
APEX ReadOnly Pages - The easy way

If your Oracle APEX application requires different types of access - full access or read only - for different types of users, you can specify a Read Only Condition at page level (or on a region, item, button, etc.).
You can also set an Authorization Scheme at application level so that it applies to every page. So if you have an Authorization Scheme named 'User Can Access Page', defined by a PL/SQL function like this:

return apex_authorization.user_can_access_page
( p_app_id  => :APP_ID
, p_page_id => :APP_PAGE_ID
, p_user    => :APP_USER
); 

then you can keep all the logic in the database, using the APEX repository views, your own tables or a combination of both, to decide whether a user has access to that page or not.
But alas, nothing similar exists application-wide for a Read Only Condition. You can define an Authorization Scheme 'User has Read Only Access' with a signature like the one above and reference it in the Read Only Condition of each and every page through the APEX API:

apex_util.check_authorization( p_security_scheme => 'User has Read Only Access');

That way the PL/SQL logic still lives in the database. But you have to apply it to every page, and that's not very developer friendly. Another downside is that the page really is rendered as read only: items are rendered as display-only text, so it looks very different from the same page in regular updatable mode and your layout may suffer. The advantage is that it is (almost) impossible to tamper with a page rendered like that and push an illegal update into your database.

So can we achieve a similar / better result with less effort?
Yes, we can. Let's define a Dynamic Action (DA) on Page 0 (the Global Page) that only runs when our previously defined "ReadOnly" Authorization Scheme is met, by setting that scheme on the DA itself. That DA runs a snippet of JavaScript "On Page Load":

// Remove Delete, Save, Create buttons and the Popup LOV and Calendar icon
$('a').has('.fa-trash-o, .fa-floppy-o, .fa-plus, img.uPopupLOVIcon').remove();
$('img.ui-datepicker-trigger').remove();
// Switch off input fields within div.uRegionContent 
$('input, select, textarea', 'div.uRegionContent').prop('readonly', true).prop('disabled',true);

So this removes a number of "update" buttons and sets all items to readonly and disabled. Be aware that the selectors, especially those for the buttons, may differ in your own environment depending on theme and template settings.
But although the initial result looks good, as the layout isn't changed and none of the items are updatable, it isn't secure at all. The buttons are removed, which is a tad safer than merely disabling them, but I can re-enable all the page items with a single line of JavaScript, and submitting the page doesn't require a lot of JavaScript knowledge either. Anything that is enforced only in the browser is under the user's control, so once I open the browser console it is easy to conquer this carefully crafted read only page...
Of course we could add a Condition or Authorization Scheme to every page process to make sure they only run for users with full access, but that would again require a lot of work!
So we have to close down the backend as well, and preferably not by adding triggers to every table... We can, however, hook into the PL/SQL that's executed when the page is submitted: under the application's Security settings there is a section called "Initialization PL/SQL Code". Although that name suggests it runs only when a page is initialised for rendering, it also runs at the start of a page submit!
So if we enter something like this piece of PL/SQL in that section:

if apex_authorization.user_has_read_only_access
   ( p_app_id  => :APP_ID
   , p_page_id => :APP_PAGE_ID
   , p_user    => :APP_USER
   ) and :REQUEST in ('SAVE', 'DELETE', <and a lot more>)
then
  raise_application_error( -20000, 'You are trying to make some changes with Read Only privileges' );
end if; 

a user with Read Only access who fires an illegal SAVE or DELETE request will be blocked (although that error message isn't shown to the user). If you look at the (standard) DML processes you'll see there are quite a few request values that belong in that list. Be aware that other requests, and especially processes that run unconditionally regardless of the request value, are not protected by this check!
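A fuller version of that guard, as an added example that is not code from the original post: it keeps the request check in one small function so the list lives in one place, evaluates the cheap request test before calling the (possibly querying) authorization function, and leaves a trace in the APEX debug log before blocking. It assumes the same apex_authorization.user_has_read_only_access function the post uses; the request values are the ones the standard APEX Automatic Row Processing (DML) condition checks, reproduced from memory, so verify them against the DML processes in your own application.

```plsql
-- Added example for the "Initialization PL/SQL Code" section (Security settings).
-- Assumes: apex_authorization.user_has_read_only_access(p_app_id, p_page_id, p_user)
-- exists in your schema and returns boolean, as in the post.
declare
    -- apex_application.g_request holds the same value as :REQUEST
    l_request   varchar2(255) := upper(trim(apex_application.g_request));

    -- True for the request values the standard APEX DML (Automatic Row Processing)
    -- condition treats as insert, update or delete.
    -- Assumption: list reproduced from memory of the APEX documentation; check it
    -- against your own DML processes and add every custom button that changes data.
    function is_mutating_request (p_request in varchar2) return boolean
    is
    begin
        return p_request in ( 'INSERT', 'CREATE', 'CREATE_AGAIN', 'CREATEAGAIN'
                            , 'SAVE', 'APPLY CHANGES', 'UPDATE', 'CHANGE', 'APPLY'
                            , 'DELETE', 'REMOVE', 'DELETE ROW', 'DROP' )
            or p_request like 'APPLY%CHANGES%';
    end is_mutating_request;
begin
    -- Cheap string test first; only then call the authorization function
    if  is_mutating_request(l_request)
    and apex_authorization.user_has_read_only_access   -- assumed: your own function
        ( p_app_id  => :APP_ID
        , p_page_id => :APP_PAGE_ID
        , p_user    => :APP_USER )
    then
        -- Leave evidence of the attempt in the debug log before blocking it
        apex_debug.error( 'Read-only user %s sent request %s on page %s'
                        , :APP_USER, l_request, :APP_PAGE_ID );
        raise_application_error( -20000
                               , 'You are trying to make changes with Read Only privileges' );
    end if;
end;
```

Because this is a deny list, every custom button or process that modifies data has to be added to is_mutating_request. The stricter alternative is to invert the test and raise for every non-empty request that is not explicitly allowed; that closes the gap for requests you forgot, but it requires a complete inventory of the request values your application actually uses.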

But with just one snippet of JavaScript and one piece of PL/SQL we have implemented a Read Only feature on each and every page of our application - and the pages still look exactly the same!
