Help creating a link that "Approves" a record or a link that autologins and filters.


    OK,
    First, this all runs over LAN or if someone has logged into a VPN and has his/her hosts file set up properly.

    I have a request system set up that emails various people throughout the chain that may need to approve the request. Basically, when a user creates a new record, he picks the person that should be approving the record and that person is automatically emailed when the record is saved.

    I want to send a link in that email to make it easy for the recipient to "approve" it. Approval, in this case, would be changing a logical field from 0 to 1 in an SQL table.

    Originally, I'd thought to try to create a link that would autologin the user and redirect that user to the proper page, filtered to the proper record. This is still something I'd entertain. In fact I may need this for one part of the chain and just an approval link (below) for a different part. I know it will be harder to do but I know it would be more secure as well. Security is a "bit" less of a concern because this is all on the LAN at the moment.

    If I just wanted to create a link that actually approves the record my guess is that I'd have to:

    1. Create an a5w page that runs the operation and must be set to always allowed for security.
    2. Make a link to that a5w page with the variables that the page needs to run included in it. (I'll probably need a bit of help with this)
    3. Make sure the page can't run without the above variables using xbasic and conditions.
    Optionally, I think it may be a good idea to grab the user's computer user name and pass that in. I set up my Alpha security to match our network security user names.

    Does that sound about right?

    Any help or better ideas would be greatly appreciated!

    Thanks!

    #2
    Re: Help creating a link that "Approves" a record or a link that autologins and filte

    I would agree with your proposed approach (items 1-3). You could create a UUID for each e-mail request, and this would be included as a URL variable in the link.
    EDITED...
    Have a separate DB table for such requests containing fields like UUID, RequestDateTime, Username, IsCompleted.
    You would then query the request table for this UUID and if found, change the approval flag to 1.
    No need to log in or navigate to a page in this case, but if you wanted extra security, just prompt for the user's password before making the change (either popup or in-page field).
    Sounds like you've got it covered!

    Comment


      #3
      Re: Help creating a link that "Approves" a record or a link that autologins and filte

      Hi Andy,
      I'm not sure what is meant by, or how to create, a UUID. I'll need a little help with the link. The page itself I think I can handle.

      Comment


        #4
        Re: Help creating a link that "Approves" a record or a link that autologins and filte

        Part 1 - Saving the Record
        Code:
        'add a field to your database table (the one that has the 0/1 approve flag) and name it reqKey
        'when you save the record, save this reqKey in the table
        dim reqKey as C=remspecial(api_uuidcreate())
        'blabla record save code
        dim recordid as N 'write code here to populate this properly
        
        'recordid is numeric, so convert it to a string before building the URL
        dim emailResponseLink as C="http://mywebsite.com/email_link_handler.a5w?rid="+alltrim(str(recordid))+"&rk="+reqKey
        dim approvalLink as C=emailResponseLink+"&action=APPROVE"
        dim denyLink as C=emailResponseLink+"&action=DENY"
        
        dim emailBody as C
        emailBody="Approve this post:<br/>"
        emailBody=emailBody+"<a href="+quote(approvalLink)+">"+approvalLink+"</a>"
        emailBody=emailBody+"Deny this post:<br/>"
        emailBody=emailBody+"<a href="+quote(denyLink)+">"+denyLink+"</a>"

        email_link_handler.a5w [SET TO ALWAYS ALLOWED]:
        Code:
        if eval_valid(Request.Variables.rid) .and. eval_valid(Request.Variables.rk) .and. eval_valid(Request.variables.action) then
             dim idToUpdate as N=convert_type(Request.Variables.rid,"N")
             dim requestKey as C=Request.Variables.rk
             dim requestAction as C=upper(Request.Variables.action)
             
             if requestAction<>"APPROVE" .and. requestAction<>"DENY" then
                  ?"INVALID ACTION"
                  end
             end if
        
             dim args as SQL::Arguments
             args.set("idToUpdate",idToUpdate)
             args.set("requestKey",requestKey)
             dim rec_count as N=sql_lookup("::name::conn","mytable","id=:idToUpdate AND reqKey=:requestKey","COUNT(*)",args)
             if rec_count==1 then
                   'record was found, run our update
                   if requestAction=="APPROVE" then
                         args.set("approval_flag",.t.)
                   else
                         args.set("approval_flag",.f.)
                   end if
        
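                   'scope the update to the one record whose id and key were just verified
                   sql="UPDATE mytable SET approval=:approval_flag WHERE id=:idToUpdate AND reqKey=:requestKey"
                   'You need to do a conn open here, I'm not gonna show you this code, I'm sure you know how to do this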
                   IF conn.execute(sql,args) then
                           ?"Record has been: "
                           if requestAction=="APPROVE" then
                                    ?"Approved"
                          else
                                    ?"Denied"
                          end if
                   else
                         ?"Record could not be updated, please contact your system administrator"
                   end if
             else
                   'record not found, either ID was not found, or an invalid request key was provided
             end if
        else
        ?"Invalid Request"
        end if
        Scott Moniz - Computer Programmer/Analyst
        REA Inc.
        http://reainc.net
        (416)-533-3777
        [email protected]

        REA INC offers consulting services, programming services, systems design, database design, third party payment gateway integration (CHASE, PAYPAL, AUTHORIZE.NET) and developer support.
        If you need custom code, or 1-to-1 mentoring in any facet of your database/web application design,
        contact us to discuss options.

        Comment


          #5
          Re: Help creating a link that "Approves" a record or a link that autologins and filte

          Jinx, the page itself needs to validate that the UUID used exists.
          First of all, hopefully you're using MySQL but anyways, the same concept applies.
          UUIDS (GUIDS) stand for Universally/Globally Unique IDentifiers.
          They are basically mumbo jumbo, but they are really random and you RARELY (and I mean RARELY if ever) generate the same guid twice.

          Anyways, let's say you made a page email_link_handler.a5w?rid=5&action=DENY
          Then anyone who accesses that can change rid to 8, rid to 9, rid to 11, and deny a whole bunch of records.
          When you save the record, you save a sort of ACCESS KEY / KEY / PASSWORD (this is where we are using the UUID).
          So each record looks like this

          Code:
          rec_id      approval_flag       access_key
            1                  0                apple
            2                  0                banana
          So now, if I want to update a record I must say:
          email_link_handler.a5w?rid=1&action=APPROVE&ak=apple <<This will update the record
          email_link_handler.a5w?rid=1&action=APPROVE&ak=banana <<This will not, note the banana access key does not correlate to record 1
          email_link_handler.a5w?rid=2&action=APPROVE&ak=banana <<This will update, notice that banana is the access key for record 2

          You are using the remspecial(api_uuidcreate()) to generate the access key for you.
          It's just a random alphanumeric string. Anyhow, the api_uuidcreate() brings back a guid with - , you can keep these or you can use remspecial() to get rid of them.
          For this purpose I recommend getting rid of them, otherwise you should url encode and url decode your links.

          If you require assistance implementing the above, REA INC would be happy to assist you.
          We provide mentoring and component development, so if you wanted us to write you a small sample that does this, we would be able to.
          The above sample is provided as is and may/may not work.
          However, if you would like us to provide you with a full working example, we can do so.

          Feel free to call us using the number below.
          Ask for Scott

          Hope you appreciate the time I took giving you this example (I'm actually on my lunch break) :)
          Enjoy - and please feel free to call us if you need guidance or a push in the right direction!
          Thanks,
          Scott
          Scott Moniz - Computer Programmer/Analyst

          Comment
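The key check described in posts #4 and #5, together with the completed flag suggested in post #2, as an added example that is not part of the thread. It is written in Python with SQLite rather than Xbasic, and the table, column and function names are assumptions.

```python
import hmac
import secrets
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "http://mywebsite.com/email_link_handler.a5w"  # placeholder host used in the thread


def make_db():
    """Constructed stand-in for the SQL table that holds the approval flag."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE requests ("
        " id INTEGER PRIMARY KEY,"
        " approval INTEGER,"  # NULL = unanswered, 1 = approved, 0 = denied
        " req_key TEXT NOT NULL,"
        " responded INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def create_request(conn):
    """Save a record with a fresh 128-bit key and return (id, e-mail links)."""
    key = secrets.token_hex(16)  # from the OS CSPRNG; 32 hex chars, URL-safe as is
    cur = conn.execute("INSERT INTO requests (req_key) VALUES (?)", (key,))
    conn.commit()
    rid = cur.lastrowid
    links = {
        action: BASE_URL + "?" + urlencode({"rid": rid, "rk": key, "action": action})
        for action in ("APPROVE", "DENY")
    }
    return rid, links


def handle_link(conn, url):
    """Process one clicked link and return a status string."""
    query = parse_qs(urlsplit(url).query)
    rid_text = query.get("rid", [""])[0]
    key = query.get("rk", [""])[0]
    action = query.get("action", [""])[0].upper()

    if action not in ("APPROVE", "DENY"):
        return "INVALID ACTION"
    if not (rid_text.isascii() and rid_text.isdigit() and len(rid_text) <= 18):
        return "INVALID REQUEST"
    rid = int(rid_text)

    row = conn.execute(
        "SELECT req_key, responded FROM requests WHERE id = ?", (rid,)
    ).fetchone()
    # Same answer for an unknown id and a wrong key, so the reply does not
    # reveal which record ids exist. compare_digest runs in constant time.
    if row is None or not hmac.compare_digest(row[0].encode(), key.encode()):
        return "INVALID REQUEST"
    if row[1]:
        return "ALREADY ANSWERED"  # the link is single-use

    # The WHERE clause repeats id, key and responded = 0 so the statement can
    # change at most the one verified, unanswered row.
    cur = conn.execute(
        "UPDATE requests SET approval = ?, responded = 1"
        " WHERE id = ? AND req_key = ? AND responded = 0",
        (1 if action == "APPROVE" else 0, rid, key),
    )
    conn.commit()
    if cur.rowcount != 1:
        return "INVALID REQUEST"
    return "APPROVED" if action == "APPROVE" else "DENIED"


if __name__ == "__main__":
    db = make_db()
    first_id, first_links = create_request(db)
    second_id, second_links = create_request(db)
    # A link for record 2 with only rid edited to 1 is rejected.
    edited = second_links["APPROVE"].replace("rid=%d" % second_id, "rid=%d" % first_id)
    print(handle_link(db, edited))
    print(handle_link(db, first_links["APPROVE"]))
    print(handle_link(db, first_links["DENY"]))
```
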


            #6
            Re: Help creating a link that "Approves" a record or a link that autologins and filte

            Sounds pretty straightforward. I've done stuff like that -- I have one app that batch emails a bunch of people with an A5W page link and their specific various ID's inserted into it (e.g., www.mypage.a5w?eventid=434&participantid=445). The landing page validates the ID's and recognizes the (in this case) event and participant ID, and if those are correct, allows them access to a web component waiting behind the web page.

            One thing I've noticed, though, that you are MUCH better off making sure that you "harvest" and validate incoming request variables and turn them into session variables ASAP. That is, in the A5W page rather than, say, the onGridExecute() -event, because in my experience the request variables become randomly unreliable by the time the web component is invoked.

            In my case I don't have too many security concerns since the user domain is pretty small, but if this was a more public site I would definitely create much more obtuse parameter names and keys. I don't know if relying on the computer user name is a good idea, because you never know where people might decide to connect to your page from.

            Comment


              #7
              Re: Help creating a link that "Approves" a record or a link that autologins and filte

              "One thing I've noticed, though, that you are MUCH better off making sure that you "harvest" and validate incoming request variables and turn them into session variables ASAP" - Agree with the first part 'harvesting', but you do not need session variables for this. Also, I would recommend using keys.

              If you did not use keys, then anyone who sees those links can input different numbers and effectively approve/deny records as they please.
              By using a key on the record, you are effectively creating a link that is harder to guess.

              delete_table.a5w?tablename=mytable <<I can pretty much figure out that by passing table names here it will delete a table. I can change this to delete_table.a5w?tablename=customer and BANG there goes your customer table

              delete_table.a5w?tablename=mytable&key=0293120930123921039129 <<Ok this deletes ok
              delete_table.a5w?tablename=customer&key=0293120930123921039129 <<This key will not match and the customer table will not be deleted.

              It really depends on your security concerns.
              Another option is to put security on the approve page, and then on that page, save redirect variables in session, then after login in your post login processor parse those variables and determine whether you need to approve/deny.
              Scott Moniz - Computer Programmer/Analyst

              Comment


                #8
                Re: Help creating a link that "Approves" a record or a link that autologins and filte

                UUID just makes it easy to create a unique string per request.
                http://wiki.alphasoftware.com/API_UUIDCREATE+Function

                Comment


                  #9
                  Re: Help creating a link that "Approves" a record or a link that autologins and filte

                  Hi Jinx,

                  I do a very similar thing to what Scott has suggested, using a UUID for the link. Based on that experience, I suggest you send two UUID codes, one for approve and one for disapprove. That way, you know if the person has responded and tickle them if they haven't.

                  Pat
                  Pat Bremkamp
                  MindKicks Consulting

                  Comment


                    #10
                    Re: Help creating a link that "Approves" a record or a link that autologins and filte

                    Wow, that's a lot of info! It might take me a little while to read through this carefully and start testing some stuff out.

                    What I think I understand so far is:
                    1. Add a new field to the table that I want someone to approve the record on.
                    2. Change my submit code to Save UUID to that field using something like: dim reqKey as C=remspecial(api_uuidcreate())
                    3. Right now I have an email button so I'd have that ajax callback to grab the UUID out of the table and create a link in the email.
                    4. Make a page that handles the link and checks against the UUID in it to run the SQL and approve the record.

                    Sound about right?

                    Thanks everyone!

                    Comment


                      #11
                      Re: Help creating a link that "Approves" a record or a link that autologins and filte

                      Of course you are right about that, especially when the web site is not running in a "walled garden." My approach is ripe for abuse out in the wild, but given the people who know about this site and use this particular application, I don't worry about security too much. And you are right about the id -name as well -- one should ideally make that one non-sensical as well, so that it is harder to guess what it refers to.

                      Originally posted by aburningflame
                      "One thing I've noticed, though, that you are MUCH better off making sure that you "harvest" and validate incoming request variables and turn them into session variables ASAP" - Agree with the first part 'harvesting', but you do not need session variables for this. Also, I would recommend using keys.

                      If you did not use keys, then anyone who sees those links can input different numbers and effectively approve/deny records as they please.
                      By using a key on the record, you are effectively creating a link that is harder to guess.

                      delete_table.a5w?tablename=mytable <<I can pretty much figure out that by passing table names here it will delete a table. I can change this to delete_table.a5w?tablename=customer and BANG there goes your customer table

                      delete_table.a5w?tablename=mytable&key=0293120930123921039129 <<Ok this deletes ok
                      delete_table.a5w?tablename=customer&key=0293120930123921039129 <<This key will not match and the customer table will not be deleted.

                      It really depends on your security concerns.
                      Another option is to put security on the approve page, and then on that page, save redirect variables in session, then after login in your post login processor parse those variables and determine whether you need to approve/deny.

                      Comment


                        #12
                        Re: Help creating a link that "Approves" a record or a link that autologins and filte

                        For records I expect to link to from the outside world, I often have an ID (simple autoinc for internal linking) and then an "eid", stands for "encrypted ID". The eid is normally 32 character using remspecial(api_uuidcreate()). I use the eid in URL's to link to the record, same as others have mentioned here using the uuid.

                        That allows me to do something like:

                        ...enrollment_form.a5w?eid=aftre1fa03cd4f038ae0891e5fedc788&app=student

                        The app parameter tells the A5W page to display the "Student" application and the eid ties back to the Customer record to pick off Customer Name, email address, etc. I could encrypt the word "student" as well if I felt that was necessary.

                        For better security you can embed the date in the eid, like:

                        d = cdate(date())
                        eid = eid + base64encode(d)


                        Now the string starting in position 33 to the end is the date of the link. You can parse that as well, and if the date is older than X, you can report that the link has expired. If you do that, you have the security knowing no one can ever use the link after it expires.

                        If I don't have an eid, I might use an algorithm on the ID to create encrypted id on the fly, using something like this:

                        id = 100
                        tt = alltrim(str(id)) + "some_seed_string"
                        pp = urlencode(base64encode(tt))
                        ?pp
                        = "MTAwc29tZV9zZWVkX3N0cmluZw%3d%3d"


                        And this to decrypt:
                        ?stritran(base64decode(urldecode(pp)),"some_seed_string")
                        = "100"


                        If you take that logic and add an encrypted parameter to indicate Yes or No, you can make it work.
                        Steve Wood
                        See my profile on IADN

                        Comment
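Base64 is an encoding that anyone can reverse and rebuild, so a date or id carried that way can be edited by whoever holds the link. The added example below (not code from the thread, and in Python rather than Xbasic) binds the record id, the action and an expiry time with an HMAC tag that only the server can produce; the token layout, function names and demo secret are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key: a real deployment loads a random secret from server
# configuration and never puts it in a link or a page.
SECRET = b"constructed-demo-secret-not-for-production"


def b64u(data):
    """URL-safe base64 without padding, so the token needs no URL encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64u(text):
    """Inverse of b64u; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(record_id, action, ttl_seconds, now=None, secret=SECRET):
    """Return 'payload.tag' where tag = HMAC-SHA256(secret, payload)."""
    issued = int(time.time() if now is None else now)
    payload = ("%d|%s|%d" % (record_id, action, issued + ttl_seconds)).encode("ascii")
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return b64u(payload) + "." + b64u(tag)


def verify_token(token, now=None, secret=SECRET):
    """Return (record_id, action) for a genuine, unexpired token, else None."""
    try:
        payload_text, tag_text = token.split(".")
        payload = unb64u(payload_text)
        tag = unb64u(tag_text)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None

    # Check the tag before trusting any field inside the payload.
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None

    try:
        id_text, action, expires_text = payload.decode("ascii").split("|")
        record_id, expires = int(id_text), int(expires_text)
    except ValueError:
        return None
    if action not in ("APPROVE", "DENY"):
        return None
    current = time.time() if now is None else now
    if current > expires:
        return None  # the link has expired
    return record_id, action


if __name__ == "__main__":
    token = make_token(100, "APPROVE", ttl_seconds=3600)
    print(token)
    print(verify_token(token))
    # Rebuilding the payload for another record without the secret fails.
    forged = b64u(b"101|APPROVE|9999999999") + "." + token.split(".")[1]
    print(verify_token(forged))
```

A signed token proves the link was issued by the server and is still within its lifetime; making it single-use still needs a server-side record of which links have been answered.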


                          #13
                          Re: Help creating a link that "Approves" a record or a link that autologins and filte

                          Thanks again guys!

                          I was able to get this to work a lot easier than I expected.

                          First, I was able to "cheat" and use the automatically created email action to make the link. I just used this in the action editor:
                          Code:
                          <a href="http://mywebsite.com/email_link_handler.a5w?rid={unique_id}&rk={ReqKey}&action=APPROVE">Click To Approve This Request</a>
                          The only problem is that this was failing:
                          Code:
                          eval_valid(Request.Variables....)
                          So I just changed it to:
                          Code:
                          variable_exists("Request.Variables....")
                          Which seems to work fine for my purposes.

                          Comment


                            #14
                            Re: Help creating a link that "Approves" a record or a link that autologins and filte

                            Now, since that was relatively painless...and because I KNOW a user is going to ask for this soon....

                            How would I go about creating a link that will automatically login the user (which redirects to my tabbed UI), open the proper tab in the tabbed ui, and then filter the grid to that record? I think I know how to make the grid filter once I get there but the rest of the process is a bit of a mystery at the moment.

                            Thanks again!

                            Comment


                              #15
                              Re: Help creating a link that "Approves" a record or a link that autologins and filte

                              You are correct about eval_valid(Request.Variables...etc
                              It should be eval_valid("VARIABLENAMEASCHARACTERSTRING"), what Alpha does underneath is try to eval it, returns true if it evals (e.g. the variable DOES indeed exist) and false otherwise.

                              My mistake.
                              So yes, use
                              if eval_valid("Request.Variables.varname")

                              "How would I go about creating a link that will automatically login the user (which redirects to my tabbed UI), open the proper tab in the tabbed ui, and then filter the grid to that record? I think I know how to make the grid filter once I get there but the rest of the process is a bit of a mystery at the moment." - THINK LONG AND HARD....Do you really want a link to automatically login the user (this would mean passing the password in the link)? This is a HUGE, I stress, HUGE security hole.

                              Are you sure you don't want to link to the LOGIN page, make the user enter their password, and THEN automatically open the tab in the proper page etc?
                              Scott Moniz - Computer Programmer/Analyst

                              Comment
