Well, it all works if I force feed the params list.  If I do get it, I'll let you know.  Thanks for all the help!

No, it's just how I'm copying code into here... Here is what I am using:

^llctemp("query")="SELECT * FROM MyTable  WHERE  ((DateTime >= '2017-07-11 00:00:00') AND (DateTime <= '2017-07-18 23:59:59')) AND (Claim->Status->Name IN ('Paid')) AND (Claim->ClaimNumber = ANY (Select Claim->ClaimNumber from MyTable where Claim->ClaimNumber %INLIST ? SIZE ((10)) )) "

                   "returnParams")=1
^llctemp("returnParams",1)=$lb("2902700","2869840","2870820","")

That's my test data.  Then I say:

Set status = tRS.Execute(filterParams...)  // < -- look, I need the ... !!

Turns out I LITERALLY need the ...  ( ! )

Now I'm not getting the <LIST> but I'm also not getting data!  Sigh.  I'll get it.  I am rushing a little, so that's messing me up.  I think with all this, I can get it to work at some point.  Thanks!!
  

No, I am using %INLIST -- it's all the other where clauses that are using IN, with concatenation. I had read that %INLIST would use the same cached query, or something, so decided %INLIST was better, then ran into this problem where I now have to pass in an Execute parameter, whereas all of the other params are basically hard-coded.  

Here's a copy of my query that was built:

SELECT * FROM MyTable  

WHERE  ((DateTime >= '2017-07-11 00:00:00') AND (DateTime <= '2017-07-18 23:59:59')) AND (Claim->Status->Name IN ('Paid'))

AND (Claim->ClaimNumber = ANY (Select Claim->ClaimNumber from MyTable where Claim->ClaimNumber %INLIST ? SIZE ((10)) ))

The last line is mine.  Shoot.  It was working when I passed in a $lb like this:

set filter = $listfromstring(filterClaims)   //build my $lb() for the Execute parameter
set returnParams = $lb(filter)  //$lb($lb(1,2,3), hypothetical param2, ... ,paramN)

set param1 = $lg(returnParams,1)   //param1 = $lb(1,2,3)
// ... set paramN = $lg(filterParams,n) ...
Set status = tRS.Execute(param1)

but now, with the returnParams as an arity (that's cool, btw),  I'm getting a <LIST>.  If necessary, I'll go back to the forced "param1" thing, because this is an urgent fix.  I can play around with it later.

Yes, exactly.  We are building the sql statement line by line; the where clauses are built based on user input, and the whole mess is concatenated with actual values.  hmm.  But essentially, it looks like the params array is what I needed.  Except that I'm getting a <LIST> error, so I have to go back and look at that.  I'm on 2014.1.3.

Thanks!

Oh no, good to know about concatening values instead of using ? Execute params.  I should go rewrite the entire query!  It has so many optional parameters though, so I'll go look at the Rubens/Timothy solution.  Thanks.

So this is not a good way to build the where clause:

"Set where(16)=InstancePrefix_"PayerName IN ("_valuelist_")""

?

And by the way I like the <pre> tag - nice touch.  Can we call ..EscapeHTML or does that require a license/connection?

John, thanks for the response. I might ask this explicitly in the DC later, but I'll have to look at my notes before I do, as I'm sure I'll get some flak.  Just for informational purposes: we were instructed to restrict our users to a  single tab in our web application.  I know this is not how a web application is supposed to work (according to many users on google groups writing about this sort of thing), but the directive came from above.  I wrote simple logic to check if a user has a session already, and if so, he can't open a second tab. Sometimes, due to a bug, or timeouts on queries, the logic thinks the user has a second session when he does not.   At that point the user can't even log into the application. It's at this point that he'll have to call IT, who will have to call a developer, who can then kill his sessions manually from the management portal.  I was trying to give the users a way to "reset" or "clear" their own sessions (logging in first to a separate page perhaps) so that they can use the application again.  When I first began to look at this, I realized that most of this has to be done in the %SYS namespace; hence the problem, and its relavance to this question about changing their own password.

However, it hasn't been an issue (yet), so it's on my back burner. When it becomes an issue I'm sure I'll be back asing about it.

As always, thanks for the help.

Laura

Well, that helps.  Thanks.  I can't forsee any reason to make it more complicated, unless there is some huge benefit that I'm overlooking? Ah, I was thinking of changing the emails to a list of users, and getting their emails from the user table, so maybe that's a future benefit.

I extended the %Net.MailMessage for one object, and had such a pain of a time stuffing the To prooperty and retrieving it again (it's a list of %String). This time I was thinking a simple %String would be nice, as long as I can use it with SQL, and stuff.

Thanks,

Laura

Ah, thank you.  While playing around with ^SECURITY, I had enabled all users EXCEPT UnknownUser (of course), and after checking out the auditing area of ^SECURITY (thanks for that tip), I saw that it was indeed UnknownUser that is trying to log into the management portal.

