Implement Record Security in "After Initialize" Event

Your Task Management system is now almost complete, except one possibly important feature- security.
Currently everyone can modify and delete any of the tasks. You may want to limit the access so that only the employee assigned to as task can update their tasks. There are many ways of accomplishing this, and we will explain several of them.

1. Click on the "tasks_maint" page in the Project Explorer.
2. Select "Events" tab in the Properties window.
3. Add "Custom Code" to the "After Initialize" event of the page. Once in the Code view, replace the generated comment:

   /* Write your own code here. */

   with the code below:

   String currentTask = e.getPage().getHttpGetParams().getParameter("task_id");
   if (!StringUtils.isEmpty(currentTask))
   {
     String uid = Utils.getUserId(e.getPage());
     Object task_id = DBTools.dLookUp("user_id_assign_to","tasks","task_id="+DBTools.toSql(currentTask, 
                      JDBCConnection.INTEGER, "IntranetDB"), "IntranetDB");
     if (!uid.equals(String.valueOf(task_id)))
     {
       e.getPage().getRecord("tasks").setVisible(false);
       // e.getPage().setRedirect("tasks_list.jsp");
       // e.getPage().getRecord("tasks").setAllowUpdate(false);
       // e.getPage().getRecord("tasks").setAllowDelete(false);
     }
   }

The above code allows you to test the following methods of implementing record security:

Do not show the Task (record form) on the page if the selected task doesn't belong to the current user. An unauthorized user should see a blank page.

You can hide any form on a page by assigning false value to the Visible property of the form with the setVisible method.
The code "if (!StringUtils.isEmpty(currentTask))" in the "if" condition specifies that the code should be executed only if a user tries to modify an existing task and he/she is not assigned to it. The "if" also assures that all users can create new tasks. You can test this functionality by inserting the above code into the event, then switching to Live Page mode and trying to modify a task that is not assigned to you, in which case you should see an empty page. Although such functionality may not be very useful, it shows how you can hide forms on a page. You may consider adding another record form to your page that is not updateable and has just the Label fields that show information. Once you have two forms on the page, you can hide each form programmatically using opposite, mutually exclusive criteria.

Redirect unauthorized users to another page. Only users who are assigned to a task can view the page.

You can implement and test this functionality by slightly modifying the above code as shown below:

String currentTask = e.getPage().getHttpGetParams().getParameter("task_id");
if (!StringUtils.isEmpty(currentTask))
{
  String uid = Utils.getUserId(e.getPage());
  Object task_id = DBTools.dLookUp("user_id_assign_to","tasks","task_id="+DBTools.toSql(currentTask, 
                   JDBCConnection.INTEGER, "IntranetDB"), "IntranetDB");
  if (!uid.equals(String.valueOf(task_id)))
  {
    // e.getRecord().setVisible(false);
    e.getPage().setRedirect("tasks_list.jsp");
    // e.getPage().getRecord("tasks").setAllowUpdate(false);
    // e.getPage().getRecord("tasks").setAllowDelete(false);
  }
}

The above code shows that you should comment out the previously active line, and uncomment the line that contains "setRedirect".
setRedirect is a method used by CodeCharge Studio to determine if the user should be redirected to another page, for example if a user is not logged in. This variable can be used only on pages that have restricted access and require users to login. You can simply assign the destination page using the setRedirect method and the user will be automatically redirected. Test this functionality by modifying the code as shown, then switch to Live Page mode and trying to modify a task that is not assigned to you.

Disallowed Update and Delete operations for unauthorized users. Only users who are assigned to a task can edit (delete) it.

You can implement and test this functionality by slightly modifying the above code as shown below:

String currentTask = e.getPage().getHttpGetParams().getParameter("task_id");
if (!StringUtils.isEmpty(currentTask))
{
  String uid = Utils.getUserId(e.getPage());
  Object task_id = DBTools.dLookUp("user_id_assign_to","tasks","task_id="+DBTools.toSql(currentTask, 
                   JDBCConnection.INTEGER, "IntranetDB"), "IntranetDB");
  if (!uid.equals(String.valueOf(task_id)))
  {
    // e.getRecord().setVisible(false);
    // e.getPage().setRedirect("tasks_list.jsp");
    e.getPage().getRecord("tasks").setAllowUpdate(false);
    e.getPage().getRecord("tasks").setAllowDelete(false);
  }
}

This code shows how you can manipulate the setAllowUpdate and setAllowDelete properties of a record form. These properties control record update/delete operations execution. If set to false, the operation will not be executed.
These properties also control the visiblity of the Update and Delete buttons on the page.

Next: Conclusion