    • Jake Howlett
    • Posted on Thu 25 Sep 2008 02:02 AM

    Thanks for all the feedback, guys! All very thought-provoking and useful stuff. Sorry I left in the middle of it.

    Weirdly, I still just can't get Mats code to work as expected and see the same result as I did 4 years ago (I'd half forgotten about that post, Jay) where the two reported values are the same. Matt Holthe's solution of setting the context document to nothing and back again still works, but I think I now prefer the db.getView("AllByUNID").getDocumentByKey(context.UniversalID) trick to get the backend document.

    However I still think I prefer Tommy's solution of putting access-restricted fields on a subform that normal users don't see. The only downside to this being that the fields in the subform don't get added to a *new* document following a ?OpenForm/CreateDocument request.

    Mark C. Disabled fields don't get submitted to the server by the browser. Yes, Firefox could re-enable the fields.

    As for using temporary documents for the user and real ones in the backend, which the user can't access, this is something I'd try and avoid if I can, for the obvious reasons.

    It's not that I have a current requirement that demands this level of paranoia. It's just that I've been doing quite a bit of work with XSS-prevention and editing hidden fields was one area I was looking into. More later...
