Locking a Form record
If I set the security settings for a limited access to records on a table, IsEmpty(table::signature) , will it also prevent modifying portal fields on that layout?
Only if you set the same limitations on the portal's table.
(And this won't prevent creating a new record in the portal if "allow creation..." is enabled...
Maybe a script trigger on layout entry to check if (table::signature) is empty go to the normal layout, but if it contains a signature - go to a layout where all fields have field entry diabled.
Possibly, but a key reason for using Manage | security is to avoid the less secure layout based record locking. If you lock the portal table with record level access control just like the layout's table, you can set a validation rule on the fields in the portal to reject any data if the table is locked, then use a script trigger to deny access to the portal to make the interface more friendly.
On our invoicing system, we use an OnObjectEnter trigger on the portal to run a script to check the privilege set. If editing an invoice is not permitted for this users, commit record is used to kick them back out of the portal. This is a two layer defense. The data level validation makes sure that even if I fail to perfectly set up my script triggers on every layout where it's possible to access this table, unauthorized record creation will be prevented. The script trigger then intercepts the attempted access before a new record can be attempted to make the interface run more smoothly.
So would i create a new privledge set, say Technician, and then set that to limited access to each table based on each form::signature block. Then set the OnObjectEnter script trigger on the data portal for each of the form layouts to check if that form::signature field and if it is signed - commit record to kick them out of the portal? I already have OnObjectEnter script triggers on the portals to capture the portal name to keep track of the data records, can there be more than 1 script per trigger event?
No, but you can merge both tasks into the same script. And this need only be done for portals where new record creation is permitted in the relationship set up.
ok I wrote a test script that sets $formlock to Get ( LayoutTableName ) & "::signature" and displays it in a dialog box to check the results, then added a perform script step in my previous script. It seems to work as it gives me TableX::signature
So could I use a If (IsValid ($formlock)) - commit record? to kick the user out of the portal?
IsValid won't tell you want you need to know here. The fact that the data in the referenced field is valid doesn't tell you if the user is permitted access to the field.
In our system, we just need to compare the privilege set name to the status field of the parent record.
If [ Get ( AccountPrivilegeSetName ) = "LowLevelAccess" And Invoices::Status = "Printed" ] Commit RecordEnd If
OK I was trying to have it set by whether the form had been signed or not(it would take administrator access to go into the data table to alter any data once signed), and was thinking I would check the signature field. There is a signature field for each form table and in this instance each form table is a parent and the data table is the child.
It doesn't seem to matter whether I try IsValid or IsEmpty on the container field, it goes to commit record anyway. Do those functions not work on containers?
IsEmpty should work. Make sure it's set up like this:
IsEmpty ( GetField ( Get ( LayoutTableName ) & "::signature" ) )
So I got:
if Get ( AccountPrivilegeSetName ) = "Admin"
If IsEmpty ( GetField ( Get ( LayoutTableName ) & "::signature" ) )
Which could be simplified to:
If [ Get ( AccountPrivilegeSetName ) = "Admin" or IsEmpty ( GetField ( Get ( LayoutTableName ) & "::signature" ) ) ]Else Commit RecordEnd If
That seems to work, but on the forms the privlege sets part doesn't seem to work.
I set up a privilege set, Tech, and set records to custom privileges. then for the form table set the Edit and Delete to limited - IsEmpty ( GetField ( signature ))
Thinking that should allow editing the fields if signature is empty and prevent it if there is a signature present. It is not preventing the editing of the fields.
You don't need getfield unless you are calculating the name of the table and field. If Signature is defined in form table where you are putting this RLA calculation in place, make it IsEmpty ( Signature ).
Retrieving data ...