# HG changeset patch # User Paul Boddie # Date 1383866004 -3600 # Node ID e9ae4ed6cbc5efb1af3c6f3fcf10ae17a56b0c77 # Parent 4f6a13846f8fddff689ac461ca4e30d410762063 Added descriptions of subpage storage and form retrieval. Added form-specific ACL policy details. diff -r 4f6a13846f8f -r e9ae4ed6cbc5 pages/HelpOnMoinForms --- a/pages/HelpOnMoinForms Thu Nov 07 23:52:03 2013 +0100 +++ b/pages/HelpOnMoinForms Fri Nov 08 00:13:24 2013 +0100 @@ -248,7 +248,9 @@ === Storing Submitted Form Data === -The default form handler will store submitted form data in a `forms` subdirectory of the page on which a particular form appears, with each submitted form being encoded as a dictionary represented as a value encoded using Python syntax. +The default form handler will store submitted form data in a `forms` subdirectory of the page on which a particular form appears, with each submitted form being encoded as a dictionary represented as a value encoded using Python syntax. This data can be retrieved and used to populate a given form using the `load` request parameter with a value corresponding to the number of the stored form, subject to access rules described below. + +To store form data on subpages, the `storetype` form attribute can be given as `subpage` and thus any stored forms will then reside as subpages of the page showing the form. Such subpages will bear [[HelpOnAccessControlLists|access control lists]] broadly reinforcing the policies described below. Where a user can see these subpages (in RecentChanges, for example), they should also be able to visit those pages and be shown a link to a populated instance of the form showing the data stored in the subpage. === Restricting Access to Forms === 
@@ -272,7 +274,7 @@ Here, unprivileged users - those who may have been forbidden from changing the page and thus changing the form definition - may submit the form and store their submissions. The above table also summarises the permissions that may be specified along with their effects. -The `access` keyword supports the conventional [[HelpOnAccessControlLists|ACL]] syntax, and where spaces are present in the specified value, quotes should be placed around the value itself and not the `access` keyword and equals sign as well. +The `access` keyword supports the conventional [[HelpOnAccessControlLists|ACL]] syntax, and where spaces are present in the specified value, quotes should be placed around the value itself and not the `access` keyword and equals sign as well. Note that the `acl_rights_before` setting in the wiki configuration still applies before the stated `access` policy. {{{#!wiki important Note that in practice, any user with write access to a page can change the `access` criteria and grant themselves admin access to a form. Therefore, any use of forms where users are not generally to be trusted with the submitted data or the integrity of the form definition should be protected by a page ACL that denies write access to all but privileged users. The general users of the form can then be granted write access to it specifically.
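Review bot: In the first hunk (@@ -248,7 +248,9 @@), the sentence added about the `load` request parameter says retrieval is "subject to access rules described below" but never names the permission that governs it. The value is only the number of the stored form, so the text should say which right from the table under "Restricting Access to Forms" a user must hold for `load` to succeed, and what the user sees when it is refused. The `storetype` paragraph has a similar gap: "broadly reinforcing the policies" leaves open where the subpage ACL differs from the form's `access` policy. Suggest stating exactly which rights the generated subpage ACL grants, since the same paragraph notes that these subpages are visible in RecentChanges.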
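Review bot: In the second hunk (@@ -272,7 +274,7 @@), the added sentence on `acl_rights_before` gives the ordering but not its consequence for someone writing an `access` value. If the intended meaning is that rights assigned in `acl_rights_before` are evaluated ahead of the form's `access` policy and so cannot be taken away by a restrictive `access` setting, say so directly. It would also help to say whether the same applies to the ACLs placed on subpages when `storetype` is `subpage`, so that this sentence and the subpage paragraph added earlier in the patch agree.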