Button URL specific record with Everyone on the Internet

  • Question
  • Updated 12 months ago
  • Answered
I send an email with a URL button directed to a record that needs to be updated by a specific employee. I do not want other employees to be able to manually change the record ID in the URL and view other records. Is there a way to embed something in the button URL unique to that record that is not easily modified?

Bradley Damron

Posted 1 year ago


QuickBaseCoach App Dev./Training, Champion
I have not totally thought this through, but what if you made a formula field of the [Record ID#] of [Related employee] plus 98765. Call this field [Calculated Secret Code]. So employee record ID #1 would have a value of 98766.

Then when you send the link, populate that field on the record called, say, [Access code].

For that EOTI Role, make a permission that they can only see records where the [Secret Code] = [Calculated Secret Code].

Bradley Damron
That is something I was trying to figure out as well. How, if I have a field with a "secret" code within the record, can I send it in on the URL to bring up that specific record? More importantly, how could I then limit that EOTI Role to only that record based on that "secret" code? I think we are both going down the same thought path, I just may lack the experience in the URL with an extra field.

QuickBaseCoach App Dev./Training, Champion
Can I see the code for the link that you are sending?  Is it to add a record or view or edit a record? 

Bradley Damron
The code is simple:  

URLRoot()&"DB/"&[_DBID_xxxxx]  &"?A=API_EDITRECORD&rid="&[Record ID#]&
"&_fid_22=" & ToText(Now())&
"&rdr=" & URLEncode(URLRoot() & "db/" &[_DBID_xxxxx] & "?a=er&key="&[Record ID#]&"&dfid=12")


I have two fields, one called security code that I am setting, and another field called access code that I would want to set to equal security code. Then only allow users to view the page when those two match. After a save of the record I would blank the access code through dynamic rules to prevent any unauthorized access as a further measure.

QuickBaseCoach App Dev./Training, Champion
Try this

URLRoot()&"DB/"&[_DBID_xxxxx]  &"?A=API_EDITRECORD&rid="&[Record ID#]
& "&_fid_22=" & ToText(Now())
& "&_fid_999=" & ToText([Calculated Secret Code])
& "&rdr=" & URLEncode(URLRoot() & "db/" &[_DBID_xxxxx] & "?a=er&key="&[Record ID#]&"&dfid=12")

//999 is the fid of the secret code field

Bradley Damron
Yes, that should work perfectly.  I guess that was pretty "thick" of me not realizing that line. 

Last question: the custom permission rule, can you have a rule that says Calculated Secret Code is equal to [secret code]?

It is an open text field for the second comparison factor so I wasn't sure if I could just add the field name or not.

QuickBaseCoach App Dev./Training, Champion
Right, I often forget that the custom permissions are not very flexible. So you need to make a formula checkbox field to check that they are equal, and then the custom permission Rule will test if that formula checkbox field is checked.

Bradley Damron
Great idea, thanks for all your help! 

Bradley Damron
I created the formula checkbox for the custom permissions, but my users still receive an error that they must log in to edit. I know the formula is working, but could this be because I am trying to update fields in the URL sending them into the record?

QuickBaseCoach App Dev./Training, Champion
That does seem odd that they need to sign in if the app is open to everyone on the Internet for editing. Are you sure that the EOTI Role is allowed to edit (subject to that secret code rule)?

Bradley Damron
Yes, when I removed the secret code checkbox = checked custom rule, everything worked perfectly.  Add the custom permission and it fails. Very odd. 

QuickBaseCoach App Dev./Training, Champion
If you sign off of QuickBase or better yet for testing use an alternate Browser which is not logged in, can you view the record?  Can you edit the record manually while not logged in?

Bradley Damron
I can edit and view the record manually, but when I try the URL where I update fields then display the page it fails. 

QuickBaseCoach App Dev./Training, Champion
So for the start of your formula, which is something like this

URLRoot()&"DB/"&[_DBID_xxxxx]  &"?A=API_EDITRECORD&rid="&[Record ID#]
& "&_fid_22=" & ToText(Now())
& "&_fid_999=" & ToText([Calculated Secret Code])

... is that table being edited open to everyone on the internet? I.e., is it the same table for API_EditRecord and the table for "?a=er"?

Bradley Damron
Correct, same table in both places.

QuickBaseCoach App Dev./Training, Champion
I'm grasping a bit now.  Have you disabled the need for Application Tokens in App Properties?

Bradley Damron
Correct, Application Tokens have been disabled.  I can get around it using dynamic form rules, but really just wanted something at the User permission level. 

QuickBaseCoach App Dev./Training, Champion
I think I have two suggestions. One is to ask support if there is anything else you need to specify when using an API like that. But I'm not sure if support offers API help.

Plan B is to set up a single generic userid for the button to use to sign in.


// Step 1: sign in as the generic user
var text URLONE = urlroot() & "db/main?act=API_Authenticate&username=xxx&password=yyyyyy";

// Step 2: write the timestamp and the secret code to the record
var text URLTWO = URLRoot()&"DB/"&[_DBID_xxxxx]  &"?A=API_EDITRECORD&rid="&[Record ID#]
& "&_fid_22=" & ToText(Now())
& "&_fid_999=" & ToText([Calculated Secret Code]);

// Step 3: open the record in edit mode
var text URLTHREE = URLRoot() & "db/" &[_DBID_xxxxx] & "?a=er&key="&[Record ID#]&"&dfid=12";

// Chain the three calls through nested rdr redirects
$URLONE 
& "&rdr=" & URLEncode($URLTWO)
& URLEncode("&rdr=" & URLEncode($URLTHREE))

Bradley Damron
Thanks, I will try that.  Great suggestion. 

Bradley Damron
One final question (I hope): if you recall, I am removing the 'calculated secret code' at save & close, and the check formula is unchecked, basically securing the record. Is there a way to clear that field if the user hits cancel?

QuickBaseCoach App Dev./Training, Champion
No - at least not natively.

Bradley Damron
Thank you, and thanks for all your help
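
Added example, not part of the original thread and not Quick Base code: the [Record ID#] + 98765 code discussed above changes by exactly 1 between neighbouring records, so it is as easy to edit in the URL as the record ID itself. The Python sketch below puts that scheme beside a random, per-record, single-use code that is checked in constant time and revoked after save. `AccessCodes`, `button_url` and the host `example.quickbase.com` are hypothetical names, and it assumes the code is generated outside the formula and written to the [Access code] field (fid 999 in the thread).

```python
import hashlib
import hmac
import secrets
from urllib.parse import quote

OFFSET = 98765  # constant from the thread's [Calculated Secret Code] formula


def additive_code(record_id: int) -> int:
    """Scheme from the thread: neighbouring records differ by exactly 1."""
    return record_id + OFFSET


class AccessCodes:
    """Hypothetical store of random, per-record, single-use access codes."""

    def __init__(self) -> None:
        self._hashes: dict[int, str] = {}  # record ID -> SHA-256 of the code

    def issue(self, record_id: int) -> str:
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._hashes[record_id] = hashlib.sha256(code.encode()).hexdigest()
        return code  # goes into the e-mailed link only

    def check(self, record_id: int, presented: str) -> bool:
        expected = self._hashes.get(record_id)
        if expected is None:  # never issued, or already revoked
            return False
        got = hashlib.sha256(presented.encode()).hexdigest()
        return hmac.compare_digest(expected, got)  # constant-time compare

    def revoke(self, record_id: int) -> None:
        """Equivalent of blanking [Access code] after the record is saved."""
        self._hashes.pop(record_id, None)


def button_url(root: str, dbid: str, rid: int, code: str, fid: int = 999) -> str:
    """URL shape taken from the thread's formula (timestamp field omitted)."""
    rdr = f"{root}db/{dbid}?a=er&key={rid}&dfid=12"
    return (f"{root}db/{dbid}?a=API_EditRecord&rid={rid}"
            f"&_fid_{fid}={quote(code, safe='')}&rdr={quote(rdr, safe='')}")


if __name__ == "__main__":
    store = AccessCodes()
    code = store.issue(1)
    print(button_url("https://example.quickbase.com/", "xxxxx", 1, code))
    print(store.check(1, code), store.check(2, code))  # True False
```
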