Now that I have set up Apache to forward requests with appropriate authentication headers, I notice that I can use this server like a second Orbeon Forms server. I'd like to prevent this to avoid confusing my users. Is there a subset of URIs that I can allow through the proxy that will enable the embedding API to function without allowing access to everything?
Sometimes complex forms take a little while to load when embedded in a page. Is there any way to bind an event listener to the embedded form to let me know when it is loaded? I'd like to be able to display a loading message and hide that message once the form loads.
Right now I use roles to set the visibility of various buttons on the form. Is there a way to control form visibility based upon whether the form is being embedded? I'd like to allow the use of the PDF button in the standard interface, but hide it when embedded because it doesn't work.
Thank you for the link to the client-side JavaScript API documentation. I totally missed that! I think it might be helpful to include a link there from https://doc.orbeon.com/form-runner/link-embed/javascript-api too.
I think we may be talking past each other a little bit with regard to access control. I am not allowing direct access to Orbeon Forms. All access is mitigated by a proxy. I would like to prohibit all requests through the proxy that are not necessary for the form I am embedding. For example, if all traffic generated by embedding a form is directed to paths below /orbeon/xforms-server/ then I could completely disallow paths below /orbeon/fr/ through the proxy. What is the minimal set of paths I need to allow through the proxy to enabled a form to be embedded with the JavaScript embedding API?
I'm following the example for setting a control value found at https://doc.orbeon.com/form-runner/api/other-apis/form-runner-javascript-api#setting-a-controls-value . It seems that ORBEON.fr.API.findControlsByName('control-name') cannot locate a control that isn't found on the currently active section of the wizard. Is there a way for me to set the value of a hidden control from JavaScript while handling the orbeonLoaded event?
In regard to the headers passed for header-driven authentication, is there any negative consequences of choosing not to pass a group? A single group per user is not useful in my application so I am using roles instead.
I think we may be talking past each other a little bit with regard to access control. I am not allowing direct access to Orbeon Forms. All access is mitigated by a proxy. I would like to prohibit all requests through the proxy that are not necessary for the form I am embedding. For example, if all traffic generated by embedding a form is directed to paths below /orbeon/xforms-server/ then I could completely disallow paths below /orbeon/fr/ through the proxy. What is the minimal set of paths I need to allow through the proxy to enabled a form to be embedded with the JavaScript embedding API?Got it! Good question, I don't have a list of paths you can exclude, and am just thinking "out loud" here: those requests should only be for the XForms server and assets (JavaScript, CSS, images), so a possible strategy might be only allow POSTs to `/xforms-server` and `/xforms-server/upload`, allow GET only if the content type returned by Orbeon Forms is different than `text/html`, and refuse all other methods?
I'm following the example for setting a control value found at https://doc.orbeon.com/form-runner/api/other-apis/form-runner-javascript-api#setting-a-controls-value . It seems that ORBEON.fr.API.findControlsByName('control-name') cannot locate a control that isn't found on the currently active section of the wizard. Is there a way for me to set the value of a hidden control from JavaScript while handling the orbeonLoaded event?The JavaScript code shouldn't be allowed to do something that the user isn't allowed to do, since the user can run JavaScript, so yes, you can't access fields in sections other than the one currently shown with JavaScript. Maybe you can move those fields to the first section?
I plan to work around this by assigning a different role when accessing through the embedding proxy than through the Orbeon Forms Server proxy. And then I will write conditions in my properties-local.xml to hide or show the appropriate buttons based upon the context determined from the roles. This would be made much easier if I could simply ask if the form was embedded.
I would argue that the user _can_ edit the field just not until the wizard section switches.
There is no such function right now, but it could be added fairly easily, I think, and I've created an RFE for this. https://github.com/orbeon/orbeon-forms/issues/4976