Important: removing or hiding a button, a tab, or another link doesn't secure the target it was pointing at; it only helps reduce errors seen by users on components that are already secure.
The design for the Help Desk application has the Manage Multiple Tickets page only available to users with edit
privileges, so the entire page is secured at the edit level. The single-record view of a ticket continues to be visible to all
authenticated users, but without the buttons related to record manipulation:
41. Edit Page 210 of the application.
42. Edit the Create button in the Manage Tickets region by double-clicking its name.
43. In the Security region, set Authorization Scheme to access control - edit, and click Apply Changes.
44. Repeat steps 42 and 43 for the Delete and Save buttons as well as the second Create button located in the Ticket Details region.
45. Edit Page 220 of the application.
46. Edit the Create button by double-clicking its name.
47. In the Security region, set Authorization Scheme to access control - edit, and click Apply Changes.
48. Repeat steps 46 and 47 for the Delete and Save buttons.
49. Edit Page 230 of the application.
50. Edit the page attributes by double-clicking the page name.
51. In the Security region, set Authorization Scheme to access control - edit, and click Apply Changes.
Review the application now with different users. Notice how the user Martin can still navigate from the Tickets
report to view the details of the ticket, but there are no buttons to modify the records in the database. Even though the
form elements are editable, they aren't written back to the database without the proper form submission.
Read-Only Items
Normally, users can edit the contents of an item in APEX. There are instances where you want to prohibit them from
doing so, but you don't want to hide the item entirely. At the conclusion of the previous step, the user Martin doesn't
have the ability to save edits of the ticket information even though the form allows Martin to change the contents of
the form items.
To assist in preventing changes, each item in APEX has a read-only attribute that you can set programmatically.
The approach is similar to how item conditions are managed. Because the read-only attribute can't use an
authorization scheme directly, you can use the APEX API
APEX_UTIL.PUBLIC_CHECK_AUTHORIZATION
to determine
whether a user has the rights to edit the data. This API takes the name of an authorization scheme as its parameter, runs
that scheme's check for the current user, and returns a Boolean result that can be used in PL/SQL logic.
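As an added illustration (not code from the book), the following PL/SQL shows the API used two ways: as the Read Only condition of a ticket form item, and as a server-side guard inside the process that saves the ticket. The authorization scheme name comes from the text; the item name P220_SUBJECT and the save process are hypothetical.

```plsql
-- 1) Read Only condition for the hypothetical item P220_SUBJECT, with the
--    item's Read Only Condition Type set to "PL/SQL Function Body Returning
--    a Boolean". The item becomes read-only exactly when the current user
--    fails the "access control - edit" scheme from the text.
declare
    l_can_edit boolean;
begin
    -- Run the named authorization scheme for the session's user.
    l_can_edit := apex_util.public_check_authorization('access control - edit');
    return not l_can_edit;   -- TRUE = render the item read-only
end;

-- 2) Defence in depth: the same check at the top of the page process that
--    writes the ticket back, so a submission that reaches the server without
--    passing the edit check is rejected before any DML runs. This guard is an
--    added measure, not one of the book's steps.
begin
    if not apex_util.public_check_authorization('access control - edit') then
        raise_application_error(-20001, 'Not authorized to modify tickets.');
    end if;
    -- ... the existing UPDATE of the ticket row follows here
end;
```

Setting the read-only attribute only changes how the item renders; the authorization scheme on the buttons, page and process is what actually controls whether the data changes.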
Here are the steps to use the read-only attribute and the API just discussed:
1. Navigate to and edit the items indicated in Table 9-1 by double-clicking the item name on the respective page.