Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support locking fields with external sources #396

Open
8 tasks
RonnyB71 opened this issue Jan 15, 2024 · 0 comments
Open
8 tasks

Support locking fields with external sources #396

RonnyB71 opened this issue Jan 15, 2024 · 0 comments
Labels
kind/user-story Used for issues that describes functionality for our users.

Comments

@RonnyB71
Copy link
Member

RonnyB71 commented Jan 15, 2024
edited
Loading

Description

Background
Altinn Apps support the concept of prefilling data model fields as part of the instantiation process. For example you can prefill the user social security number, name, address simply by configuring this in the app. You can also add custom prefill data by adding custom code that does api lookups and write values to the data model. This can be done both as part of the instantiation of a form or during the form filling process.

These prefilled fields may, or may not, be exposed to the end user as a field in the form. Regardless if these prefilled data fields is exposed in the form or not, these data fields might be included in the data model when updating the data. They might be hidden and computed by an expression or, for a user with technical skills you can find the data model in the browser and modify the data. To avoid the user submitting wrong data, intentionally or unintentionally, a best practice is to run prefill actions and api lookups again before the data is submitted.

Solution
The best practice implies that someone, typically a developer, would have to contribute some code in the app. We would like for that to be configurable in Altinn Studio and enforced automatically by flagging the protected fields in the data model as "Protected - has external source" (or something similar).

Additional Information

Tasks

No response

Acceptance Criterias

  • This should be enforced on updates, but instantiation endpoints should allow writing to all fields
  • This needs to be supported on V7 as well as V8 of the backend packages
    • V7 implies that the PUT endpoint needs to handle this. This means that it needs to compare the incoming model with the currently stored model in order to determine if someone tries to update locked fields.
    • V8 implies that the new PATCH endpoint needs to handle this. This can check the patch request directly, hence avoid comparing data with the stored model.
  • It should be a way to configure the fields that can't be updated calling the external api's
  • It should however for an app developer to set these fields in backend code.
  • AllowOverwrite on the prefill configuration should be respected
  • Any attempt to updated locked fields should result an error from the endpoint to the calling client (probably a 400 Bad Request)
@RonnyB71 RonnyB71 added kind/user-story Used for issues that describes functionality for our users. status/draft Status: When you create an issue before you have enough info to properly describe the issue. labels Jan 15, 2024
@RonnyB71 RonnyB71 removed the status/draft Status: When you create an issue before you have enough info to properly describe the issue. label Jan 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/user-story Used for issues that describes functionality for our users.
Projects
Team Apps
Status: No status
Milestone
No milestone
Development

No branches or pull requests
1 participant
@RonnyB71