I have a number of applications that all use the authentication scheme that installs when you choose to add the 'Access Control' page, (APEX_ACCESS_CONTROL & APEX_ACCESS_SETUP) I also have a simple function that checks the user is in the table SS_USERS
create or replace FUNCTION ss_custom_auth (
p_username IN VARCHAR2,
p_password IN VARCHAR2)
RETURN BOOLEAN IS
For c1 IN (SELECT 1
WHERE upper (userid) = upper (p_username)
AND upper (password) = upper (p_password))
The APEX_ACCESS_CONTROL works well allowing controls, pages, etc to be hidden or denied to anyone who is not an administrator. My problem is that anyone in the table SS_USERS can access all applications the ss_custom_auth is assigned to. Even if they are not in the 'Access Control List' when 'Restricted Access' is set, I am missing something. The authentication scheme seems to be ignoring the 'SETUP_ID' in the 'APEX_ACCESS_CONTROL' table.
Should my function somehow contain a reference to the setup_id? Can someone suggest where I am going wrong?