Dhananjay_Patil
Helper IV

How to execute FetchXML query on button click

Hello

I am using FetchXML to fetch entity records, but how can I pass dynamic parameters in FetchXML and execute the FetchXML query on a particular event like a button click in PowerApps Portal?

Example:
I want to execute the FetchXML query below on button click, with some dynamic parameters in the value field:
{% fetchxml DataList %}
<fetch version="1.0" mapping="logical" top="50">
    <entity name="contact">
        <filter>
            <condition attribute="fullname" operator="eq" value="Dhananjay"/>
        </filter>
    </entity>
</fetch>
{% endfetchxml %}

 


Hello @justinburch 

When I hit the URL generated in the GET method in the browser, all the response data shows in the browser.

How can I apply security to this GET request?

Hi @Dhananjay_Patil,

Your security should be built in - that is, you should only be returning data you would typically show end users. If there are extra fields, remove those from the JSON response in the API's web template. If you only need one record, don't use a forloop - change it to something like:

{% assign fullname = params.fullname %}
{% fetchxml DataList %}
<fetch version="1.0" mapping="logical" top="50">
    <entity name="contact">
        <attribute name="contactid" />
        <attribute name="fullname" />
        <filter>
            <condition attribute="fullname" operator="eq" value="{{ fullname | xml_escape }}"/>
        </filter>
    </entity>
</fetch>
{% endfetchxml %}
{
  "result": {
    {% if DataList.results.entities.size > 0 %}
      {% assign result = DataList.results.entities[0] %}
      "id": "{{ result.contactid | escape }}",
      "name": "{{ result.fullname | escape }}"
    {% endif %}
  }
}

 If you're seeing more records than you should, then you might need to investigate your entity permissions to make sure users have appropriate security in place.
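Added example, not part of the original thread: a button-click handler that calls the JSON web template above with a dynamic `fullname` parameter and treats the response as untrusted data. The page path `/contact-lookup/` and the element ids are hypothetical, and the template is assumed to emit valid JSON of the shape `{"result": {"id": ..., "name": ...}}`.

```javascript
// Added example; LOOKUP_PATH and the element ids are hypothetical.
const LOOKUP_PATH = "/contact-lookup/"; // assumed page that renders the JSON web template
const GUID_RE = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// Build the GET URL; URLSearchParams percent-encodes the user-supplied value.
function buildLookupUrl(fullname) {
  const qs = new URLSearchParams({ fullname: String(fullname).trim() });
  return `${LOOKUP_PATH}?${qs}`;
}

// Parse the template output. Returns {id, name}, or null when the result is
// empty (no match, or entity permissions returned nothing to this user).
function parseLookupResponse(text) {
  let body;
  try {
    body = JSON.parse(text);
  } catch {
    return null; // e.g. a sign-in or error page came back instead of JSON
  }
  const r = body && body.result;
  if (!r || typeof r.id !== "string" || !GUID_RE.test(r.id)) return null;
  return { id: r.id.toLowerCase(), name: typeof r.name === "string" ? r.name : "" };
}

async function lookupContact(fullname) {
  const resp = await fetch(buildLookupUrl(fullname), {
    credentials: "same-origin", // send the portal session cookie so entity permissions apply
    headers: { Accept: "application/json" },
  });
  return resp.ok ? parseLookupResponse(await resp.text()) : null;
}

// Wire up the button only when running in a browser.
if (typeof document !== "undefined") {
  document.getElementById("lookupBtn").addEventListener("click", async () => {
    const input = document.getElementById("fullnameInput").value;
    const contact = await lookupContact(input);
    // textContent, not innerHTML: the returned name is data, never markup.
    document.getElementById("lookupResult").textContent =
      contact ? `${contact.name} (${contact.id})` : "No matching contact.";
  });
}
```

An empty `result` object is handled the same way as "no match", which is what an anonymous or under-privileged caller gets back when entity permissions filter the query.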

Hello @justinburch 

Agree with your point

Can we have more security while calling GET API by adding session token or anything else?

Hi @Dhananjay_Patil,

You shouldn't really need session tokens, as your portal's default CORS policy will prevent outside use, and the query enforces entity permissions (so if you try to use while anonymous, unless you've set up anonymous permissions it should return empty).

Security should really be driven by entity permissions. You only have access to the URL parameters in Liquid, and for anything more sophisticated you'll need to put the actual retrieval logic in a plugin or external API. If the former, you could try to emulate the marketing app and see if you can verify the __RequestVerificationToken available on all pages, and if the latter, you'll need to use implicit grant flow mentioned previously.

I really think that as long as you have put decent thought into both your entity permissions and your JSON response object you shouldn't have concerns. More information on how you set it up would give me more ability to provide insight, but I'm not sure how necessary it is.
