Hi,
I use Before SQL Query events to add where clauses to SQL statements in ASPRunner in order to implement row-level security based on users who are logged in.
Everything works fine, but I just noticed an issue that I didn't realize before.
Let's say I have a list page that has a Before SQL Query event. It works great filtering based on user. On that page, each record has a link to another list page for sub-records (via ASPRunner page joining).
The user clicks the link to go to the sub-list page. In the URL, there is a query string with the primary key value from the master table. Despite the fact that the Before SQL Query event is imposed on the master list page, the user can go up and change that value and the master table values will display if they pick a primary key value that exists even if it was not in the data set limited with the strWhereClause. On this sub-list page I have strWhereClause imposed as well, so if they change it to a data set on which they don't have permissions, no records display, but if they click the add button from the sub-list page they can add records using the value in the query string.
Is there a possible work-around for this? I hope what I am saying makes sense. Thanks.
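
The gap described in this post, as an added example that is not part of the original post and is not ASPRunner code: filtering the list queries does not protect the add action, so the master key taken from the query string has to be re-checked against the same row-level rule before a sub-record is written. The schema, user names, and function names below are assumptions made for illustration, using Python and an in-memory SQLite database.

```python
import sqlite3

def make_db():
    """Constructed sample data: two master rows owned by different users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE master (id INTEGER PRIMARY KEY, owner TEXT NOT NULL);
        CREATE TABLE detail (id INTEGER PRIMARY KEY,
                             master_id INTEGER NOT NULL REFERENCES master(id),
                             note TEXT);
        INSERT INTO master (id, owner) VALUES (1, 'alice'), (2, 'bob');
    """)
    return conn

def master_visible(conn, user, master_id):
    """The same row-level rule the master list applies, asked about one key."""
    row = conn.execute("SELECT 1 FROM master WHERE id = ? AND owner = ?",
                       (master_id, user)).fetchone()
    return row is not None

def list_details(conn, user, master_id):
    """Sub-list filtered through the master's owner, as the post describes."""
    return conn.execute(
        "SELECT d.id, d.note FROM detail d JOIN master m ON m.id = d.master_id "
        "WHERE d.master_id = ? AND m.owner = ?", (master_id, user)).fetchall()

def add_detail_unchecked(conn, user, master_id, note):
    """Behaviour described in the post: the key from the URL is trusted."""
    conn.execute("INSERT INTO detail (master_id, note) VALUES (?, ?)",
                 (master_id, note))
    return True

def add_detail_checked(conn, user, master_id, note):
    """Hardened add: re-authorize the master key before writing."""
    if not master_visible(conn, user, master_id):
        return False  # key is outside the caller's filtered data set
    conn.execute("INSERT INTO detail (master_id, note) VALUES (?, ?)",
                 (master_id, note))
    return True
```

The check runs on the server at write time, so it holds regardless of what value arrives in the query string.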