take the rowid, look up the corresponding token for that row in the database, and make sure they match. But that's a couple of hours work. If your users are authenticating, you can do it with a pre-filter and an ACL in 10 seconds.

-- hugh
 
I think I need the 'token' type system for guest users. I know how to get a random string in a field element, but I don't know about "And in a form load plugin, when they hit your URL (with the rowid=X&token=ch75hfg64) take the rowid, look up the corresponding token for that row in the database, and make sure they match." Is there such a form load plugin in Fabrik?

Best regards
 
I don't know code very much. I drafted a small PHP code in the PHP plugin, but it doesn't work. The Fabrik component is blank; other page modules are OK.

I think the URL should be like this, adding &token= after rowid=8 (am I right?)

http://localhost/kkk/index.php?option=com_fabrik&task=form.view&formid=29&rowid=8&token=kCzJbtwv6p

Process script is onload, PHP file is none selected, require once is none.

I assume the field name of random string is "token", PK name is "id".

PHP code is:
<?php
$id = $_GET['rowid'];
$token = $mysql_query("SELECT token FROM tablename WHERE id=$id");
if($token == $_GET['token']){
$formModel->data;
}
?>
Please help me to correct the PHP code. Thank you in advance.

Best regards
 
We don't really do custom coding in Standard support, that's Pro level support.

Try this, but if you need more support, you'll need to bump up to Pro.

Code:
$app = JFactory::getApplication();
$token = $app->input->get('token');
if (!empty($token)) {
   $rowid = $this->getRowId();
   $myDb = JFactory::getDbo();
   $myQuery = $myDb->getQuery(true);
   $myQuery->select('token')->from('tablename')->where('id = ' . $myDb->quote($rowid));
   $myDb->setQuery($myQuery);
   $dbToken = $myDb->loadResult();
   if ($dbToken == $token) {
      return true;
   }
}
$app->enqueueMessage("Go away!");
return false;

-- hugh
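As an added example (not Hugh's code and not part of Fabrik), here are both halves of the token scheme described above as two Fabrik PHP form plugin scripts: one run at onBeforeProcess to issue and store the token, one run at onLoad to check it. It assumes Joomla 3 / Fabrik 3 APIs, a list table `tablename` with columns `id` and `token`, and a token element whose full name is `tablename___token`.

```php
<?php
// Added example; not code from the thread or from Fabrik itself.
// Assumptions: Joomla 3 / Fabrik 3 APIs, a list table `tablename` with
// columns `id` (PK) and `token`, and a token element named `tablename___token`.
defined('_JEXEC') or die;

// Script 1: PHP form plugin instance run at "onBeforeProcess".
// Issues a 128-bit random token the first time the record is saved and
// writes it into the form data so Fabrik stores it with the row.
function fabrikExampleIssueToken($formModel)
{
    $data = $formModel->formData;
    if (empty($data['tablename___token'])) {
        $token = bin2hex(random_bytes(16)); // CSPRNG, 32 hex chars
        $formModel->updateFormData('tablename___token', $token, true);
    }
}

// Script 2: PHP form plugin instance run at "onLoad".
// Returns true only when ?token= in the URL matches the token stored for
// the requested rowid; otherwise queues an error and returns false so
// Fabrik does not render the record.
function fabrikExampleCheckToken($formModel)
{
    $app   = JFactory::getApplication();
    $token = (string) $app->input->get('token', '', 'string');
    $rowId = (int) $formModel->getRowId();

    if ($rowId > 0 && $token !== '') {
        $db    = JFactory::getDbo();
        $query = $db->getQuery(true)
            ->select($db->quoteName('token'))
            ->from($db->quoteName('tablename'))
            ->where($db->quoteName('id') . ' = ' . $rowId); // int-cast above
        $dbToken = (string) $db->setQuery($query)->loadResult();

        // hash_equals: strict, constant-time comparison instead of loose ==
        if ($dbToken !== '' && hash_equals($dbToken, $token)) {
            return true;
        }
    }

    $app->enqueueMessage('Access denied.', 'error');
    return false;
}
```

Use `fabrikExampleIssueToken($formModel);` as the body of the onBeforeProcess plugin instance and `return fabrikExampleCheckToken($formModel);` as the body of the onLoad instance. If you paste this into the plugin's code box instead of a PHP file, drop the `<?php` line.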
 
Ooops, yeah. That's the problem with writing code off the top of my head in the forum editor. If I did that in PHP Storm, it would flag it as an error as I wrote it.

I edited the post to correct it.

Thanks for spotting that.

-- hugh
 