I came across this requirement: content editors are allowed to create and edit forms in the Form Designer, but only some of them are allowed to view the Form Reports of specific forms.
Challenges:
- We want to allow content authors to be able to edit forms in Form Designer
- We want to limit access to Form Reports so that users in a particular role can view a particular report (e.g. users in Department A can view the report of Form A, users in Department B can view the report of Form B)
I came up with a naming convention for the role. Basically, when you create a form, you need to create a role in a specific format.
My naming format is: Form {form-name} Report Viewer
The role needs to be a member of sitecore\Sitecore Client Forms Author so that its users can create and edit forms.
I created 3 roles (format = Form {form-name} Report Viewer) and made them members of sitecore\Sitecore Client Forms Author.
To control access to Form Reports dynamically, I had to override the Form Reports button. The override checks whether the current user is in the role that is allowed to view the report of the current form.

```csharp
using Sitecore.Shell.Framework.Commands;
using Sitecore.Web;

namespace YourNamespace
{
    public class CustomRunFormDataViewer : Sitecore.Forms.Core.Commands.RunFormDataViewer
    {
        public override CommandState QueryState(CommandContext context)
        {
            if (!string.IsNullOrEmpty(WebUtil.GetQueryString("webform")))
            {
                return CommandState.Hidden;
            }

            // No item selected: there is nothing to check the role against.
            if (context.Items == null || context.Items.Length == 0)
            {
                return CommandState.Disabled;
            }

            var item = context.Items[0];
            string formName = item.Name;

            // Role naming convention: sitecore\Form {form-name} Report Viewer
            string roleName = string.Format("sitecore\\Form {0} Report Viewer", formName);

            if (Sitecore.Context.User.IsInRole(roleName) && item.TemplateName == "Form")
                return CommandState.Enabled;

            return CommandState.Disabled;
        }
    }
}
```
To use this CustomRunFormDataViewer, I replace the forms:dataviewer command in /App_Config/Include/forms.config:

```xml
<!--<command name="forms:dataviewer" type="Sitecore.Forms.Core.Commands.RunFormDataViewer,Sitecore.Forms.Core" />-->
<command name="forms:dataviewer" type="YourNamespace.CustomRunFormDataViewer,CustomWffmDll" />
```
The following screenshot shows what happens when a user who is not in Form Apply for a Job Report Viewer clicks the Apply for a Job form item. Notice that the user can edit the form using Form Designer but cannot view the report (the Form Reports button is disabled).
That only disables the button. Users can still reach Form Reports in other ways, e.g. Form Reports from the start menu, so we need to secure the report page as well.
So, I added the role check to the FormDataViewerPage itself.

```csharp
using System;

namespace YourNamespace
{
    public class CustomFormDataViewerPage : Sitecore.Forms.Shell.UI.FormDataViewerPage
    {
        protected override void OnLoad(EventArgs e)
        {
            string formName = CurrentItem.Name;

            // Same role naming convention as the Form Reports button override
            string roleName = string.Format("sitecore\\Form {0} Report Viewer", formName);

            // Not in the role: skip base.OnLoad so no report data is loaded
            if (!Sitecore.Context.User.IsInRole(roleName))
                return;

            base.OnLoad(e);
        }
    }
}
```
Then I replace the default FormDataViewerPage with my CustomFormDataViewerPage in \sitecore\shell\Applications\Modules\Web Forms for Marketers\FormDataViewer.xaml.xml:

```xml
<!--<Sitecore.Forms.Shell.UI.FormDataViewer x:inherits="Sitecore.Forms.Shell.UI.FormDataViewerPage,Sitecore.Forms.Core" >-->
<Sitecore.Forms.Shell.UI.FormDataViewer x:inherits="YourNamespace.CustomFormDataViewerPage,CustomWffmDll">
```
Now, if you select a form that you don’t have access to, you will see a blank report.
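The button override and the page override each build the role name on their own, so a change to the convention has to be made in two places. One way to keep them in sync, as an added example that is not part of the original post: a hypothetical FormReportAccess helper that both overrides could call. The class name, method names and the audit flag are assumptions; the role format is the one used above.

```csharp
using Sitecore.Data.Items;
using Sitecore.Diagnostics;
using Sitecore.Security.Accounts;

namespace YourNamespace
{
    // Hypothetical helper (not part of WFFM): the single place that maps a
    // form item to its report-viewer role and decides whether a user may see it.
    public static class FormReportAccess
    {
        // Same convention as the post: sitecore\Form {form-name} Report Viewer
        private const string RoleFormat = "sitecore\\Form {0} Report Viewer";

        public static string GetRoleName(Item form)
        {
            return string.Format(RoleFormat, form.Name);
        }

        // audit = true writes a log entry on denial. Pass false from QueryState,
        // which runs on every ribbon refresh, and true from the report page.
        public static bool CanViewReport(Item form, User user, bool audit)
        {
            // Fail closed when there is nothing to check against.
            if (form == null || user == null)
                return false;

            string roleName = GetRoleName(form);

            // A form created or renamed without its matching role is visible
            // to nobody; log it so the missing role gets noticed.
            if (!Role.Exists(roleName))
            {
                if (audit)
                    Log.Warn("Form report role does not exist: " + roleName, typeof(FormReportAccess));
                return false;
            }

            if (user.IsInRole(roleName))
                return true;

            if (audit)
                Log.Audit("Form report denied for " + user.Name + " on " + form.Paths.FullPath, typeof(FormReportAccess));
            return false;
        }
    }
}
```

In QueryState the call would be `FormReportAccess.CanViewReport(item, Sitecore.Context.User, false)` alongside the existing template check, and in OnLoad `FormReportAccess.CanViewReport(CurrentItem, Sitecore.Context.User, true)`.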