2 Replies Latest reply on Nov 6, 2015 12:49 PM by Nihm_Brisby

    Web Direct as 'online showroom'

    Nihm_Brisby

My question pertains to creating a layout for customers to connect to my database via WebDirect to view inventory that I would like them to see (an 'online showroom').  I am primarily interested in any objections that may be raised with regards to having a client connect to a company's database.

       

      My Situation (simplified)

      I have a database with an inventory table.  Each record represents one automobile.  I view and edit these records in an Inventory layout.

       

I have a showroom table.  These records represent collections of automobiles.  These collections can represent exhibitions, but they can also represent groupings of autos that I want to show to a collector.

       

      Finally I have a join-Showroom-Inventory table.  This is to enable a many to many connection between showroom and inventory, as each showroom contains many cars, and each car can belong to multiple showrooms.

       

      Each table has one table occurrence.  The primary keys of inventory and showroom fill the foreign keys in join-Showroom-Inventory.  Everything works perfectly.

       

      My Goal

      Now I would like to create a privilege set that allows a specified user account to view a showroom in a special client-showroom layout if-and-only-if the user account name = Showroom::Client.  For instance, I would like for my client Fred to log in using the account 'Fred' that I have created especially for him.  In the showrooms I would like him to view, I enter "Fred" in the Showroom::Client field.  Fred is assigned a privilege set that allows him to see NO tables, NO layouts except strictly what is required to render the showroom in the client-showroom layout.

       

I have had great experiences with WebDirect so far, and would like to use it in this way.  All of the security in my database is based on FileMaker's built-in account security (no ersatz/scripted security).  Nevertheless, I can't help but wonder if what I am attempting to do is a BIG no-no.  After all, a customer will be directly connecting to the company's database.

       

      I hope I have described my situation clearly.  The community forums are excellent, and I look forward to any replies I am fortunate enough to receive.

       

      Thanks,

      Nihm

        • 1. Re: Web Direct as 'online showroom'
          mikebeargie

Should be fine as long as you do the proper planning and set up the privilege set for the WebDirect user account correctly.

           

          Most of what you need to do could be accomplished via a single WebDirect privilege set. Setting access to read only, and setting record access to only allow for viewing of records when a certain calculated condition is met. The rest can be handled through disabling menus and controlling navigation via script.

           

          I'd also suggest that maybe you implement the robust accounts module, which would allow your client more control over adding and setting users to that webdirect privilege:

          http://www.modularfilemaker.org/module/accounts-modular-user-account-management/

           

Before you release it to the public, find someone who knows nothing about FileMaker, and have them try to break it. "Black box testing", as it's known, is very handy for building secure WebDirect solutions.

           

Also, make sure to read up on the homeurl parameter of WebDirect, so you can redirect the user back out to a non-WebDirect site.
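The record-level part of the privilege set described in the question and in the reply above, written out as the calculations FileMaker's "Records: Custom privileges... View: Limited..." dialog takes. This is an added example, not code from either poster: it assumes table occurrences named Inventory and Showroom (as on the page) with the join table relating them, the path Inventory -> join-Showroom-Inventory -> Showroom in the relationship graph, one account name per Showroom::Client field, and a privilege set name of "Showroom Client", which is hypothetical.

```filemaker
/* Privilege set "Showroom Client" (hypothetical name).
   Records: every table not listed below = No Access; Edit/Create/Delete = No on all three.
   Layouts: No Access everywhere except the client-showroom layout (View only).
   Scripts: Executable only for the navigation/search scripts that layout calls.
   Extended privileges: fmwebdirect on, fmapp off, so the account cannot open the
   file from FileMaker Pro/Go at all, only through WebDirect. */

// Showroom, View: Limited...  (evaluated in the Showroom context)
// A showroom is visible only when its Client field names the logged-in account.
// Get ( AccountName ) is never empty for a logged-in session, so a blank Client
// field never matches. The comparison is case-insensitive, which is consistent
// with FileMaker account names being case-insensitive.
Showroom::Client = Get ( AccountName )

// join-Showroom-Inventory, View: Limited...  (evaluated in the join context)
// Follow the join -> Showroom relationship; a join row is visible exactly when
// the showroom it belongs to is.
Showroom::Client = Get ( AccountName )

// Inventory, View: Limited...  (evaluated in the Inventory context)
// A car may sit in several showrooms. List () walks Inventory -> join -> Showroom
// and collects the Client value of every showroom the car is in; FilterValues ()
// keeps only the entries equal to the current account. The record is visible
// if and only if at least one of its showrooms belongs to this client.
// A car that is in no showroom at all is hidden, which is the safe default.
not IsEmpty ( FilterValues ( List ( Showroom::Client ) ; Get ( AccountName ) ) )
```

Two checks worth running before handing the account out: log in as the client in WebDirect and confirm that "Show All Records" on every reachable layout returns only the expected showrooms and cars (limited access hides records rather than erroring, so a leak is silent), and confirm the same account is refused when opening the file from FileMaker Pro, which verifies the fmapp extended privilege really is off.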

          • 2. Re: Web Direct as 'online showroom'
            Nihm_Brisby

            Thanks Mike!

             

            In fact I've already integrated Mr. Burgess's account module, and I could not be happier with it.  I'm pretty sure I first heard about it when you recommended it to someone else in a post on the forums, so thanks for that as well!

             

            All my navigation/searching is controlled via scripts,  all the toolbars are disabled, and admin access is removed via developer utilities.  Everything's working great.

"setting record access to only allow for viewing of records when a certain calculated condition is met. The rest can be handled through disabling menus and controlling navigation via script."

This was my plan, so I am very happy to hear you recommend this approach (of course its effectiveness will depend on the correctness of my implementation).  I'm now researching 'black box testing' and the homeurl parameter (thanks for your mainspring post + file on that).

             

FileMaker has a great community!

             

            Thanks,

            Nihm