Defining a set filter

General

timconsidine     5 months ago

First of all ... what a great app !

I'm looking to set up a view which has a filter to show only rows linked to a user

E.g. users and tickets table, user has a relationship to tickets

I want to show only the logged in user's tickets, and not any other users' tickets.

I can set a filter and embed a ticket table view

But I don't want the user to be able to change the filter, e.g. no dropdown or toggle

Is this possible?

 



JonathanDHolden      5 months ago

Wouldn't that be automatic when the user is logged in... if you've set the view to user level permissions they'll only be able to see their own tickets. 

 


tomn      5 months ago

timconsidine: this was added in 0.4.4. If, in a Filter view, you add a toggle filter and select the field which is the key to User, you should get the option in the builder of setting the value to a Preset, Logged in, which will select the ID of the logged in user.


timconsidine      5 months ago

Thank you @tomn

It works as you suggest but user can just press the toggle switch and then they see all tickets.

@JonathanDHolden : setting user level permissions is only about setting access to a view, as I understand. If the view has other users' tickets, they still see them, unless a filter is used. Please do correct me if I am wrong.


timconsidine      5 months ago

The toggle can be set up in the view but does not seem to be automatically activated when the view is loaded.

It would be great if :

  • the toggle is active on page load
  • the toggle can be hidden so it cannot be turned off by user action

Not a problem to use the toggle as a workaround like this.

Would be more secure if the filter view could have a restraint in the config with a value such as {{ CurrentUser }} ... or whatever structure/syntax is used in Saltcorn

 


JonathanDHolden      5 months ago

"Would be more secure if the filter view could have a restraint in the config with a value such as {{ CurrentUser }} ... or whatever structure/syntax is used in Saltcorn" Yes, that seems like an excellent suggestion....  


timconsidine      5 months ago

I tried putting the toggle inside a container on the screen, and then setting the custom css to hide it

Doesn't seem to work, but maybe it's my CSS :

.hidethis {
  display: none;
}


timconsidine      5 months ago

Ooops, seems it is as simple as putting in the Custom CSS

    display: none;

That's great.  Toggle nicely hidden  ... except the toggle is not activated on page load.
I will play to see if it can be set on page load through some property injection.

If any of that suggests I know what I'm talking about, well.   I don't !!


timconsidine      5 months ago

And actually probably better to set the container properties to be "SHOW IF : ADMIN OR STAFF", instead of using custom CSS


timconsidine      5 months ago

Interesting discovery that the Code component supports adding not just HTML, but also JavaScript.

I can use this to simulate a button click for the toggle so that it gets set to on when the page loads.

Problem I am having is that the code I am using runs constantly causing constant page actions.

<script>
document.onreadystatechange = () => {
  if (document.readyState === 'complete') {
    set_state_field('holder', encodeURIComponent('1'))
  }
};
</script>

If I can sort this, then it's an acceptable workaround


timconsidine      5 months ago

Although I discovered also from browser address bar that implementation is to add parameter e.g. "?holder=1"

This obviously works, but it is insecure as the parameter can be manually set.  This might be fine for e.g. product codes.  But for anything which reveals personal data such as orders, it's not good.

If the user table ID was random and complex, it might be ok, but as ID is sequential auto-incremented, it's trivial to "hack" the query and discover personal data.

Just mentioning it in case a future release can address this. 
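
The concern in the last post above, sketched as an added example that is not part of the original thread and is not Saltcorn code: a row filter taken from the URL (`?holder=1`) beside one bound to the authenticated session. Only the `holder` parameter comes from the thread; the ticket data is constructed, and the function names, session shape and role names are assumptions for illustration.

```javascript
// Constructed sample data: tickets keyed to users by a sequential id.
const tickets = [
  { id: 1, holder: 1, subject: "Printer offline" },
  { id: 2, holder: 2, subject: "Password reset" },
  { id: 3, holder: 1, subject: "VPN access" },
  { id: 4, holder: 3, subject: "Invoice query" },
];

// Hypothetical roles that are allowed to see every ticket.
const PRIVILEGED = new Set(["admin", "staff"]);

// Pattern described in the thread: the row filter is whatever the URL
// says (?holder=1), and no parameter at all means no filter.
function listTicketsFromQuery(query) {
  if (query.holder === undefined) return tickets;
  const holder = Number(query.holder);
  return tickets.filter((t) => t.holder === holder);
}

// Server-side constraint: the owner comes from the authenticated session.
// A client-supplied holder is honoured only for privileged roles.
function listTicketsForSession(session, query = {}) {
  if (!session || !Number.isInteger(session.userId)) {
    throw new Error("not authenticated");
  }
  if (PRIVILEGED.has(session.role)) {
    return listTicketsFromQuery(query);
  }
  return tickets.filter((t) => t.holder === session.userId);
}

// Audit helper: true when a non-privileged request asked for rows that
// belong to another user, which is worth logging.
function isForeignHolderRequest(session, query = {}) {
  if (PRIVILEGED.has(session.role) || query.holder === undefined) return false;
  return Number(query.holder) !== session.userId;
}
```

With the session-bound version, hiding or pre-setting the toggle becomes a display choice only, because the rows returned no longer depend on anything the browser sends.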


