
APEX ReadOnly Pages - The easy way

If your Oracle APEX Application requires different types of access - full access or read only - for different types of users, you can specify a Read Only Condition on Page level (or Region, Item, Button, etc.).
You can set an Authorization Scheme on Application level, so it'll be applied to all pages. So if you have an Authorization Scheme named 'User Can Access Page' defined by a PL/SQL function like this:

return apex_authorization.user_can_access_page
( p_app_id  => :APP_ID
, p_page_id => :APP_PAGE_ID
, p_user    => :APP_USER
); 

then you can code all the logic in the database using the APEX Repository, your own tables or a combination to define whether a user has access to that page or not.
But alas it is not possible to define something similar Application wide for a Read Only condition. You can specify an Authorization Scheme 'User has Read Only Access' using a similar signature as the one above and use that on each and every page in the Read Only Condition using the APEX API:

apex_util.check_authorization( p_security_scheme => 'User has Read Only Access');

That way you still hide the PL/SQL logic, but you have to apply it to every Page ... and that's not very developer friendly. Another downside is that the Page is actually rendered as read only: it looks very different from the same page in regular updatable mode, so your layout may be screwed. The advantage is that it is (almost) impossible to hack a page rendered like that to make an illegal update to your database.

So can we achieve a similar / better result with less effort?
Yes, we can. Let's define a Dynamic Action (DA) on Page 0 that'll only run when our previously defined "ReadOnly" Authorization Scheme is met. That DA will run a snippet of JavaScript "On Page Load" :

// Remove Delete, Save, Create buttons and the Popup LOV and Calendar icon
$('a').has('.fa-trash-o, .fa-floppy-o, .fa-plus, img.uPopupLOVIcon').remove();
$('img.ui-datepicker-trigger').remove();
// Switch off input fields within div.uRegionContent 
$('input, select, textarea', 'div.uRegionContent').prop('readonly', true).prop('disabled',true);

So this removes a number of "update" buttons and sets all items to readonly and disabled. Be aware that the selectors - especially for the buttons - may be different in your own environment, depending on template settings etc.
But although the initial result looks good, as the layout isn't changed and none of the items are updatable, it isn't very secure. The buttons are removed - which is already a tad safer than just disabling them - but I can re-enable all the Page Items with just one line of JavaScript. And a page submit doesn't require a lot of JavaScript knowledge either. So if I can open up my browser console, it is easy to conquer this carefully crafted Read Only Page...
And of course we can add a Condition or Authorization Scheme to every page process to make sure they only run for users with full access, but that would require a lot of work again!
So we have to close down the backend as well. And preferably not by adding triggers on every table.... But we can interfere with the PL/SQL that's executed when the page is submitted: there is a section called "Initialization PL/SQL Code" under Security Settings. Although that sounds like it runs only when you "initialise" a page .... it also runs when you initialise a submit!
So if we enter something like this piece of PL/SQL in that section:

if apex_authorization.user_has_read_only_access
   ( p_app_id  => :APP_ID
   , p_page_id => :APP_PAGE_ID
   , p_user    => :APP_USER
   ) and :REQUEST in ('SAVE', 'DELETE', <and a lot more>)
then
  raise_application_error( -20000, 'You are trying to make some changes with Read Only privileges' );
end if; 

a user with Read Only access who tries to fire an illegal SAVE or DELETE request will be blocked (although that message isn't shown). If you look in the (standard) DML Processes you can see there are quite a lot of requests that should be in that list. Be aware that other requests - and especially processes that run unconditionally - are not protected by this!
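Below is an added example, not code from the original post, that puts both halves of the approach in one place: the functions behind the 'User Can Access Page' and 'User has Read Only Access' Authorization Schemes, and the server-side check for the Initialization PL/SQL Code. The package name APP_SECURITY, the table APP_PAGE_ACCESS and the list of write requests are all assumptions; the request list in particular is constructed and has to be compared against the DML processes in your own application, as the post says.

```plsql
-- Added example (not from the original post). Assumed table: one row per
-- application / page / user; page_id 0 is the application-wide default and an
-- explicit page row overrides it. No row at all means no access.
create table app_page_access (
  app_id       number        not null,
  page_id      number        not null,   -- 0 = applies to every page of the app
  user_name    varchar2(255) not null,
  access_level varchar2(10)  not null
    constraint app_page_access_lvl_ck check (access_level in ('FULL', 'READONLY')),
  constraint app_page_access_pk primary key (app_id, page_id, user_name)
);

create or replace package app_security as
  function  user_can_access_page      (p_app_id number, p_page_id number, p_user varchar2) return boolean;
  function  user_has_read_only_access (p_app_id number, p_page_id number, p_user varchar2) return boolean;
  procedure block_writes_when_read_only (p_app_id number, p_page_id number, p_user varchar2, p_request varchar2);
end app_security;
/

create or replace package body app_security as

  -- Resolve the effective access level: the explicit page row wins over page 0.
  function access_level (p_app_id number, p_page_id number, p_user varchar2) return varchar2 is
    l_level app_page_access.access_level%type;
  begin
    select access_level
      into l_level
      from ( select access_level
               from app_page_access
              where app_id    = p_app_id
                and page_id   in (p_page_id, 0)
                and user_name = upper(p_user)
              order by page_id desc )   -- explicit page before page 0
     where rownum = 1;
    return l_level;
  exception
    when no_data_found then
      return null;                        -- no row: no access
  end access_level;

  function user_can_access_page (p_app_id number, p_page_id number, p_user varchar2) return boolean is
  begin
    return access_level(p_app_id, p_page_id, p_user) is not null;
  end user_can_access_page;

  function user_has_read_only_access (p_app_id number, p_page_id number, p_user varchar2) return boolean is
  begin
    return access_level(p_app_id, p_page_id, p_user) = 'READONLY';
  end user_has_read_only_access;

  -- Server-side guard for the Initialization PL/SQL Code. The Page 0 Dynamic
  -- Action only hides controls in the browser; a crafted submit still reaches
  -- the database, so write requests are refused here for read-only users.
  procedure block_writes_when_read_only (p_app_id number, p_page_id number, p_user varchar2, p_request varchar2) is
    type t_requests is table of varchar2(30);
    -- Constructed list: extend it after inspecting your own DML processes.
    c_write_requests constant t_requests := t_requests(
      'CREATE', 'CREATE_AGAIN', 'INSERT', 'SAVE', 'APPLY CHANGES', 'UPDATE', 'DELETE', 'REMOVE');
  begin
    if p_request is null then
      return;                             -- plain page render, nothing to block
    end if;
    if user_has_read_only_access(p_app_id, p_page_id, p_user) then
      for i in 1 .. c_write_requests.count loop
        if upper(p_request) = c_write_requests(i) then
          raise_application_error(-20000,
            'You are trying to make some changes with Read Only privileges');
        end if;
      end loop;
    end if;
  end block_writes_when_read_only;

end app_security;
/

-- Authorization Scheme 'User Can Access Page' (PL/SQL Function Returning Boolean):
--   return app_security.user_can_access_page(:APP_ID, :APP_PAGE_ID, :APP_USER);
-- Authorization Scheme 'User has Read Only Access':
--   return app_security.user_has_read_only_access(:APP_ID, :APP_PAGE_ID, :APP_USER);
-- Security Settings > Initialization PL/SQL Code:
--   app_security.block_writes_when_read_only(:APP_ID, :APP_PAGE_ID, :APP_USER, :REQUEST);
```

The list is a deny list, like the one in the post: any request that is not on it still runs, which is exactly the gap the post warns about for unconditional processes, so every DML process and custom PL/SQL process in the application has to be checked against it.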

But with just one snippet of JavaScript and one piece of PL/SQL we implemented a Read Only feature on each and every page of our application - and the pages still look exactly the same!
