Skip to Main Content
Forums

APEX

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Submitted page items in authorization schemes at page level

Andrea GalizziApr 15 2024 — edited Apr 15 2024

Idea Summary
Enable the authorization shemes at page level to read the submitted item values during the submit of the page.

Use Case
I created a public demo application to better explain what I mean:

Let's imagine I have a report (page 1), and a "form" type page (page 2) that allows the user to modify one row at a time.
In each row of the report, there is an "edit" button that links to the form page passing the row ID as URL parameter (for example: P2_ID).

The user can only edit some rows (based on the status of the row).
So the "edit" button is shown only when a specific condition is matched. For example (PL/SQL expression):

CAN_EDIT(P_ID => :ID, P_USER => :APP_USER)

Now, I want to do the same check on the form page.
To do so, I create an authorization scheme (with "PL/SQL Function Returning Boolean" type):

RETURN CAN_EDIT(P_ID => :P2_ID, P_USER => :APP_USER);

This authorization scheme works great... but not anywhere!

  • Page rendering → Works (because the P2_ID item is setted by the URL parameter).
  • Process during rendering → Works
  • Region rendering → Works
  • Region refresh → Works (because the P2_ID is submitted as specified in the "Page Items to Submit" setting).
  • Page submit → Fails (this happens because the page authorization scheme is checked before loading the items value from the submit request. P2_ID is null, so the check fails).
  • Process during submit → Works
  • Process (AJAX callback) → Works

Objection 1: remove the authorization scheme on the page and just use the checksum protection
No, the session checksum isn't enough.
The P2_ID item has the "Value Protected" option enabled, and the "Session State Protection" at "Checksum Required - Session Level".

  1. The user open the page and edit the row 1.
  2. The status of the row 1 changes. The user cannot edit it anymore.
  3. Using the browser navigation history, the user can go back to the URL with session checksum that sets P2_ID=1.

Objection 2: store the P2_ID value in session
No, setting the "Storage" option at "Per Session (Persistent)" on the P2_ID item is not an option, because I want the user to use multiple tabs at the same time.

  1. User open the row 1. P2_ID session value = 1.
  2. User open the row 2 in a new tab. P2_ID session value = 2.
  3. User save the row 1. Authorization scheme check with P2_ID=2 when editing the row 1. This is not correct.

The APEX_CLONE_SESSION option cannot help because the "Rejoin Session" app setting is set at "Enabled for All Sessions".

Preferred Solution
APEX should update the page item session values (with the new submitted values) BEFORE running the page authorization schema.
Comments
Post Details
Added on Apr 15 2024
#apex-discussions, #authorization-scheme, #oracle-apex, #security
2 comments
395 views