
Question


embedding form restrict access based on source

asked on May 8, 2021

We are looking to provide access to forms from within a website that has a separate login. I'm displaying information with lookup rules in that form. I want to make sure that this form is ONLY able to load from within an iframe with a specific source, to ensure that people cannot find the URL for the form with its parameters in the URL and thereby get access to information without being logged in.

Is there a way to prevent a publicly accessible Laserfiche form from being opened unless it is called from a specific source URL?

Is there some other way I should consider getting to the same end result?

0 0

Replies

replied on May 11, 2021

To reiterate what Jason said at the bottom of his post, trying to build your own authentication for use on top of public Laserfiche forms is not a recommended practice and will likely not be truly secure. It might be a bit harder to get at the data for an everyday user, but it won't be secured from a bad actor. Please assume any lookup table data you have on this form could be accessible publicly. 

1 0
replied on May 11, 2021

Is there a recommended practice to meet the desired result?

0 0
replied on May 11, 2021

If you want a form to be secure, you need to make it a private form and define which users have submission rights to it. This requires those users to be defined participants in Laserfiche. The participant license is a lower cost Laserfiche license designed purely for accessing and submitting forms. It seems like these users should be licensed participants. 

1 0
replied on May 11, 2021

Yep.  Except that isn't my use case.  The people completing the form are just members of the public.  So no other way to handle native to LF Forms?

0 0
replied on May 11, 2021

In Forms, public users (unauthenticated) are all treated the same. If one public user can see lookup data, all public users can see lookup data. In your process, if your "public" users are authenticated to another system, you can consider building a workflow to create and assign a participant license to that public user so they can actually authenticate to Laserfiche as well. If they are not authenticated to Laserfiche, the data will not be secured to them. 

1 0
replied on May 10, 2021

This method is a bit of a hack - and because it uses JavaScript it can't be used with modern forms.

Add the following JavaScript to your form:

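$(document).ready(function() {
  // Query string without the leading "?"
  var pageURL = window.location.search.substring(1);
  var URLVariables = pageURL.split('&');
  var found = false;
  for (var i = 0; i < URLVariables.length; i++)
  {
    var parameterName = URLVariables[i].split('=');
    if (parameterName[0] === "valid")
    {
      found = true;
    }
  }
  // Redirect only when no "valid" parameter is present at all,
  // so other parameters in the URL do not trigger the redirect
  if (!found) {
    $(location).attr('href', 'about:blank');
  }
});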

This code basically checks to see if there is a parameter called "valid" in the URL. If it's not present then the page will redirect to a blank page (you can change "about:blank" to https://www.google.com or to another URL of your choice).

For example, on my machine this form can only be loaded if I go to: localhost/Forms/4W47V?valid

In your iframe you would add ?valid to the end of your form URL and it will load - for example: <iframe src="http://localhost/Forms/4W47V?valid" title="Iframe title"></iframe>. If ?valid is not included then the iframe will automatically redirect to a blank page.

You can also change "valid" to whatever you want in the code and URL.

0 0
replied on May 10, 2021

Interesting. I'll give it a shot! Thank you!

0 0
replied on May 10, 2021

Hi Paige,

Since you're trying to make it only work in an iframe, you could also try checking the value of window.top.location.href, which will differ from the form's URL when it is contained within a frame.

$(document).ready(function(){
  // Replace 'ParentURL' with the URL of the page that hosts the iframe
  if (window.top.location.href != 'ParentURL'){
    window.self.location.href = "about:blank";
  }
});

That way the page will always redirect if the "top level" URL doesn't match the value you set. If you want a partial match, you could use something like this instead:

!window.top.location.href.toLowerCase().startsWith('https://myurl')

However, it is worth emphasizing that this approach is not truly "secure", so depending on the sensitivity of the info on the form you may or may not want to rely on this to protect the content.

0 0
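
A variant of the frame check from the reply above, as an added example that is not part of the original thread: reading window.top.location.href raises a SecurityError when the parent page is on a different origin than the form, so this version falls back to location.ancestorOrigins and document.referrer. ALLOWED_PARENT_ORIGIN and the function names are assumptions; the check still runs in the visitor's browser, so, as the replies state, it does not protect lookup data.

```javascript
// Added example, not code from the thread.
// ALLOWED_PARENT_ORIGIN is a placeholder (assumption); use the origin of the page hosting the iframe.
var ALLOWED_PARENT_ORIGIN = 'https://portal.example.com';

// Returns the origin of the top-level page framing `win`, or null when the
// form is loaded directly or the origin cannot be determined.
// `win` is a window-like object so the logic can be exercised with mocks.
function parentOrigin(win) {
  if (win.self === win.top) {
    return null; // loaded directly, not inside a frame
  }
  try {
    // Works only when the parent is on the same origin as the form.
    return new URL(win.top.location.href).origin;
  } catch (e) {
    // Cross-origin parent: the browser blocks reading top.location.
  }
  // Some browsers list ancestor origins, parent first and top-level page last.
  var ancestors = win.location && win.location.ancestorOrigins;
  if (ancestors && ancestors.length > 0) {
    return ancestors[ancestors.length - 1];
  }
  // Last resort: the referrer of the frame's initial load (may be empty).
  try {
    return new URL(win.document.referrer).origin;
  } catch (e) {
    return null;
  }
}

function isAllowedEmbedding(win, allowedOrigin) {
  return parentOrigin(win) === allowedOrigin;
}

// Browser only: blank the frame when the parent is not the expected site.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (!isAllowedEmbedding(window, ALLOWED_PARENT_ORIGIN)) {
    window.location.replace('about:blank');
  }
}
```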