Hide row id in url

sogescomputer

Hi,

I have a list of employees and at the end of each row I have a custom button with this PHP code:

$app = JFactory::getApplication();
$ids = $app->input->get('ids', array(), 'array');
$id = array_shift($ids);
$app->redirect('index.php?option=com_fabrik&view=form&formid=13&rowid=' . $id);

With $id I then edit another form: it works, but I would like to avoid showing the row id in the URL to users.

How can I avoid this?

thanks
 

You can't. You have to provide the rowid, otherwise we have no way of knowing what row you want to load.

The only possible alternative is to use some other unique identifier as the key. So if (say) you had a field with their email, or their J! username, you could use something like &usekey=username&rowid=hugh, or &usekey=email&rowid=hugh.test@test.test. But that's probably even worse than having a rowid.

What troubles you about having the rowid on the URL? If it's a security issue, remember that when that form loads, the row id is going to be exposed in the source of the page anyway, as the form has to know the rowid in order to submit it correctly.

-- hugh
 
You can enforce per user access controls by adding a user element, and setting the edit access in the list access settings to "use field" with that element.

 
I too would like to do something like this and think I have a legit use-case for it. Like this poster, I would like the 'public'/non-logged-on user to be able to edit just their own record, so stopping it at the Fabrik access control isn't possible for this use-case.

My specific use case is that a guest can edit their contact info if they know the email and arrival date of their reservation. The chances of someone being able to guess that combination en masse would be remote or none.

I have a form (call it form 1) where they type this info and it looks up the rowid. Then it redirects to the form (call it form 2) that allows the editing of that record. The issue is that the 'rowid=xxxx' is right there in the URL, visible in the browser (and if not, in the source or DOM), so someone could change the number by one and probably hit another record if they knew just a little about URLs and had ill intent.

In my case, I don't want my guests to have to create a userid on my system (one more userid and password to remember) in order to be able to access it. I have determined that knowing their email and arrival date is their 'password', and by having that they should be able to edit just that record; that is what I'm after. And this is just their contact info, not CC or payment info or anything sensitive, so I'm mainly concerned about a competitor gaining read access to my customer list, or even being able to change it.

So how about this approach: on form 1, I pass the email and arrival date as 2 more parameters when I call form 2. Then on form 2, I have an onLoad form plugin that checks the email, arrival date and rowid passed in, and if they aren't a match, displays an 'unauthorized' message. So the only way to display form 2 (which allows public editing) is by passing an email and arrival date that match the rowid.

If I did that, I don't think users would be able to use form 2 at all without passing in the right combination of variables, which is more complicated than just a rowid (that is most likely sequential, so easily guessed).

Sound right?
 
If it's useful to others (and for any hole-poking), I implemented the approach above and it seems to meet my needs for this use-case. I am no security expert, but it's definitely more secure than it was before and I can't think of an easy way to hack it.

My overall approach was to put in a PHP form plugin that runs 'onLoad' on the form that allows public editing. The plugin runs various checks for legitimacy and dies if it doesn't like what it sees. This happens before the Fabrik access control takes over, so it allows me to provide access to form data for public/non-logged-on users with control over giving access.

The simplest example of my approach would be to add (to an onLoad form plugin) just this:
// don't allow access directly by typing in the URL
if (!isset($_SERVER['HTTP_REFERER'])) die('not authorized');
// only allow access that is redirected from a URL that is expected
if ($_SERVER['HTTP_REFERER'] != 'https://www.domain.com/expectedurl') die('not authorized');

The first keeps the form from being executed by directly typing its URL. The 2nd requires it to arrive from a specific other form, which seems hard to fake.

In my own form, as a 3rd check, I go on to check that other parameters have been passed in addition to rowid, and also that they have been specified correctly by the calling form/link. Then I fail/die if the rowid and the other data passed in don't check out. So that data essentially is a password to the row that the user can edit. In my case, if you know the email and arrival date of the record, you are allowed to edit it.
 
You can also (or additionally) add a list prefilter (eval) with PHP code checking the URL parameter(s).
I did this with an element storing a hash code and so allowing Guest users to edit their "own" record (contact info for a newsletter) if the URL contains the hash parameter (provided in a link in the email).
 
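The two approaches above (email + arrival date as the "password" to a row, and an unguessable per-row hash carried in the URL) can be checked in one place. The following is an added example, not code from the thread or from Fabrik itself; it assumes a hypothetical reservation table with email, arrival and token columns, and stands in a constructed array for the rows a real onLoad plugin would fetch from the list's table via JFactory::getApplication()->input and the database.

```php
<?php
// Added example: verify that the rowid in the request belongs to the guest
// presenting either email + arrival date or the row's secret token, rather
// than relying on HTTP_REFERER (which the client controls and may omit).

// Constructed sample rows standing in for the reservation table.
$rows = [
    101 => [
        'email'   => 'guest@example.test',
        'arrival' => '2024-05-01',
        // Token as stored in a hidden element; generated once per row from
        // random bytes and mailed to the guest in a link (constructed here).
        'token'   => hash('sha256', 'constructed-random-secret-101'),
    ],
];

/**
 * Returns true only when the caller proves knowledge of the row's
 * email + arrival date, or of its unguessable token. Any mismatch,
 * including an unknown rowid, is refused without revealing which part failed.
 */
function guestMayEditRow(array $rows, array $input): bool
{
    $rowid = (int) ($input['rowid'] ?? 0);
    if (!isset($rows[$rowid])) {
        return false;
    }
    $row = $rows[$rowid];

    // Token path: hash_equals() compares in constant time.
    if (isset($input['token']) && hash_equals($row['token'], (string) $input['token'])) {
        return true;
    }

    // Email + arrival path: both must match; email is compared case-insensitively.
    $email   = strtolower(trim((string) ($input['email'] ?? '')));
    $arrival = trim((string) ($input['arrival'] ?? ''));
    return $email !== '' && $arrival !== ''
        && hash_equals(strtolower($row['email']), $email)
        && hash_equals($row['arrival'], $arrival);
}

// In a Fabrik PHP form plugin running onLoad, $input would come from the
// request; the constructed array below plays that role.
$input = ['rowid' => 101, 'email' => 'Guest@example.test', 'arrival' => '2024-05-01'];
if (!guestMayEditRow($rows, $input)) {
    die('not authorized');            // refuse before the form renders
}
echo "access granted to row {$input['rowid']}\n";
```

Because the check keys on data only the guest holds, changing rowid by one no longer yields another record; a list prefilter (eval) with the same comparison keeps the list view consistent with the form.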