Security based on ownership and record state

Consider an action called "Update Profile" in a "User" module where logged-in users are only allowed to update their own records. Group-based permissions, where access depends on the permissions granted to a group, cannot express this rule: the decision depends on the content of the record itself. In this situation we can use filters in the action.

Filters can be used to secure records based on ownership or based on state.

Securing records based on ownership

When we need to protect data based on ownership, we need to store the username together with the data. To do this, add a field of type Username to the module.

The next step is to store the current username in that Username field whenever an entry is created in the module. This can be done with the Set field value option in the PCG design for every create action.

The third step is to add a filter to the other actions so that, before the action is performed, the username field is checked against the current username and the action only runs when they match.

Securing records based on state

Some actions are only allowed when an entry is in a particular state. For example, an order cannot be shipped until its payment has been received. This can also be achieved using filters. Although any field type can be used for this purpose, it is better to implement it with a Dropdown type field.

  • As a first step, add a field named Status with type Dropdown / Select and define the possible values as "Waiting for Payment", "Waiting for Shipping", "Shipped" and "Received".
  • Add a create action called "Order Product" to the module and, using the Set field value option, set the Status field to "Waiting for Payment".
  • Add an update action called "Process payment"; in it, use Set field value to set the Status field to "Waiting for Shipping".
  • Add one more update action called "Ship the order" that sets the Status field to "Shipped" using the Set field value option. Add a filter to this action on the Status field with the Equals condition and the value "Waiting for Shipping".

Now, after generating the code, a user cannot perform the "Ship the order" action until the "Process payment" action has been performed on that entry.
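The two filter types described above, as an added Python example that is not code from the page or from the PCG tool: an ownership filter on the Username field and a state filter on the Status dropdown, both evaluated before an action's Set field value step is applied. The Order record, the action table and the extra ownership and state filters on "Process payment" are assumptions for the example, not something the page specifies.

```python
from dataclasses import dataclass

# Constructed sample record: "owner" is the Username-type field the page
# describes, "status" holds one of the Dropdown values below.
@dataclass
class Order:
    order_id: int
    owner: str
    status: str

STATUSES = ("Waiting for Payment", "Waiting for Shipping", "Shipped", "Received")

# Filter predicates, evaluated against (record, current_user) before an action runs.
def owner_matches(record, user):
    return record.owner == user

def status_equals(expected):
    assert expected in STATUSES
    return lambda record, user: record.status == expected

# Hypothetical action table: filters that must pass, then the Status value to set.
# The page only puts a filter on "Ship the order"; the ownership filter and the
# state filter on "Process payment" are added here as an assumption.
ACTIONS = {
    "Process payment": ([owner_matches, status_equals("Waiting for Payment")],
                        "Waiting for Shipping"),
    "Ship the order": ([status_equals("Waiting for Shipping")], "Shipped"),
}

def create_order(order_id, current_user):
    """Create action: store the username with the record and set the initial Status."""
    return Order(order_id, owner=current_user, status="Waiting for Payment")

def perform(action_name, record, current_user):
    """Run every filter; apply the Status change only if all of them pass."""
    filters, new_status = ACTIONS[action_name]
    if not all(check(record, current_user) for check in filters):
        return False  # a filter rejected the action; the record is unchanged
    record.status = new_status
    return True

def demo():
    order = create_order(1, "alice")
    shipped_early = perform("Ship the order", order, "alice")  # rejected: not paid yet
    paid_by_other = perform("Process payment", order, "bob")   # rejected: not the owner
    paid = perform("Process payment", order, "alice")
    shipped = perform("Ship the order", order, "alice")
    return shipped_early, paid_by_other, paid, shipped, order.status

if __name__ == "__main__":
    print(demo())  # (False, False, True, True, 'Shipped')
```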
