I have a number of applications that all use the authentication scheme that installs when you choose to add the 'Access Control' page, (APEX_ACCESS_CONTROL & APEX_ACCESS_SETUP) I also have a simple function that checks the user is in the table SS_USERS
create or replace FUNCTION ss_custom_auth ( p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS BEGIN For c1 IN (SELECT 1 FROM ss_users WHERE upper (userid) = upper (p_username) AND upper (password) = upper (p_password)) LOOP RETURN TRUE; END LOOP; RETURN FALSE; END;
The APEX_ACCESS_CONTROL works well allowing controls, pages, etc to be hidden or denied to anyone who is not an administrator. My problem is that anyone in the table SS_USERS can access all applications the ss_custom_auth is assigned to. Even if they are not in the 'Access Control List' when 'Restricted Access' is set, I am missing something. The authentication scheme seems to be ignoring the 'SETUP_ID' in the 'APEX_ACCESS_CONTROL' table.
Should my function somehow contain a reference to the setup_id? Can someone suggest where I am going wrong?