1.1 --- a/pages/HelpOnMoinForms Thu Nov 07 23:52:03 2013 +0100
1.2 +++ b/pages/HelpOnMoinForms Fri Nov 08 00:13:24 2013 +0100
1.3 @@ -248,7 +248,9 @@
1.4
1.5 === Storing Submitted Form Data ===
1.6
1.7 -The default form handler will store submitted form data in a `forms` subdirectory of the page on which a particular form appears, with each submitted form being encoded as a dictionary represented as a value encoded using Python syntax.
1.8 +The default form handler will store submitted form data in a `forms` subdirectory of the page on which a particular form appears, with each submitted form being encoded as a dictionary represented as a value encoded using Python syntax. This data can be retrieved and used to populate a given form using the `load` request parameter with a value corresponding to the number of the stored form, subject to access rules described below.
1.9 +
1.10 +To store form data on subpages, the `storetype` form attribute can be given as `subpage` and thus any stored forms will then reside as subpages of the page showing the form. Such subpages will bear [[HelpOnAccessControlLists|access control lists]] broadly reinforcing the policies described below. Where a user can see these subpages (in RecentChanges, for example), they should also be able to visit those pages and be shown a link to a populated instance of the form showing the data stored in the subpage.
1.11
1.12 === Restricting Access to Forms ===
1.13
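Review bot: In the added sentence about the `load` request parameter, "subject to access rules described below" does not say which of the permissions in the later table governs loading a stored form, and since stored forms are addressed by number, a reader cannot tell from this text who may retrieve which submission. Suggest naming the required permission here. In the new `storetype` paragraph, "broadly reinforcing" is too loose for a statement about ACLs: say exactly which ACL is written to each subpage and how it is derived from the form's `access` value, and state what a user sees if they can reach the subpage (via RecentChanges, as mentioned) but are not permitted to load the form data. It would also help to name the default `storetype` value so the `subpage` option has something to be contrasted with.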
1.14 @@ -272,7 +274,7 @@
1.15
1.16 Here, unprivileged users - those who may have been forbidden from changing the page and thus changing the form definition - may submit the form and store their submissions. The above table also summarises the permissions that may be specified along with their effects.
1.17
1.18 -The `access` keyword supports the conventional [[HelpOnAccessControlLists|ACL]] syntax, and where spaces are present in the specified value, quotes should be placed around the value itself and not the `access` keyword and equals sign as well.
1.19 +The `access` keyword supports the conventional [[HelpOnAccessControlLists|ACL]] syntax, and where spaces are present in the specified value, quotes should be placed around the value itself and not the `access` keyword and equals sign as well. Note that the `acl_rights_before` setting in the wiki configuration still applies before the stated `access` policy.
1.20
1.21 {{{#!wiki important
1.22 Note that in practice, any user with write access to a page can change the `access` criteria and grant themselves admin access to a form. Therefore, any use of forms where users are not generally to be trusted with the submitted data or the integrity of the form definition should be protected by a page ACL that denies write access to all but privileged users. The general users of the form can then be granted write access to it specifically.
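Review bot: The added sentence on `acl_rights_before` states that the setting "still applies" but not the consequence, which is the part an administrator needs: anyone granted rights by `acl_rights_before` keeps them on the form regardless of how restrictive the `access` value is. Suggest saying that explicitly, and also stating whether `acl_rights_default` and `acl_rights_after` are consulted when evaluating `access`, since the sentence mentions only one of the related configuration settings. Because this affects who can reach submitted data, it may fit better inside the `important` box that follows than at the end of the paragraph about quoting.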