I’m looking for some guidance on how to build a secure system where users submit an unsecured form which will then push the data to a “temp” table, create a user account and send an e-mail to them with a randomized password. Once they log in with this new information, the data in the Temp table gets pushed into an official state/table. Each user would then only be able to see/update their individual entry, nothing else, but admin would have a separate area with full access for their needs.
This will obviously be using the Advanced Template with RBAC.
Are there any guides, samples, best practices for such a setup?
Thank you in advance, I truly appreciate any guidance you can provide on the matter!
The current advanced template provides for this requirement to some extent. First of all, I would not recommend creation of a temp table and copying data over. That is a lot of trouble for nothing. The Advanced template allows a person to register and the user has to validate the email to allow access. This is a simpler and preferred approach that I believe satisfies your requirement.
For the restriction that only the user can update his/her profile: I assume in this case you have a new profile table that is a 1:1 relationship with the default user table created by the Advanced Template. You may add fields to the default user table instead, although I try to keep that user table pristine and not mess with it. Once you have the profile table, add a condition to the update query that the controller uses, to query only the record created by the said user. You can use the audit fields or better yet use the relationship field between the user table and profile table. On profile creation you will have to create the relationship between the user and your profile table.
Hope that helps and this does NOT require RBAC, but will require Advanced Template where most of this work is done for you.
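As an added illustration of the owner-scoped update query described in the answer above (example code, not from the original post): it assumes the Yii2 Advanced Template, a hypothetical `profile` table with a `user_id` foreign key to `user.id`, and a hypothetical `frontend\models\Profile` ActiveRecord for it.

```php
<?php
// Added example, not from the original post. Assumes Yii2 Advanced Template and a
// hypothetical `profile` table (1:1 with `user`) exposed through frontend\models\Profile.
namespace frontend\controllers;

use Yii;
use yii\web\Controller;
use yii\web\NotFoundHttpException;
use yii\filters\AccessControl;
use frontend\models\Profile; // hypothetical ActiveRecord for the profile table

class ProfileController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                // '@' = any authenticated user; no RBAC roles are needed for this restriction.
                'rules' => [['allow' => true, 'roles' => ['@']]],
            ],
        ];
    }

    public function actionCreate()
    {
        $model = new Profile();
        // Create the user<->profile relationship server-side; never take user_id from the form.
        // (Keep user_id out of the model's `safe` rules so load() cannot overwrite it.)
        $model->user_id = Yii::$app->user->id;
        if ($model->load(Yii::$app->request->post()) && $model->save()) {
            return $this->redirect(['update', 'id' => $model->id]);
        }
        return $this->render('create', ['model' => $model]);
    }

    public function actionUpdate($id)
    {
        $model = $this->findOwnModel($id);
        if ($model->load(Yii::$app->request->post()) && $model->save()) {
            return $this->redirect(['update', 'id' => $model->id]);
        }
        return $this->render('update', ['model' => $model]);
    }

    // Plain Profile::findOne($id) would let any logged-in user edit any profile by
    // changing the id in the URL. Scoping by the relationship field (user_id) makes
    // another user's record indistinguishable from a nonexistent one.
    protected function findOwnModel($id)
    {
        $model = Profile::find()
            ->where(['id' => $id, 'user_id' => Yii::$app->user->id])
            ->one();
        if ($model === null) {
            throw new NotFoundHttpException('The requested profile does not exist.');
        }
        return $model;
    }
}
```

The admin area mentioned in the question would live in a separate controller (the backend app in the Advanced Template) whose lookup is not scoped by `user_id`, so the two access levels never share a code path.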