encrypt URL in hyperlink ...

Hello,
 
I made a report with security in it so users can only see there own id's. 
 
I made a seconde report that shows the details of certain id and created a hyperlink from the first to the second report on the id-field (using a parameter to fill the correct id in the second report). 
 
This is all working nicely. I noted that the id is encrypted in the addressbar when you follow the hyperlink to the second report. 
 
It was however pointed out to me that when you open the first report and on the hyperlink open the submenu to copy the link-address the values are presented in plain text. Opening a different TAB in the browser and pasting the link-address runs the report with a none autorized id!!
 
Probably my bad to not check for autorisation in the second report but my question is : is there a way to encrypt that URL like it does when I follow the link to the second report? Or do I have to add the security to the second report. 
 
Kind regards,
Jeroen

Find more posts tagged with

Comments

JFreeman

Although it may be possible to modify the URL to prevent this behavior, I believe best practice is going to be to add the same security settings to the second report as well.

jar

Hello Jesse,
 
Thanks for your feedback... 
 
My problem is that I am using a Data Object in the dashboardpage to fill a prompt with only those ID's the user is authorized to see and the report is linked to this prompt. The user can make choice for one of his authorized ID's.
 
I can add the Data Object to the second report but because the second report is not linked from the dashboard but from the first report (and it is not using/linked to the prompt on the dashboard) it is not filtering the authorized ID's. 
 
With SQL I would use "subquery" to filter out only the authorized ID's, but with a query on a Data Object I think that is not possible. At least I do not see how. 
 
The only solution I see is to have a seperate dashboard with the same prompt's which the user can run to see the details ... Or anybody another solution ...?

JFreeman

I am not quite sure i'm understanding the flow of your dashboard/report setup.
 
Would it be possible to attach a set of reports/dashboard that demonstrate the behavior using classic models?

JFreeman

Thinking this over some more, one option would be to use data security on the data object to apply an ACL to limit what data a user is allowed to obtain from the data object.
 
Take a look at the Application Developer Guide here: <a data-ipb='nomediaparse' href='http://developer.actuate.com/be/documentation/ManualsIHUB3/application-developer-guide.pdf'>http://developer.actuate.com/be/documentation/ManualsIHUB3/application-developer-guide.pdf</a>
 
The section, "Controlling user access to data", starting on page 241 of the PDF version, details this functionality and how it can be implemented.

jar

Hello,
 
Thanks for your response. 
We have already something in place to limit the data in the dataobject to what the user is allowed to see. And the prompt's on the dashboard are based on that dataobject. So for the first report all is okÃ©.
 
But for the second report I can not use this dataobject because in this report I read a select statement from a certain table and for that read I need a few parameters to have value to select one of many. 
Through a script in the second report I replace in a second query some text like **REPLACE** with this select statement. Then the report is run (second query presents the data). 
 
This was working nicely with the hyperlink option (when the hyperlink is clicked and the report is opened all parameters have the correct value). But because of the security flaw (MHO) in the hyperlink function I can not use this and need to do this in a dashboad.
 
But this is also not working because not all parameters are filled. This is because the report is run when the dashboard is opened and not only when all parameters are filled. Is there somewhere an option to configure that?
And the parameters have no default value because I can not give a default value as not everybode has the same authorization.
 
Spent the better part of yesterday on this problem but not yet near a solution ... :-( 
 
Beside that I think presenting the link in plain text in the link is a bug. When I click on the link the second report is opened with the correct value and the URL is then encrypted. Why not present this encrypted URL? I tested it and when I copy it and paste it in a new browser windows it shows the correct information. 
 
UPDATE : I am not allowed to disclose the designs :-(
UPDATE 2 : I fixed this by adding the security (lot's of javascript in our case) to the second report.