FileMaker Tip: autoenters and security
This week, a tip for FileMaker developers:
If access for a user to a particular record is dependent on data in a field in that record, be aware that, when a new record is created, autoenter calculations and lookups will not execute.
For example, user Jon creates a new record in the contacts table. Access to records in the contacts table is dependent on the field
recordOwner having his user account name in it.
FileMaker and Autoenter
If the field is populated by autoenter data, or autoenter creation account name, the field will get populated before committing, and after the record is committed he will still have access to the record.
However, if the field is populated a lookup or an autoenter calculation, it will not get populated until the record is committed.
The 'gotcha' is that security (i.e. record access) is assessed before autoenter and lookups—therefore, at the point that security is assessed, the
recordOwner field still blank, and Jon does not have access to the record.
The subsequent attempts of autoenters and lookups will fail, as Jon's account has no access to the newly committed record, and Jon remains locked out of his new record.
One way round this is to all access to a record if
recordOwner has the user’s account name, or if the record is less than a few seconds old:
exact( Contacts::recordOwner ; get(AccountName) ) or ( get(CurrentTimestamp) - Contacts::CreateTimestamp
This allows a short window after record committed for the autoenters and lookups to take place. It shouldn’t comprise the record-level security too badly (although I should look at alternative ways of setting record access if the data is ultra-sensitive).
With thanks to Dr Jonathan Jeffery for this post's contents!