Many users of PHPM sites need to work on multiple records at the same time, so they open them in different browser tabs, but this can result in data corruption if master-detail tables are involved.
Imagine that you have a parent table (Companies) and a detail table (Staff)…
Begin on the list page of the Companies table, then:
1) view Company #1 in a new tab and click the “Staff†button to display the Company #1 employee records (master-detail page)
2) view Company #2 in a new tab and click the “Staff†button to display the Company #2 employee records (master-detail page)
3) switch to the Company #1 tab and click the “Add†button to add a new employee under Company #1
When that new employee record is saved:
a) it will actually be assigned to Company #2 when it should be assigned to Company #1
b) the master-detail page that displays after saving the record will show Company #2 information (along with the incorrectly-assigned employee record) – not Company #1 information as it should
This is because PHPM is taking the parent ID from the session, rather than from a hidden input / GET parameter passed through from the parent page.
The "session" approach is fine if users could be restricted updating one parent record at a time... but that's not possible.
There is a similar issue when editing detail records…
Begin on the list page of the Companies table, then:
1) view Company #2 in a new tab, click the “Staff†button to display the Company #2 employee records (master-detail page) and edit one of them
2) view Company #1 in a new tab and click the “Staff†button to display the Company #1 employee records (master-detail page)
3) switch back to the tab showing the edit page of the Company #2 employee
When saving that employee record:
a) it will be re-assigned to Company #1 when it should stay under Company #2
b) the master-detail page that displays afterwards shows Company #1 (and the re-assigned employee record) rather than the Company #2 details (the company that was being updated)
Please implement a secure fix for this issue ASAP.