Label not displayed when setting value of dbjoin using URL

[rackem]

I use a URL to set the value for a dbjoin element in a form when creating a new record. However, the dbjoin does not display the anything when the form loads. I expect to see the label for the value I have set.

The value is being set properly because it is recorded to the database and the label is correct when I edit the record.

Here is the URL in use:

index.php?option=com_fabrik&view=form&formid=16&mps_votes___player_raw={mps_players___id}

The URL is correct, it just seems that the dbjoin element display is not filled in. This was working before migrating from F2.5 without "_raw". So I have tried it both with and without "_raw".

 

[cheesegrits]

Looking at this now.

-- hugh

 

[cheesegrits]

Hmmm, seems to work for me:

http://screencast.com/t/DSSNyldHLg

... with the latest 3.1 github.

I tried accessing your My Sites site, with that query string you gave above, but none of my logins for your site seem to have access, I get "not authorized to add that resource".

-- hugh

 

[rackem]

Ah, sorry, that is a back end admin login only. I added a front end login to My Sites.

I updated from joomla3 GitHub earlier today and it still displays the reported issue. Perhaps the difference is in ACL? The form view access on the element is set to Nobody.

 

[cheesegrits]

Ah, OK, yes. With Form View access set to 'Nobody' ... that probably is the issue ... it's not falling back to the read only ACL ... testing on my setup now.

-- hugh

 

[cheesegrits]

Hmmm. This is an interesting issue. It really is debatable whether it should even work the way it is at the moment, with user having no edit access. Really, we shouldn't save that value passed in the query string with the form, as well as not displaying it, and I'm not entirely sure why we are - really, it's a security hole.

What I'm working on is a way of doing it with the query string, but not directly. Rather, by using an eval'ed default on the join element, which looks for a specific query string arg (but NOT the usual full element name). Even elements where the user has no edit access should be settable to a default, as it requires you (the backend admin) to specifically allow it, by adding the default code.

I'm running in to a few issues along the way, so may not have a solution today. But I'm working on it.

-- hugh

 

[cheesegrits]

OK, I have a fix locally which will allow you to default the player ID to a query string value, and will correctly show the label when displaying the form, even with the logged on user not having 'write' access.

I'm not going to commit it just yet, as I'm trying to work out (and fix) how come we are allowing a query string variable to actually be saved with the form, when the user doesn't have the ACL permission to edit it.

The fix for that will probably mean that you'll have to use some other query string arg, not the full element name. So something like '&this_player_id={mps_players___id}. Then in the default for that join element, you'd do:

$app = JFactory::getApplication();
return $app->input->get('this_player_id', '');

This would allow you to default a read-only element in a new form to value passed on the query string, without violating ACL's (i.e. without relying on our built in &table___element=foo way of setting values using the normal full element name), which is what seems to be happening at the moment.

Anyway, just letting you know I'm making progress, but it'll be at least tomorrow before I have anything you can use.

-- hugh

 

[rackem]

Thanks for the update and thorough explanation Hugh. I will plan on updating my site with what you come up with. The approach you describe sounds very reasonable.

 

[cheesegrits]

OK, I'm going to commit the change I have, which will allow you to do the eval'ed default thing.

For the element ACL thing, I've raised a github issue for Rob:

https://github.com/Fabrik/fabrik/issues/811

-- hugh

 

[cheesegrits]

OK, I committed that change so you should now be able to do the eval'ed default thing, using the example code I gave you. Just don't use the full element name as the query string arg.

-- hugh

 

[rackem]

OK, got it working just like you said. Thanks!

I also updated this section of the wiki: http://fabrikar.com/forums/index.php?wiki/forms/#setting-field-data-on-form-load

Just to note again, my original setup was done in F3 and was working there. So from the security side, whatever fix Rob comes up with should be applied there as well.

 

[cheesegrits]

What's odd is, this issue should be fixed. I'd forgotten I'd fixed the exact same issue in 3.0 a few weeks ago, and ported the fix forward to 3.1 as well at some point. So we should already be removing all read only elements from the query string when we load the form data.

Not sure when that fix got applied to 3.1, tho.

-- hugh