14.3. Understanding InfoPath Security

There are three basic scenarios that a form template must support.

First, you need a way to simply gather data without any special programming or logic. You just want to present a simple dialog to users and let them fill in the fields you have declared in the form schema. Then you want to work with the data they have entered.

In the second scenario, you want to make the form more intelligent and dynamically control what data the user can enter. For example, you might have a list of departments in a SharePoint list, and you want to let the user choose a department name from a dropdown list in the form. For that, you need to put some code in the form to retrieve the list of departments from SharePoint and display them to the user, and so on.

In the third scenario, you need to add more sophisticated logic to the form. For instance, you might need to invoke some supporting code to validate the data, or you may want to include special programming for submitting the form data. These kinds of situations require writing managed code that is attached to the form and is executed on each machine where the form is installed.

Each of these scenarios maps broadly to one of three security modes that InfoPath recognizes. They are, respectively, restricted mode, domain security mode, and full trust security mode.

14.3.1. Restricted Security Mode

Consider the case where you only need to retrieve some data fields from the user. One way to do that might be to copy the XSN file to a central file share or send the XSN file to the user via email.

Outlook 2007 has been enhanced to enable users to fill out attached XSN files directly within the email editing environment. This only works for restricted mode templates and only for recipients who also have Outlook 2007 installed.

In restricted mode, the form contains no code and is simply a container for data as described by the form schema. When a form template is published in restricted mode, a special marker is placed in the file.

Restricted mode has its advantages for developing business process automation solutions in SharePoint. Imagine a form that gathers data that is then used to create items and documents in one or more SharePoint document libraries. By coding the form for restricted mode, you could gather the data by sending the form as an email attachment. Outlook 2007 users could then fill out the form directly within Outlook and then forward it to an email-enabled form library to which you've attached a custom event receiver that decodes the form and performs the appropriate steps based on the data in the form.

14.3.2. Domain Security Mode

Domain security mode means that the form cannot connect to any server other than its host. This imposes limitations on how the form is coded. If a form is intended to be run in a browser, then it cannot have any code at all. If it does, then the form validation will fail and the form may not run correctly when deployed. Forms that run in the InfoPath client may contain code and can connect to resources on the same server. This is ideally suited to forms that are deployed to a SharePoint site that need to reference lists in the same domain. These types of forms can reference lists on other domains by using a data connection from a trusted data connection library in a site within the same domain.

14.3.3. Full Trust Security Mode

Fully trusted forms are either digitally signed or have been installed on the machine on which they are run. This includes the SharePoint server, meaning that an administrator has to install a form to the SharePoint server farm before it is fully trusted. It is not enough to simply upload and enable the form. The administrator must have direct access to the server machine so that the form can be properly registered. Once it has been properly registered, a fully trusted form can perform any function the developer can dream up, including accessing data from multiple servers on any domain and calling managed code. Forms that have been uploaded and installed on the server farm can be executed directly within the InfoPath client without being installed on the client machine.
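The three modes can be read back out of a template when reviewing what has been published or received by email. The following is an added example, not code from the book: it assumes `manifest.xsf` has already been extracted from the XSN (a CAB archive) and that the mode is recorded in the `trustLevel` and `requireFullTrust` attributes of `xsf:xDocumentClass` as defined in the InfoPath XSF schema, names this page does not give. The sample manifests and file names are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: namespace and attribute names follow the InfoPath XSF schema;
# the page itself only says "a special marker is placed in the file".
XSF_NS = "http://schemas.microsoft.com/office/infopath/2003/solutionDefinition"


def security_mode(manifest_xml: str) -> str:
    """Classify a manifest.xsf as 'restricted', 'domain' or 'full trust'."""
    # Templates can arrive as email attachments, so treat the XML as untrusted:
    # refuse DTDs outright to avoid entity-expansion tricks in the parser.
    if "<!DOCTYPE" in manifest_xml.upper():
        raise ValueError("DOCTYPE not allowed in manifest.xsf")
    root = ET.fromstring(manifest_xml)
    if root.tag != f"{{{XSF_NS}}}xDocumentClass":
        raise ValueError("not an InfoPath form definition")
    # A full trust request overrides whatever trustLevel says.
    if root.get("requireFullTrust", "no").lower() == "yes":
        return "full trust"
    level = root.get("trustLevel", "domain").lower()  # assumed default: domain
    if level not in ("restricted", "domain"):
        raise ValueError(f"unknown trustLevel: {level!r}")
    return level


def needs_admin_review(manifests: dict) -> list:
    """Names of templates that ask for full trust and so need signing or
    administrator installation before they should be allowed to run."""
    return sorted(name for name, xml in manifests.items()
                  if security_mode(xml) == "full trust")


# Constructed sample manifests, one per security mode.
SAMPLES = {
    "survey.xsn": f'<xsf:xDocumentClass xmlns:xsf="{XSF_NS}" '
                  'trustSetting="manual" trustLevel="restricted"/>',
    "departments.xsn": f'<xsf:xDocumentClass xmlns:xsf="{XSF_NS}" '
                       'trustLevel="domain"/>',
    "expenses.xsn": f'<xsf:xDocumentClass xmlns:xsf="{XSF_NS}" '
                    'requireFullTrust="yes"/>',
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name}: {security_mode(xml)}")
    print("review before deployment:", needs_admin_review(SAMPLES))
```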