I did not know about that step, that the CSP gateway has to log in first to serve up a page.  What user is normally used for this?

Thanks,

Laura

So, I created a new Role, called TaskAdmin.  To this role, I added 3 privs:

%Admin_Task

%DB_CACHESYS

%Development (so user could login to terminal)

I included the only tables I could find in %SYS that are relevant: 

%SYS_Task.Config

%SYS_Task.History

I added my own tables and views that use these tables.

To this role, I added a new user called task_admin, to test a query from the terminal.  i.e. I created a new user, task_admin, and added this single role.

This test user, task_admin, can run the SQL shell in the terminal and select * from %SYS_Task.History. (%SYS.Task is a different story!).  So, success.

In order for a real user to see my table, which is a mix of %SYS.Task, %SYS_Task.Histoy, and my own tables, and my own view based on those same tables, I had to add my own tables and views to the role TaskAdmin as well; but it did work finally work.

I also remembered seeing somewhere that embedded SQL  does not check SQL privs, which is maybe why I could see all this table data in the <tablePane> without adding tables. (?) I admit that the user looking at my table data did have %Admin_Task and %DB_CACHESYS privs already (from some role). But the user could not call a query/view that queried %SYS_Task.History directly until I added my own tables.

Yes, I really l mean that about the <tablePane>.  My user had the privs, but not the tables, and yet could see the data in a <tablePane>.  Is this included in embedded SQL?

So, basically I think I got it, and the real user needed my tables/view added to a role; the test user needed the %SYS tables added since he (it) was querying just the %SYS tables.

Thank you for your help!

Laura

OK, thank you; We'll have to take a look.  

I need some kind of Authenticated flag to check, and if false, use OnPreHTTP to call %response.Redirect... 

But the login page is already the Login page, which forces the user to authenticate first; it also go to the login page upon logout.

I tried this on some random web application; clicking on a bookmark brought me immediately to their login page; I didn't even have to login to get redirected.

Ooh, fun, thanks.  Can I use it with %ListOfDataTypes too?  I have both returned from methods, and I need to use them in the %session array.  

But what else?  How do you run it?  Do you need to be in a %csp session?

I have the %ALL:

%SYS>w $roles
%All

Attempt to run it as a class method:

%SYS>w ##class(%CSP.Session).LogoutAll("laura1") 
W ##CLASS(%CSP.Session).LogoutAll("laura1")
^
<METHOD DOES NOT EXIST> *LogoutAll,%CSP.Session
%SYS>

Try it with a session object:

%SYS>s session=##CLASS(%CSP.Session).%OpenId("fBOZJihk0C")
 
%SYS>w session.LogoutAll("laura1")
 
 quit $$LogoutAllUserSessions^%SYS.cspServer(username, %request, %response ) }
 ^
<UNDEFINED>zLogoutAll+1^%CSP.Session.1 *%request
 

And from a connected session with the user that needs to logout of all sessions:

ERROR #822: Access Denied
%SYS>

So I'll have to connect to the application as a developer in order to kill off sessions that are causing problems.  The user can't wipe them out himself.  I get a "problem session" if the page times out and the user kills the page; this causes the session to hang around until its timeout, and due to our specific setup, he can't log in again until the session times out or a developer kills it from Session Management. I wanted to give the user the ability to wipe out all of his own sessions.

No need to discuss grouping by sessionId or anything like that - we have a very specific setup such that flags are set and the user can't login again if he kills his page. 

Now, how can I intercept this error and call the logout? That would be better...

Thanks,

Laura

That's a good idea. For future reference, here's an example:

http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY…

(see the Example section).  I'll probably try it after consulting with some other programmers. I'm not sure it's critical to know, at this point.  But it would be interesting to know.

Thanks,

Laura

AH.  IF we use cookies, they will be stored in the Session Cookie Path.  We don't, but the Application must use at least the one login cookie to pass authentication between applications.  I can see it in my browser, and it's called CSPSESSIONID +other stuff.  

I'm thinking that this login cookie would be used somehow if the Login Cookie is selected? Or not used?  We don't want that either-- we like the continuity between applications. But, what does happen if the Login Cookie is selected in the web application?

What could we store in a cookie?  Can we possibly find out if a second tab has been opened by using a cookie?

nope.  i'm talking about Cache web applications. There are two properties onthe web application page: Loging Cookie, and Session Cookie Path.  The Session cookie path is a path.  We set all of our applications to use the same session cookie path. We do not have the Login Cookie option set.  So, presumably all of our applications use the same (cache) authentication because of the session cookie path.

Jsut wondering what would happed if I check that little Login COokie Path box.

I also see cookies in my browser, with the same session ID as some of my CSP sessions. Wondering what that cookie is.  Not a login cookie?

Thanks,

Laura