
Question


Prevent user from entering alternate value when using lookups.

asked on December 7, 2023

I have a form that looks up various items. The lookup feeds in employee names according to supervisor. They also populate a confidential field that is a couple of fields below the employee name. I noticed that if the supervisor decides to type in an alternate name in the employee field, they were able to see the corresponding information. I tried to go around this by hiding my fields if certain criteria were met (basically, I verified the supervisor was the actual supervisor using a calculation). This works, but it is possible to get a glance of the confidential information (although very quick) before the calculation completes and hides the info. Is there a way to fix this? Or, perhaps, another way to approach the issue?

 


Replies

replied on December 7, 2023

Is this populating a table or do they pick one employee at a time?

If they're choosing the employee, then I'd say use a dropdown so they can't enter anything else, or if it is populating a table then make the employee field read-only.

Situations like this are part of the reason I don't return confidential information through lookups; even if you add restrictions anyone with passing familiarity of how to use the browser console could still bypass them to get the data.

Another thing to do would be changing your lookup to require an account parameter so it only ever returns allowed results even if they type something else into the field.

If you use the "Current User" option as the parameter for a condition, that would make it exceptionally more difficult for anyone to bypass because they can't just edit a field on the form.

We have a LF Forms process for employee change requests (office moves, promotions, etc.) and for that form the lookup takes in the current user as a parameter for a stored procedure; it doesn't matter what name they type, they'll still only get results for their employees.

replied on December 8, 2023

We do the same thing. A stored procedure pulls a list of employees to choose from that are specific to that supervisor. Just like Jason, we capture the Current User to pull the list from a stored procedure, that way they only see their employees. It works really well. Based on your setup, you could reverse the show/hide to Show if the calculation meets the positive results, then the calc has to finish before the field completes, but the sp is probably easier.

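The approach both replies describe (a lookup stored procedure that takes the Current User as a parameter), sketched in T-SQL as an added example that is not part of the original thread or either poster's code. The table, column and procedure names and the sample rows are hypothetical, and it assumes the form passes the signed-in account name as `@CurrentUser`.

```sql
-- Constructed sample schema and data; every object name here is hypothetical.
CREATE TABLE dbo.Employees (
    EmployeeId      INT IDENTITY PRIMARY KEY,
    EmployeeName    NVARCHAR(100) NOT NULL,
    SupervisorLogin NVARCHAR(100) NOT NULL,  -- account name of the supervisor
    ConfidentialVal NVARCHAR(100) NOT NULL   -- the field that must stay scoped
);
GO
INSERT INTO dbo.Employees (EmployeeName, SupervisorLogin, ConfidentialVal) VALUES
    (N'Ana Ruiz', N'CORP\jsmith', N'constructed-value-1'),
    (N'Ben Cole', N'CORP\jsmith', N'constructed-value-2'),
    (N'Cy Duong', N'CORP\mlee',   N'constructed-value-3');
GO
-- Weak pattern from the question: the only key is text typed into the form,
-- so hiding the field client-side is the sole control.
CREATE PROCEDURE dbo.GetEmployeeDetails_ByNameOnly
    @EmployeeName NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT EmployeeName, ConfidentialVal
    FROM dbo.Employees
    WHERE EmployeeName = @EmployeeName;
END;
GO
-- Scoped list for the employee dropdown: only the caller's own reports.
CREATE PROCEDURE dbo.GetMyEmployees
    @CurrentUser NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT EmployeeName
    FROM dbo.Employees
    WHERE SupervisorLogin = @CurrentUser
    ORDER BY EmployeeName;
END;
GO
-- Scoped detail lookup: a typed-in name outside the caller's reports matches
-- no row, so the confidential value never leaves the database.
CREATE PROCEDURE dbo.GetMyEmployeeDetails
    @CurrentUser  NVARCHAR(100),
    @EmployeeName NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT EmployeeName, ConfidentialVal
    FROM dbo.Employees
    WHERE EmployeeName = @EmployeeName
      AND SupervisorLogin = @CurrentUser;
END;
GO
```

Comparing `EXEC dbo.GetEmployeeDetails_ByNameOnly @EmployeeName = N'Cy Duong'` with `EXEC dbo.GetMyEmployeeDetails @CurrentUser = N'CORP\jsmith', @EmployeeName = N'Cy Duong'` shows the difference: the authorization check lives in the `WHERE` clause rather than in a show/hide rule on the form.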