I have a page as under:
What I want to do is: each user can see its own staff page
When customer click on the link "Create" in Staff Column, it shows the staff page. I want to add authorization to check if the user already login in the system is the same one who is on the row of link "Create" then Give access to staff page.
For example:
if the user login is "Joanne" then he can see the staff page of itself.
if the user is someone else and click on the "Create" link in the row of Joanne then it doesn't access to user to go to the staff page.
It means each user can see its own staff page. I don't know how to access the page items in the Shared Components/Authorization Schemes.
Please help
Thanks Mali
If table (which is source of that report) contains username everyone uses to log on to the application (for example, JATKINS for Joanne), then you could display/hide "Create" link in the query. For example:
select id,
first_name,
family_name,
--
case when username = :APP_USER then 'Create'
else null
end create_link
from the_table
It means that everyone sees the "Create" link only by their own name.
create_link column's type would be "Link" and you'd set it to navigate to another page, passing the ID (or whichever info you pass).
Related
Since my 2 post about the LDAP Authentication (first post, second post), we created our own custom authentication scheme and function to connect to the application using our Active Directory credentials.
We can successfully log in the application. However, we have a second function which retrieves the group of the user in the AD. Here's the code when I'm trying to retrieve the group into a Text Field (P1_GROUP) :
ourschema.ldap_get_group_apex_from_user(
p_username => v('APP_USER'),
p_password => 'thepassword')
As you can see, this is working, because the password is in static text. This leads me to my main question :
How to retrieve the user's password in Oracle Apex, and what is the most secure way ?
I tried to set a Branch or a Process in the Log-In page while redirecting the user's the the home page, and Set Value of the :P9999_PASSWORD field to the home page text field P1_PWD.
So, I tried to adapt my code with the text field
ourschema.ldap_get_group_apex_from_user(
p_username => v('APP_USER'),
p_password => :P1_PWD)
Unfortunately, this doesn't seems secure because the password would be visible in the HTML code of the page (right click + inspect and there it is. Moreover, sometimes it gives me an error
Error computing item source value for page item P1_GROUP
It seems like the application cannot execute the function because the password is still not initialized.
Is there a way to retrieve :P9999_PASSWORD or to transfer it from the login page to a global variable/global page or a text field ? Or is there a function to retrieve the current user's password ?
Thank you again for your time, do not hesitate to ask for more details as this is a very specific case,
Thomas
I don't think your approach is correct. Ideally, even an administrator of your system should not be able to decrypt a user's passwords; they should be stored as hashes.
You're trying to look up the user's group memberships? You don't need the user's own credentials to do that. Use a dedicated account that has access to your Active Directory system and store that password encrypted in your database. Use that account to search for and look up the user's group memberships. That way, even if your system is compromised, only that account is exposed.
Thank you all for your answers and your advices on my case, and for taking the time to help.
We found a solution that we think is reliable, here's what we did if that could help other people.
We created a global variable G_GROUP, which will receive the group of the user
On the login page, we created a process before the login process.
Set the Source of the Process to PL/SQL Code :
:G_GROUP := pdbadmin.ldap_get_group_apex_from_user( --our custom function to retrieve groups
p_username => :P9999_USERNAME,
p_password => :P9999_PASSWORD); -- the function get the username and password in the fields
If i want to display the group of the user in the main page, let's create a Text Field P1_GROUP which as for Source the PL/SQL Expression :G_GROUP
Our group is initialized, and the password is not shown in any field.
Let me know what you think about it, and if you guys think this could be improved.
The field "from" returns nothing in this query:
https://graph.facebook.com/v3.2/(page id)?fields=posts{comments{message,created_time,from}}&access_token=(page access token)
The other fields return what I expect.
I'm administrator of the page but I haven't submitted my app for review because according to this page I don't have too, or am I wrong?
From the page:
Does not require App Review.
Grants your app access to the default fields of the User object that
are a subset of a person's public profile:
id
first_name
last_name
middle_name
name
name_format
picture
short_name
Or is there anything else I could have done wrong?
Without authorization, you cannot get any user specific data anymore, no matter if you own the Page in question. You can only get data like the message or the link to facebook.com.
I am building an APEX 5 Application for a school. There is a page called "Course Information" and it includes several Classic Reports with information such as the class roster and testing schedule. I want to include a report with grades but I only want this region to be viewable by the teacher of the course. If I can get a hidden item on the page to be filled with the username of the teacher, can I build an authorization scheme that checks APP_USER against this item and only show the region if they match?
How would I accomplish this?
I would go about this slightly differently, and wouldn't use an Authorization Scheme for this particular requirement.
Base the report on a view which has the teacher's username as one of the columns. Put a where clause in the report SQL, e.g. select col1, col2, col3 from the_view where teacher_username = :APP_USER.
Put a Condition on the region using Rows returned based on something like select 1 from the_view where teacher_username = :APP_USER.
This way, the report region will only be rendered if the user is allowed to view the records in it.
The simplest option is to use server side condition, a function that returns Boolean, for that region. Just put
return :APP_USER = 'YOUR_TEACHER';
in there. Region will render only for your teacher. Of course, 'YOUR_TEACHER' should be substituted with his real username.
In my application I have an administrator who can create Tournament objects. When the object is created the service also creates a user (based on the tournament director's info which was entered at creation). The username for the user is the director's e-mail, the password is randomly generated and then mailed to the director.
When the director logs on with his e-mail address and password, I need to be able to link him to his own tournament, in order to only allow him to edit his own tournament's details. I have tried to find a way to store the TournamentId in the default ASP Net Users database, but was unsuccessful.
I had a look at this SO question which would certainly help me, but I can't figure out how it would apply to my problem. When the user logs on, I can't put the TournamentId in the userdata seeing as I don't know it.
Should I then do a lookup in the Tournament table to see which ID corresponds to the email address entered at login and store that in the userData? It seems quite unelegant this way.
I guess you should have a CreatedBy column in your Tournament table where you store the ID of the user who created the tournament. Then when the user logged in, get his id ( may be from session ,if you store it there), Do a select query where CreatedBy=loggedInUserId .That should do the trick.
I have a page for editing product details. I want to restrict that only one user can edit the product page. When a new user opens it while there is a current user editing it, I would like to place some notification then automatically make it available once the current user leaves the page. Any suggestion on how I should approach this?
I would recommend just letting them both edit at the same time.
If you want to notify the last person to save their document, then you can add a "version" column to the database.
Upon saving, you would check the version column, to ensure that the row had not been changed. If it had been changed, you would notify the user at that point.
If i understand you question correctly it sounds like you need to know about database concurrency,
Here are a couple of articles:
MSDN
Ironspeed
Now if you are asking how to authorize only a single user to edit records then you would need to look at roles and aloow say only admins to edit records.
you can have optimistic lock on your record while it is in edit mode , once it is saved make that record avaliable for other user.
Try something like this:
Create a table something like userAccess with IsAccessColumn
if user 1 access edit page set isAccess to True
So the second user will not access the edit page if records is set to true.
Then Set to False if user 1 finally edited the record
After that user 2 can now open edit page.
Regards