How to use Security filters to hide records from certain users

Use security filters to block users from seeing certain records.

It may be the case that you only want users to be able to see their own records in a table. You might be using something like an "owner_id" field in the table to track which user "owns" each record, and you want the "list" view to show only the records that are owned by the logged-in user.

This can be achieved using the [__filters__] section in your fields.ini file. See the __filters__ manual page for more information about this section.

Different filtering for different users

The __filters__ section of the fields.ini file will work great if you want every user to be subject to the same filter. However, if you want to be able to apply different filters to different users (e.g. Admin users aren't subject to filters, but the other users are), then you'll need to use some PHP.

The Dataface_Table class (as of version 0.6.13) has a setSecurityFilter() method that allows you to apply a security filter to the table. An appropriate place to apply this security filter might be in your Application Delegate class's getPreferences() method. For example:

function getPreferences(){
    $mytable =& Dataface_Table::loadTable('my_table'); // load the table named 'my_table'
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( $user and $user->val('rol') != 'ADMIN' ){
        // Apply the security filter to logged-in users who are not admins.
        // 'rol' is the column of the users table holding the role; 'user_id' is the user's ID column.
        $mytable->setSecurityFilter(array('owner_id' => $user->val('user_id')));
    }
    return array(); // Mandatory!! getPreferences() must return an array.
}
This makes it so that logged-in users who are not administrators only see records in the 'my_table' table that they own. Note that the condition `$user and ...` is false when nobody is logged in, so anonymous visitors receive no filter at all; if the table is reachable without logging in, handle that case explicitly rather than relying on this check.
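The following is an added example, not code from the Xataface manual or project, showing the same idea carried a little further: one helper decides which filter a user gets, the decision is applied to every owner-scoped table, and a visitor who is not logged in gets a filter that matches nothing instead of no filter. The table names 'my_table' and 'my_notes', the role column 'rol', the ID column 'user_id' and the sentinel value -1 are assumptions; it also assumes, as in Xataface's URL query syntax, that a value prefixed with '=' forces an exact match.

```php
<?php
// Added example (not from the Xataface manual): an Application Delegate
// (conf/ApplicationDelegate.php) that applies per-user security filters to
// several tables and treats "not logged in" as "see nothing" rather than
// "see everything", which is what a bare `if ($user and ...)` check gives.
//
// Assumptions (hypothetical, adjust to your schema):
//   - tables 'my_table' and 'my_notes' both have an INT column 'owner_id'
//   - the users table has columns 'user_id' and 'rol' (role); 'ADMIN' means
//     "no filter"
//   - no row ever has owner_id = -1, so '=-1' is a filter that matches nothing
//   - filter values use Xataface query syntax, so '=5' is an exact match
class conf_ApplicationDelegate {

    // Tables that carry an owner_id column and must be filtered.
    private $ownedTables = array('my_table', 'my_notes');

    /**
     * Decide which filter (if any) a user gets for owner-scoped tables.
     * Returns null for "no filter", otherwise an array suitable for
     * Dataface_Table::setSecurityFilter().
     */
    function securityFilterFor($role, $userId) {
        if ($role === 'ADMIN') {
            return null;                       // admins see every record
        }
        if ($userId === null) {
            // Anonymous visitor: filter on a sentinel owner that no row has,
            // so the list is empty instead of unrestricted.
            return array('owner_id' => '=-1'); // hypothetical sentinel
        }
        // intval() plus the '=' prefix: an exact match built from a number,
        // never from free text taken from the session or request.
        return array('owner_id' => '=' . intval($userId));
    }

    function getPreferences() {
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();

        $role   = $user ? $user->val('rol')     : null;
        $userId = $user ? $user->val('user_id') : null;

        $filter = $this->securityFilterFor($role, $userId);
        if ($filter !== null) {
            foreach ($this->ownedTables as $tableName) {
                $table =& Dataface_Table::loadTable($tableName);
                $table->setSecurityFilter($filter);
            }
        }
        return array(); // getPreferences() must return an array
    }
}
```

A security filter only narrows which records a user can list and open; it is only as strong as the column it keys on. If ordinary users can edit owner_id themselves, they can hand a record to someone else or take one by guessing its ID, so keep that column out of their editable fields and combine the filter with the table's permissions.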
(c) 2005-2024 All rights reserved