I can't recall if you said your users have to register first or not? If so, you can restrict access by having a 'user' element on the form, and a pre-filter on the List:
WHERE
Field: user(raw)
Condition: EQUALS
Value: {$my->id}
Type: text
... which will restrict all access of the list data to the logged on user whose ID matches that of the user element. This applies to direct form/details view access as well, not just filtering of lists. So if user A tries to directly load a form belonging to user B, Fabrik will barf.
To prevent people from just removing filters and seeing the whole list, you can set "Require filtering" on the list settings, so any attempt to view the list without a filter gets a "Please apply a filter".
However, I don't really see any reason people should ever see (or have access to) the list itself. Better to do it with a little custom code. Probably a search form like you are doing, but with a submit script that checks to see if the id/email matches, and if it does, generates a token, stores it in the session data, and redirects to the actual rescue form itself (rather than a list) with that token on the query string, with an onLoad script that checks the query string token against the session token.
It'd be easier for me to just write that for you directly, rather than do it here. But the gist of it would be ....
A PHP plugin on the search form, running 'onBeforeProcess', which does something like ...
Code:
// get the search ID and email
$searchId = $formModel->formData['___search_id'];
$email = $formModel->formData['___email'];

// look them up in the rescue_request table
$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query->select('id')
    ->from('rescue_request')
    ->where('search_id = ' . $db->quote($searchId))
    ->where('email = ' . $db->quote($email));
$db->setQuery($query);
$rowid = $db->loadResult();

// either redirect to rescue_request form, or back to search
$app = JFactory::getApplication();

if (!empty($rowid)) {
    // we found it, so create a token (hash the search id, email and rowid)
    $token = md5($searchId . $email . $rowid);

    // store the token in the server session
    $session = JFactory::getSession();
    $session->set('rescue.token', $token);

    // redirect to rescue form, appending token as query string arg
    $app->redirect('index.php?option=com_fabrik&view=form&id=123&rowid=' . $rowid . '&rescuetoken=' . $token);
}
else {
    // redirect back to search form with msg
    $app->enqueueMessage("Sorry, we didn't find anything, try again");
    $app->redirect('index.php?option=com_fabrik&view=form&formid=321');
}
... then on the rescue_request form, a PHP script 'onLoad' ...
Code:
// only check token if it's not a new form.
// can add a check here for membership of admin group as well, so admins can edit
if (!$formModel->isNewRecord()) {
    // recreate the token from the data being loaded
    $formToken = md5($formModel->data['rescue_request___search_id'] . $formModel->data['rescue_request___email'] . $formModel->data['rowid']);

    // get (and clear) the session token
    $session = JFactory::getSession();
    $sessionToken = $session->get('rescue.token');
    $session->clear('rescue.token');

    // get the url token
    $app = JFactory::getApplication();
    $urlToken = $app->input->get('rescuetoken', '');

    if (!($formToken === $sessionToken && $sessionToken === $urlToken)) {
        // whoa! they aren't the same, so bail back to the search form
        $app->enqueueMessage('Sorry, something went wrong, try again');
        $app->redirect('index.php?option=com_fabrik&view=form&formid=321');
    }
}
So the flow is ...
Hit search form, submit
During search form submission, if a matching row is found, create a token, save it in session, redirect to load the form with token on the query string.
During loading the main form, make sure the session and query string token match, plus generate the same token from the actual form data just for the added heck of it.
-- hugh
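
Added example, not part of hugh's post and not Fabrik's own code: a stand-alone PHP sketch of the same search, token, form flow, using a random single-use token tied to the row id and hash_equals() for the comparison, in place of the md5 of row data. The function names and the plain array standing in for the Joomla session are assumptions made for illustration.

```php
<?php
// Added example: stand-alone sketch of the search -> token -> form flow.
// $session is a plain array standing in for the Joomla session (assumption).

// Called by the search form once a matching row has been found.
function issueRescueToken(array &$session, int $rowid): string
{
    $token = bin2hex(random_bytes(16)); // unpredictable, not derived from row data
    $session['rescue.token'] = ['token' => $token, 'rowid' => $rowid];

    return 'index.php?option=com_fabrik&view=form&id=123&rowid=' . $rowid
        . '&rescuetoken=' . $token;
}

// Called when the rescue form loads; true only for the row the token was issued for.
function checkRescueToken(array &$session, int $rowid, string $urlToken): bool
{
    $stored = $session['rescue.token'] ?? null;
    unset($session['rescue.token']); // single use: cleared whether or not it matches

    if (!is_array($stored) || $urlToken === '') {
        return false;
    }

    // constant-time comparison of the session token and the query string token
    return $stored['rowid'] === $rowid && hash_equals($stored['token'], $urlToken);
}

// Constructed walk-through (the row ids are made up).
$session = [];
$url = issueRescueToken($session, 42);
parse_str(parse_url($url, PHP_URL_QUERY), $q);

var_dump(checkRescueToken($session, 42, $q['rescuetoken'])); // matching row and token
var_dump(checkRescueToken($session, 42, $q['rescuetoken'])); // replay after the token was cleared

$url = issueRescueToken($session, 42);
parse_str(parse_url($url, PHP_URL_QUERY), $q);
var_dump(checkRescueToken($session, 43, $q['rescuetoken'])); // token issued for a different row
```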