From the Orbeon documentation:
Application Name. Each form definition has an application name which identifies a group of forms that belong together. In practice, an application name might correspond to a project, or a department, or a company. For example, all forms built by Orbeon have the "orbeon" application name.
NOTE: Depending on your permissions, the application name might have been picked for you already, or you might have the choice of a restricted set of application names.
Form Name. Each form definition also has a form name, which identifies a unique form name within a particular application.
As orbeon's persistence API retrieves the form definitions by their application and form name, I would like to put some validation to the form settings page that would prevent the user to save a second from definition with the same application and form name as an existing one.
(My first approach would be to put some custom response to the persistence layer, but orbeon is not able to make difference between a general persistence error and a validation errror there with other words the backpropagation of the errors of the persistence layer/api to the user is not that mature, so to say.)
So how should I do this?
If I understand correctly, you'd like Form Builder users to be prevented from creating a new form with an app/form name that is already used. The user could either be prevented from creating that form, or at least offered the option of opening the existing form instead of creating a new one with the same app/form name.
One question would be what, in that context, "already used" means: are we talking about forms editable by that user in Form Builder, or published forms? Maybe Form Builder should check both.
This check should happen in 3 places in Form Builder:
When the form is initially created (better warn users as soon as possible).
When users open the form settings dialogue to rename the form.
When saving (even if we're sure no form with the same app/name existed at the time the form was created, in the meantime another form with the same app/name might have been created).
In situation number one, if a form with the same app/name exists in Form Builder, Form Builder should provide the user the option to open that form instead of creating a new form.
So this is a feature that should be implemented at the level of Form Builder; it cannot be done solely by a custom implementation of the persistence API. This is covered by request for enhancement #818.
Related
Sorry for the basic question... I'm relatively new to Orbeon Forms..
Is it possible to inhibit the change of a form (to most users) once the has been submitted and the status has reached the "Completed" ?
Specific business key users must be able to change these forms if required (like Admin rights).
At present anyone with the right permissions can re-open a form and change the data..
Many thanks
PeteA
The basic idea is the following:
In the process that runs when users submit the form, use the set-workflow-stage(name = "…") action to change the workflow stage to something like submitted.
In Form Builder, set the entire form to be readonly if the workflow stage is submitted using a formula like fr:workflow-stage-value() = 'submitted'.
You can find more about it in this blog post.
We have been using asp.net mvc for development. Sometimes, we need to put some hidden fields on form that are shoved in the model by modelbinder (as expected). Nowadays, users can easily temper the form using firebug or other utilities. The purpose of hidden field is mostly to provide some information back to server on as is basis and they are not meant to be changed.
For example in my edit employee form I can put EmployeeID in hidden field but if user changes the employeeID in hidden field, wrong employee will be updated in the database. in this scenario how can we keep the integrity of hidden fields.
You need to enforce security to ensure that the person doing the modification has permission to do so. I'd also put the id in the URL typically rather than a hidden field, relying on the security to ensure that people don't modify things that they shouldn't be able to. If they do have permission to modify the item when changing the id manually, it shouldn't be a problem. The important thing is to make sure that a person can't change the id manually and get access to something they shouldn't. Enforcing server side permissions solves this problem. You can easily do this using Roles in conjunction with the AuthorizeAttribute.
if user changes the employeeID in
hidden field, wrong employee will be
updated in the database
This is a major security hole in your website. In everything you do with web development, no matter how clever someone's code might be or how much you think you'll be ok as long as users don't do something, remember one golden rule: Never implicitly trust data received from the client.
In order to modify anything in your website, the user must be logged in. (Right?) So in any attempt a user makes to post a form to the website (especially one which can modify data), double-check that the user submitting the form has permission perform the action being requested on the data being specified.
Ideally, every action which isn't completely public and unsecured should have a server-side permissions check. Never, ever trust what the client sends you.
One potential alternative would be to store that static, single-use information in TempData on the server and not pass it to the client where it could be tampered with. Keep in mind that by default TempData uses Session and has limitations of its own - but it could be an option.
I have a view with two forms. A main form to create a new contact and another form to add a new folder (for organization).
Is it possible to get params for both forms to be set when one of the forms is submitted? Say, if a new folder is created I'd like to return to the view with any filled out contact information still there (or the other way around if the main form has errors).
Thanks!
It's a basic constraint of HTTP that a form submission only includes the values for the submitted form (which is, of course, a feature, not a bug).
Options to actually deal with your need:
If the two forms go to the same place, you could of course simply make them one big form; they can look like two forms visually without being two forms within the page
You could use javascript to populate one form with hidden fields representing the values in the other form. These could be updated either whenever the values change, or just before the actual submission takes place
Or (and this is what you should do, in my opinion) you could make both forms submit via AJAX rather then submitting the full page. That way, the form that hasn't been submitted won't change anyway, and there won't be any need to restore the values.
I haven't even attempted this yet and am creating this question for advice really.
I have a strongly typed page which receives a form model composed of several components. It is to create a mitigating circumstance (MC) for a student at a university for my final year project. A MC can be composed of the initial problem, assessment extensions, and I use a multi select box to allow the user to select staff retrieved from the database which are able to view the MC once created.
The thing is I feel that a student could be granted many assignment extensions for one problem. I am wander if it is possible to include a button/image on the form which when clicked will create a new assessment extension object, and duplicate the form components to set the values for the object? This would all need to occur without any page refreshes.
Any advice, or links to good tutorials would be appreciated. I have so far been unable to find any suitable examples.
Thanks,
Jon
There are a number of ways to do this, but the fastest is to create a javascript handler which creates the form controls without any sort of server request, all you need to do is keep track of how many items are in your list so you can name the form controls correctly.
Start by making a button that when you click on it creates form controls. Once you get that, work on the naming.
I'm making a simple CRUD app with ASP MVC and I want to have a confirm page when creating a new object and inserting it into the database.
The problem is that I'm having trouble passing the object between actions. I tried to save it in the session after it's created and then retrieving it when the user confirms, but I'm getting an InvalidOperationException when I try to insert it into the database ( I'm using Entity Framework )
I'm not even sure if I'm approaching this the right way. Any ideas?
What I like to do if the schema allows for it, is to have an active flag (and timestamp field) on the record. You insert on the first page without setting that flag. The confirm page merely sets the active flag. Another process can clean dead records that were not confirmed within a certain range of their timestamp. And the object or entity never ties up session memory.
edit for clarity: as a result you only pass the id of the created entity to the confirm page
Tim's is the best basic answer to this but if you don't want to include the extra logic you could also consider using hidden fields on the confirm page so confirming actually resubmits the form data (this means less DB trips and means that you don't have old unconfirmed entries sitting in the DB to filter out but means more data to and from the client).
Another alternative that might be preferred from a UI point of view is to have Tim's answer but if JavaScript is enabled make the submit button instead pop up a confirm screen, clicking OK would submit both the form and the confirmation in one go.