Hide rowid from URL

Barcellos

Ana Barcellos
Hello, Guys!

Is there a way to hide the rowid from the URL, to prevent a user from changing the number and seeing the data of another user?

I can't use prefilter by username because I am working with subforms.

Explaining:
  • I have a main form, with general information about the student.
  • Linked to this form, I have 4 other forms, connected by an element (databasejoin).
  • I have a prefilter by data from LDAP (username) just in the first form.
  • I don't have elements which I can filter from LDAP (name, username) in the 4 other forms.
  • The other forms are just available from the links in the first list, which is prefiltered by user.
I would appreciate any help.

Thanks, Ana

Joomla 3.5.1
Fabrik updated from Git
 
You have to pass the rowid, otherwise obviously we have no way of knowing which row you want to load.

And if there's nothing in those other forms that uniquely identifies the user, then there's no way to implement any kind of access control.

-- hugh
 
I'm trying to figure out and vision what you are doing here. A screen shot of the list and links would help.

Why can't you just add a user_id field in the other 4 forms and create a hidden menu item (Fabrik form) to each of these forms? - and in the menu configuration, specify that it use that user_id value for validation against the current userID? (That user_id field doesn't have to be a user element - it can just be a standard field element that gets populated with the user_id that it 'belongs to').

Or you can use session user state variables to track the id of each form that 'belongs' to the user - then check as the form is rendered that the id is the same as the id stored as the user state variable, and if not redirect with a system message warning. https://docs.joomla.org/How_to_use_user_state_variables
 
Thank you for your help, Bauer!! The problem here is that the form is not submitted by the students themselves, but by their coaches, so I can't record the information automatically.
I have not been able to upload files since yesterday. It returns: "There was a problem uploading your file." I tried to add a small file (9,8kb) png or jpg but it didn't work. So sorry for not providing images.
I am trying to use the autofill plugin to bring the information from the other form and try to prefilter it. But I am facing several different errors. Working to fix all of them to test if the solution works. Autofill is working but I am having problems such as "you dont have permission to add a new element to this list" and the databasejoin element not saving the data parameters.
 
There's all sorts of things that can be wrong with folder/file permissions.

At the list level...
Is the list set to allow changes to the file structure? (Details - Advanced - Alter field types)
In the 'Access' section are all the permission levels set correctly?

How about the 'Access' levels in the Group, Form, Element, or Menu configuration?

I'm not sure of this particular setup - but I've come across instances where a file upload is rejected because - even though the file is of the 'allowed' file type - it was rejected because the file extension was all caps. (In the php code, the array of accepted file extensions was only checking for and accepting files where the acceptable file extension was lowercase). The error message will just say 'Invalid file' but not give you a clue to the real cause in that case. That's really a bug in the code if that is happening - but changing the extension to lowercase is a way to verify that such a bug exists.

Also the location where the file upload is being stored needs to have the proper permissions at the server level. Could that be the problem?
A few weeks ago I ran into/discovered a weird situation with folder/file permission at my host provider because the 'owner' of certain folders was not the same owner as for Joomla. (That was because I had created the folder via ftp/Filezilla while I was logged on as a different user.) If you use ftp to transfer files manually, especially if you create a new folder/file, you should always be sure to log in as the same user as is used by Joomla.
 
You can prefilter with a query.

In your child form, you have an element that links it to the main form, a kind of main_form_id?
So the filter in the child form can be

where main_form_id in (select id from main_form where user_id={$my->id})
 
As people say: to solve a problem, keep your distance for some time and then maybe you can see clearly what you could not see before. That's what happened on this topic. :) First of all, thank you to everyone who helped me to reach the solution: @cheesegrits @Bauer and @coullet many thanks! You are great! The solution was in your answers (prefilter) but I could not realize how to do it when I need different behaviors for students (registered) and teachers (registered/teacher) without copying each list. Your answers also helped me to stop wasting time with other solutions besides prefilter.

I prefiltered the main list and the 4 lists with data connection like this:

name / EQUALS / return '{$my->name}'; / registered (eval)
OR id / GREATER THAN OR EQUAL / 1 / teacher (this is what I added now).

OR

name / EQUALS / return '{$my->name}'; / registered (eval)
OR name-teacher / EQUALS / return '{$my->name}'; / teacher (this is what I added now).


Now the students can see just their own data when they open the connected data from the list (not from a menu). Even if they change the id in the url, it has no effect. In the first example, the teacher can still change the id and see information of other students, in case they need to replace another teacher. In the second, teachers cannot see the others' students.

I was so obsessed with that "name" field that I could not think of using another one. That's what happens when you are not a programmer: you can't think like one - and it is very easy to get some obsession. :D

Did I say that I love Fabrik before? Yes, many times, but I want to say it again! ;)
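
Added example, not part of the thread and not Fabrik code: the ownership subquery from the prefilter suggestion above, combined with the student/teacher split of the final solution, run against an in-memory SQLite database. The table and column names (main_form, child_form, user_id, teacher_id) and all sample rows are constructed assumptions, and numeric ids stand in for the name match used in the thread.

```python
import sqlite3

# Constructed schema and rows; names are assumptions, not Fabrik's own tables.
SCHEMA = """
CREATE TABLE main_form (id INTEGER PRIMARY KEY, user_id INTEGER, teacher_id INTEGER);
CREATE TABLE child_form (id INTEGER PRIMARY KEY, main_form_id INTEGER, notes TEXT);
INSERT INTO main_form VALUES (1, 101, 900), (2, 102, 901);
INSERT INTO child_form VALUES (10, 1, 'student 101 record'), (11, 2, 'student 102 record');
"""

# Unscoped lookup: whatever rowid arrives in the URL is loaded.
UNSCOPED = "SELECT notes FROM child_form WHERE id = ?"

# Scoped lookup: the child row must also hang off a parent row that
# belongs to the requester (student) or is assigned to them (teacher).
SCOPED = """
SELECT notes FROM child_form
WHERE id = :rowid
  AND main_form_id IN (
      SELECT id FROM main_form
      WHERE (:role = 'student' AND user_id = :uid)
         OR (:role = 'teacher' AND teacher_id = :uid))
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def load_unscoped(db, rowid):
    row = db.execute(UNSCOPED, (rowid,)).fetchone()
    return row[0] if row else None

def load_scoped(db, rowid, uid, role):
    # uid and role must come from the server-side session, never from the request.
    row = db.execute(SCOPED, {"rowid": rowid, "uid": uid, "role": role}).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = open_db()
    print(load_unscoped(db, 11))                # other student's row comes back
    print(load_scoped(db, 11, 101, "student"))  # changed rowid has no effect
    print(load_scoped(db, 10, 101, "student"))  # own row still loads
    print(load_scoped(db, 11, 901, "teacher"))  # teacher limited to own students
```

The rowid stays in the URL in both cases; what changes is that the row is only returned when the session's user is tied to its parent record.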
 