Forbidding access to update a form based on rules

I have some simple project workflow logic in the backend.

For a certain project status (submitted, for instance), the admin should be allowed to preview the project but not to edit/update it.
So I can easily hide the edit button on the form, but one tricky guy could simply change the URL, replacing /preview/ with /update/, and then he would have access to the form data.

How can I prevent that?

Thanks in advance for your ideas.

Hi Chris

The formRender method takes an array of options, including a bool for 'preview'. You could do something like this in the preview.php and update.php files of the controllers:

    <?= $this->formRender(['preview' => !$this->controller->userHasAccessToModel()]) ?>

Or, maybe even better, override the formRender method in your controller and force preview mode if the user does not have access:

    public function formRender($options = [])
    {
        // userHasAccessToModel() is your own access rule; force read-only rendering when it fails
        if (!$this->userHasAccessToModel()) {
            $options['preview'] = true;
        }

        return $this->asExtension('FormController')->formRender($options);
    }

Hi @chris ,

One way is to override the update() method in your controller and deny access if the project has already been submitted:

    public function update($recordId = null)
    {
        // Load the record the same way FormController does
        $project = $this->formFindModelObject($recordId);

        // Refuse to render the editable form once the project is submitted
        if ($project->status == 'submitted') {
            return \Response::make(\View::make('backend::access_denied'), 403);
        }

        return $this->asExtension('FormController')->update($recordId);
    }

You can apply the same logic to other actions if needed, e.g.:

    public function create()
    {
        // Add your own checks here before delegating to the behavior
        return $this->asExtension('FormController')->create();
    }

    public function preview($recordId = null)
    {
        // Add your own checks here before delegating to the behavior
        return $this->asExtension('FormController')->preview($recordId);
    }
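
The two answers above each cover one entry point: the first forces read-only rendering via formRender, the second blocks the update page action. The following controller is an added example (not code from this thread or from October CMS itself) that puts the rule in one helper and applies it at every place the backend can reach the record, including the AJAX save handler behind the form's Save button. Hiding the button or blocking the update page only stops the form from being displayed; the save handler is what actually writes to the database, so it needs the same check. The namespace Acme\Projects, the Project model's string `status` column and the helper name `projectIsLocked` are assumptions; `update`, `update_onSave`, `formRender`, `formFindModelObject` and `formGetModel` are the FormController behavior's own methods.

```php
<?php namespace Acme\Projects\Controllers; // hypothetical plugin namespace

use ApplicationException;
use Backend\Classes\Controller;
use Response;
use View;

/**
 * Hypothetical Projects controller that enforces the workflow rule
 * server-side: a project whose status is 'submitted' is read-only.
 */
class Projects extends Controller
{
    public $implement = [
        'Backend.Behaviors.FormController',
        'Backend.Behaviors.ListController',
    ];

    public $formConfig = 'config_form.yaml';
    public $listConfig = 'config_list.yaml';

    /**
     * Single place that encodes the rule so every entry point agrees.
     * Assumes the Project model has a string 'status' column.
     */
    protected function projectIsLocked($project): bool
    {
        return $project->status === 'submitted';
    }

    /**
     * Page action for /update/:id. Refuses to render the editable form
     * for a locked project, even if the user typed the URL by hand.
     */
    public function update($recordId = null, $context = null)
    {
        $project = $this->formFindModelObject($recordId);

        if ($this->projectIsLocked($project)) {
            return Response::make(View::make('backend::access_denied'), 403);
        }

        return $this->asExtension('FormController')->update($recordId, $context);
    }

    /**
     * AJAX handler behind the form's Save button. This is the check that
     * protects the data; the page check above only controls what is shown.
     */
    public function update_onSave($recordId = null, $context = null)
    {
        $project = $this->formFindModelObject($recordId);

        if ($this->projectIsLocked($project)) {
            // ApplicationException is reported to the user by the AJAX framework
            throw new ApplicationException('This project has been submitted and can no longer be edited.');
        }

        return $this->asExtension('FormController')->update_onSave($recordId, $context);
    }

    /**
     * Belt and braces: any view that calls formRender() on a locked project
     * gets read-only fields, whichever action rendered it.
     */
    public function formRender($options = [])
    {
        $project = $this->formGetModel();

        if ($project && $project->exists && $this->projectIsLocked($project)) {
            $options['preview'] = true;
        }

        return $this->asExtension('FormController')->formRender($options);
    }
}
```

The same `projectIsLocked()` check belongs in any other handler that can modify a submitted project, such as the delete handler `update_onDelete`, and in any custom AJAX handlers you add; the rule lives in one method precisely so that adding it to a new entry point is a two-line change.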

Thanks both for your ideas,

I implemented the overriding of the update() and preview() methods with success.
