Paul Galvin's SharePoint space [SharePoint MVP]

I’m still living in InfoPath Forms world and I needed to make one of those “small” changes to a form that, unfortunately, breaks a naming convention I adopted with it two weeks ago.  I thought to myself, “someone is going to look at this thing a year from now and say, ‘What was Paul thinking?  By Jove, his naming convention makes no sense!”

I realized that I could create a view on the form for this and then, once again, realized that I could have been doing something like this all along.  I added a “Developer Notes” view to the InfoPath form as such:

I’ve configured the form so that users can’t get to that view and therefore, it’s only visible with the InfoPath client in design view.  Now I feel a little inoculated against some future unknown developer looking at my form and thinking bad thoughts about me.  Phew!

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

I seem to go through InfoPath phases where, out of the blue, I’m crafting a bunch of forms.  My fingers learn how to use the tool well and then I go through nine month drought and have to learn it all over again. 

I’m in the middle of an InfoPath phase and I’m creating InfoPath forms with a lot of views. One thing you probably notice is that the InfoPath 2007 client shows views in alphabetical order.  This is a real nuisance some times.  My best technique these days is to prepend a number to the view name so that they always show in the order I want, as illustrated here:

I wish I had been doing this all along. 

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

I’ve been working on some InfoPath forms this week in MOSS in an FBA environment and learned, when I went to deploy the forms to a production environment with an FBA zone that the username() function function does not work.  I was using it to generate unique file names.

Well, that function doesn’t work in an FBA environment (at least, not out of the box).  And, upon reflection, using username in the way I had planned wouldn’t have guaranteed a unique file name in any event.

My solution was to use the now() function and a rule that fires on loading of the form.  I assign the file name to data element when it’s blank:

The advantage of this approach is that the file name is set only once.  (I don’t show it in the screen shot, but put a condition on the rule to only fire when “myFilename” is blank).  I used to set the file name at the data source level.  Typically, I would do something (bad) like this:

The problem with that is that if user A opens the form on Monday and the user B changes it on Tuesday, you’ll end up with two different forms since two different users saved it with different user names.

So, as annoying as FBA can be in general and with InfoPath in particular, it made me re-think a small but really important technical detail and approach that I wouldn’t have done otherwise!

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

This is another post in my on-going series on how to use jQuery with SharePoint.
If you want to learn more about jQuery, I highly recommend: jQuery in Action by Bear Bibeault and Yehuda Katz.

One of the first things I thought, once I started to play around with jQuery, was whether we could use it to secure a SharePoint view.  The answer is “no” (or at least, I’m not claiming it’s possible).  However, it is certainly possible to make it difficult for people to see a particular view. 

I started with my sandbox environment when working on this.  I wrote about that environment here: Quick and Easy: Create Your Own jQuery Sandbox for SharePoint.  

To “secure” a view, follow these steps:

1. Create a view you want to secure.  I did that and called it “Secured View”.
   
   This is what it looks like when it’s not “secured”:
   
    
   
2. Add a content editor web part to the view’s page using the trick described in the sandbox article (i.e. add “PageView=Shared&ToolPaneView=2” to the URL).
3. Figure out  your SharePoint _spUserId by following these crazy steps, believe or not:
   1. Log into your SharePoint environment.
   2. In the web browser’s address field, type: “javascript:alert(_spUserId”).
   3. Record the result (it’s “13” in my case).
      
      
4. Add the following javascript to your CEWP in code view:
   

   <script type="text/javascript" src="../../jQuery%20Library/jquery-1.3.2.min.js"> </script> <script type="text/javascript"> $(function() { alert(_spUserId); var theSecuredView = $('iframe[FilterLink*=Secured%20View]'); if ((theSecuredView.length > 0) && (_spUserId == 13)) $('iframe[FilterLink*=Secured%20View]').parent().parent().parent().html("<tr bgcolor=red><td>No view for you!</td></tr>"); }); </script>

I’ve included that alert(_spUserId) line in there to demonstrate how this is not really a “securing” a view, but simply making it more difficult to see.  More on that in a moment.

Basically, jQuery is looking for an iFrame on the page who has an attribute that contains “Secured%20View” in its value.   Once it finds it, we check to see if the current user is “13”.  If it is, we walk up the DOM to a <TR> tag (which I figured out by viewing source and tracing it) and then replacing that TR tag with my message. I really don’t know how robust this is (I’m very suspicious, in fact), but it worked in my sandbox.  If I find a better way, I’ll blog about it. This is the result:

I click the OK button and the data is replaced with a big red message:

As you can tell, the way I’ve implement this “security” solution is to allow the web part to render itself.  After it finishes, I overwrite its content with my “No view for you!” message.

Despite the fact that it’s not really a “secured'” view, it’s potentially useful and with some clever work, it may eventually be securable in a more formal sense.  The fundamental issue is that the client is getting all the data and then, only after it gets the data, it wipes it out.  If the client is getting the data, a clever user can prevent the jQuery from running at all and see what he/she wants to see.

There are other drawbacks.  This “security” approach is based off a _spUserId.  We’d want to really secure based on the full SharePoint security model, or at least by user name.  That becomes progressively harder, but I see some good stuff written on this subject, so I’m hopeful there’s a good answer to that problem.

The list of views themselves should be trimmed, if possible.  I haven’t tried to figure that out.  I assume it’s possible, but doesn’t really solve the fundamental security issue because someone could still just type the URL of the view they want (if they knew it).  However, trimming makes sense.  It’s a good usability feature and it helps to obfuscate things.  If an end user doesn’t know that the view event exists, they probably won’t try to use it.  Sometimes, that’s good enough.

With luck, I’ll have more to write on this subject over time.

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

This is another post in my on-going series on how to use jQuery with SharePoint.
If you want to learn more about jQuery, I highly recommend: jQuery in Action by Bear Bibeault and Yehuda Katz.

Previously, I wrote about how to use jQuery to locate and hide a text field on a form.  I didn’t care for the specific approach (I was chaining parents – that’s simply isn’t done these days, at least in families of quality). 

When I first started to think about it, I knew I needed to find a <TR> to which I could invoke the hide() method.  My early effort to find the correct <TR> was something like this:

$('tr:has(input[title=Hide Me!])');

The problem with that is that it would find every <TR> tag that had any parent relationship to the Hide Me! field, even if Hide Me! is nested many levels deep in <TR>’s.  It turns out that on my sandbox form, that expression finds 9 different TR’s who have Hide Me! as a child somewhere in its DOM tree.  I realized that I could walk back up the tree from the input field itself, so that’s how I ended up abusing parents, but it didn’t sit well with me.

I gave some thought to this and one of the things I read finally made sense: I could use the not() method to trim out <TR>’s I don’t want in my wrapped set.  That led me to this:

$('tr:has(input[title=Hide Me!])').not('tr:has(tr)').hide();

The first bit finds all the <TR> tags that have the Hide Me! field anywhere in their own hierarchy.  It then strips out any <TR> that also have a child <TR>.  This leaves us with a single <TR> that:

1) Has no <TR> child records

2) Does have the input field as child. 

We can then apply the hide() method to the resulting set and we’re done.

I’m still a bit nervous about this, but not as nervous as chaining parents.

I don’t know if this is a best practice or not.  There may be a more appropriate way of identifying just the <TR> that we care about in a SharePoint form.  If you know, please post a comment.

</end>