SID-00712: Forms and sub-part authentication
Status: Answered
TWiki version: 4.3.2
Perl version:
Category: CategoryForms
Server OS: RedHat
Last update: 15 years ago
I am investigating creating a form-based system for handling work requests, where an initial descriptive form is completed by general staff members, the form having several elements. The resultant new request (topic) is then passed for subsequent comment and accept/reject by their manager.
Some help please on the best way, on the one hand, to allow any staff user to raise/create a new request, but where only the designated manager user/group can edit their commentary/tickbox form elements. Ideally, once the manager has pronounced, the staffer cannot edit text again. Audit trail maintained.
Is this a case for sub-forms? Advice much appreciated.
--
StephenHallett - 2010-01-12
Discussion and Answer
Simply add access control into the template topic. You need to escape the access control so that it takes effect only once instantiated. Do that with a %NOP% embedded into the access control setting, which gets removed when instantiating a topic based on the template. Example:
   * Set ALLOW%NOP%TOPICCHANGE = Main.ManagerGroup
Details in TWikiTemplates, TWikiAccessControl, TWikiScripts.
--
PeterThoeny - 2010-01-13
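The answer above depends on one mechanism: a preference line is only recognised when it reads exactly "* Set NAME = value", so a %NOP% inside the name hides the setting in the template, and removing %NOP% at instantiation makes it live in the new topic. The following is an added Python model of that mechanism, not code from this page or from TWiki itself; the regular expression, the function names and the template text are assumptions made for the illustration, and TWiki's real preference parser and access check are more involved.

```python
import re

# Constructed template text (hypothetical example, not from any real TWiki web).
# The %NOP% keeps the template itself editable by staff; only the instantiated
# topic carries a live ALLOWTOPICCHANGE restriction.
TEMPLATE = """---+ Work Request
Requester: (filled in by the staff member)

   * Set ALLOW%NOP%TOPICCHANGE = Main.ManagerGroup
"""

# Simplified model of a TWiki preference line: "   * Set NAME = value".
# "ALLOW%NOP%TOPICCHANGE" does not match \w+ followed by "=", so it is ignored.
SETTING_RE = re.compile(r'^\s+\* Set (\w+)\s*=\s*(.*?)\s*$', re.MULTILINE)


def parse_settings(text):
    """Return the preference settings this model recognises in a topic."""
    return {m.group(1): m.group(2) for m in SETTING_RE.finditer(text)}


def instantiate(template):
    """Model of the instantiation step: every %NOP% is removed from the text."""
    return template.replace('%NOP%', '')


def change_allowed(topic_text, user, groups_of_user):
    """Model of the ALLOWTOPICCHANGE check: if the setting is present, only the
    listed users/groups may edit; if it is absent, anyone may edit."""
    allow = parse_settings(topic_text).get('ALLOWTOPICCHANGE')
    if allow is None:
        return True
    allowed = {entry.strip() for entry in allow.split(',')}
    return user in allowed or bool(allowed & set(groups_of_user))


if __name__ == '__main__':
    topic = instantiate(TEMPLATE)
    print('template settings :', parse_settings(TEMPLATE))   # {}
    print('new topic settings:', parse_settings(topic))
    print('staff may edit template:', change_allowed(TEMPLATE, 'Main.StaffUser', []))
    print('staff may edit new topic:', change_allowed(topic, 'Main.StaffUser', []))
    print('manager may edit new topic:',
          change_allowed(topic, 'Main.ManagerUser', ['Main.ManagerGroup']))
```

The point the model makes visible: without the %NOP% the template would lock itself, so staff could no longer create requests from it; with it, the lock appears only in each instantiated request topic.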
Thanks Peter, that works fine.
Now how about if I wanted to include a new (sub)form template onto the page topic, conditional on an entry made in its main form (e.g. a radio button for 'Submit' which then includes a 'management' sub form)?
--
StephenHallett - 2010-01-13
I am sure some feature like AccessControlInFormFields will definitely help you.
Do you have bandwidth or resources to develop such a feature which can be contributed to the community?
I can help understand the feature/architecture of TWiki and with coding.
--
SopanShewale - 2010-01-14
Hi Sopan, that is a very neat and elegant feature suggestion. That would exactly solve my request.
--
StephenHallett - 2010-01-14
Idea: Keep the comments in a separate page B that is open. The page A that has the form is access restricted. The CommentPlugin templates can be tweaked to show the form in page A, post to page B, and return to page A.
--
PeterThoeny - 2010-01-15
2nd idea: Don't lock the page, but use form fields of type label. When you edit the page you can't change the form field values. Create a separate access restricted page for managers that has an HTML form. The submit pushes those fields into the page that has form fields of type label. This is not hard access control (a savvy user could edit a page and append the proper name=value to change the label field), but may be secure enough because of the TWiki audit trail. Details in TWikiForms.
--
PeterThoeny - 2010-01-15
Thanks Peter, the 2nd idea sounds like the best way to go. Can I just check the syntax for the manager form submit, and also how the receiving general page should use the parameters passed to permanently edit the page doc elements? Many thanks.
--
StephenHallett - 2010-01-16
Regular HTML form with input fields or picklists. The name of the field matches the name of the TWiki form field. For example, your TWiki form has a label field called Approved. Name the field in the HTML form the same way; the form action points to %SCRIPTURL{save}%/%WEB%/TopicToUpdate. On submit, the save script receives an Approved=JohnSmith parameter, which gets pushed into the label field. Details in TWikiForms, TWikiScripts.
--
PeterThoeny - 2010-01-17