How to prevent user from editing someone else's custom data?

Marcel Guldemond asked on April 25, 2017 17:10

Scenario: the site has 2 types of users (Employers and Applicants), in addition to standard global admins and site admins. Each type of user has extended data stored in a custom table (EmployerInfo and ApplicantInfo), with the user's id stored in each record. Each user needs to be able to edit their own data.

Question 1: Is it OK to preload the form with the user's data by adjusting the querystring, adding itemid=<itemid of the user's custom table record>? (This seems to work in initial testing.) The link to get there would probably have to run some JavaScript that's set up by a macro in the referring page.

Question 2: how do we apply some security so users can only edit the record that has their id stored in it? The above method would allow any user with the same role to manually edit the querystring and pull up any other custom data record.

Correct Answer

Brenden Kehren answered on April 25, 2017 17:34

Out of the box, when you create a custom table it will create 4 fields for when the record was created and who created it, as well as when the record was updated and who updated it.

ItemCreatedWhen
ItemCreatedBy
ItemModifiedWhen
ItemModifiedBy

You can perform a check on any of those fields if you want. The simple solution would be to place a macro in the enabled property of the fields. You can find the enabled condition in the Field advanced settings when you select a field in your custom table.

So say you have a field called Name. In the Enabled condition you enter:

ItemCreatedBy.Value == CurrentUser.UserID || ItemCreatedBy.Value <= 0

So now, when the form loads, if the user who created the record is the one editing it, it will allow them to edit it. The <= 0 comparison is for inserts, so the field is enabled.

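The Enabled-condition macro above decides whether a field is rendered as editable. The itemid in the querystring is still attacker-controlled, and a browser that has the form can post any itemid it likes regardless of which fields were rendered enabled, so the same ownership rule (creator equals current user, or ItemCreatedBy <= 0 for an insert) has to be enforced on the server when the record is loaded and again when it is saved. The following is an added example illustrating that, not Kentico's API or code from the original answer: the EmployerInfo table, its two records, the user IDs, the URL paths and all function names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class CustomTableItem:
    """Constructed stand-in for one EmployerInfo/ApplicantInfo row.

    Kentico adds ItemID plus the ItemCreatedWhen/ItemCreatedBy/
    ItemModifiedWhen/ItemModifiedBy columns to every custom table;
    only the columns the ownership check needs are modelled here.
    """
    ItemID: int
    ItemCreatedBy: int  # UserID of the creator; 0 for a record not yet saved
    Name: str


# Constructed sample data: two records owned by two different users (5 and 7).
EMPLOYER_INFO = {
    10: CustomTableItem(ItemID=10, ItemCreatedBy=5, Name="Acme Ltd"),
    11: CustomTableItem(ItemID=11, ItemCreatedBy=7, Name="Globex Corp"),
}


class Forbidden(Exception):
    """Raised when the current user does not own the requested record."""


class NotFound(Exception):
    """Raised when no record has the requested ItemID."""


def parse_itemid(url: str) -> Optional[int]:
    """Read ?itemid=... from a URL; a missing or non-numeric value is treated as absent."""
    values = parse_qs(urlparse(url).query).get("itemid", [])
    if not values or not values[0].isdigit():
        return None
    return int(values[0])


def can_edit(item: CustomTableItem, current_user_id: int) -> bool:
    """The same rule as the Enabled-condition macro in the answer: the creator
    may edit, and an unsaved record (ItemCreatedBy <= 0) is an insert, so the
    fields are enabled for whoever is creating it."""
    return item.ItemCreatedBy == current_user_id or item.ItemCreatedBy <= 0


def load_for_edit(itemid: int, current_user_id: int) -> CustomTableItem:
    """GET side: preload the form only when the caller owns the record.
    itemid comes from the querystring, so it is untrusted input."""
    item = EMPLOYER_INFO.get(itemid)
    if item is None:
        raise NotFound(itemid)
    if not can_edit(item, current_user_id):
        raise Forbidden(f"user {current_user_id} does not own item {itemid}")
    return item


def save_edit(itemid: int, current_user_id: int, new_name: str) -> CustomTableItem:
    """POST side: repeat the ownership check before writing. A disabled field in
    the rendered form does not stop a client from posting a different itemid."""
    item = load_for_edit(itemid, current_user_id)
    item.Name = new_name
    return item


def attempt_edit(url: str, current_user_id: int, new_name: str) -> str:
    """Simulate one edit request end to end and report the outcome."""
    itemid = parse_itemid(url)
    if itemid is None:
        return "not found"
    try:
        save_edit(itemid, current_user_id, new_name)
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not found"
    return "ok"


if __name__ == "__main__":
    # User 5 edits their own record (itemid=10): allowed.
    print(attempt_edit("/edit?itemid=10", 5, "Acme Limited"))  # ok
    # User 5 tampers with the querystring to reach user 7's record: denied.
    print(attempt_edit("/edit?itemid=11", 5, "Evil Corp"))  # forbidden
    # Unsaved record: no creator yet, so the insert path is enabled.
    print(can_edit(CustomTableItem(ItemID=0, ItemCreatedBy=0, Name=""), 5))  # True
```

The point of `save_edit` calling `load_for_edit` again is that the decision is made from the stored ItemCreatedBy and the session's user ID on every request, never from anything the client sent other than the record key; the macro in the field's Enabled condition then becomes a usability nicety on top of a check that holds even when the form is bypassed.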
