Adding Authenticated User to Forms Lookup Info

asked on May 4, 2022

Hi All,

I was wondering if anyone could help, I have a scenario on Forms which I can't find a solution to.

I need to filter lookup results based on the user who is logged in and it is critical from a security standpoint that users don't have any means of seeing data intended other users. As a basic example, I would have a number of rows in SQL and a column identifying what users can see those rows.

At face value, I can achieve this by adding a hidden field populated with {/_currentuser} or {/_currentuser_display} and have that as part of the lookup rule, however as far as I can tell, this won't work from a security standpoint because a user can inspect page and modify the value of that field using the browsers dev tools.

Is there a way to pass verifiable session information rather than just the username? My problem with using the username is that it is static, highly guessable and isn't linked to the fact they have actually authenticated as that user.

In terms of the backend, is the session information stored in the forms database? Can I use javascript to add values from the authentication header into the lookup field which could be checked against the forms DB?

(for reference, this question is related to on-prem forms rather than Cloud)

Thanks for your help,

Alistair

1 0

replied on May 4, 2022

I haven't personally done this, and I'm just kind of spitballing here.

But if it would be acceptable to just obfuscate the information somewhat rater than fully hiding it, you could try something like this.

You can trigger a Data Lookup from the current user value without populating that value into a field. On the Lookup Rules, instead of selecting a field for the "When" criteria, you can select "_(Current User)" which will allow you to lookup values based on the current user's username, but not in a way that someone could use inspect element to modify a field that contains that username to trigger a different search (or at least I don't think they can modify that).

That might be enough obfuscation for your purposes, triggering the lookup by the logged in user without needing to have that username stored in an editable field.

However, if you want additional obfuscation, you can use that lookup to lookup values from the cf_users table on your LFForms database. You could return either user_id, which is an integer identifier for each user, or you could return the sid which is a long alphnumeric identifier for each user. There is also an auth_code value in that table on version 11, but I'm less confident with how that value is used - so you'd need to do testing if you wanted to use that.

Returning one (or more) of those values to the hidden fields on your form, you could then use them to trigger secondary lookups (you could set-up Views on your own database that include joins back to the LFForms.cf_users table to facilitate those lookups), you've now got lookups that are using the current user, but with some obfuscation regarding what value is being used for the lookup.

1 0

replied on May 5, 2022

Hi Matthew, thanks for your reply! You know what... I think I might have been completely over thinking this and missed something very basic. I didn't think you could put the user token directly into the lookup rule without having to reference it in a hidden form field...

I think that might just completely solve my problem :D

Just as a sanity check, I don't suppose someone from Laserfiche could 100% confirm for us that this approach is ok for sharing highly sensitive data?

Ie. When _(Current User) is used in the when clause of a lookup rule, it's not possible for a submitter to change that value from the client browser using something like the browsers dev tools?

0 0

replied on May 5, 2022

You might be able to verify by getting into the dev tools and searching for your own user name.

0 0

Question

Question

Adding Authenticated User to Forms Lookup Info

Replies

Sign in to reply to this post.