First, create a new role in the user table called "DISABLED". I contemplated using a separate flag for this purpose so the original role would be preserved. But this is easier for now, and it has the added benefit of not giving out other permissions to this account by mistake in other delegate classes based on the original role (without checking the disabled flag).
Next, implement a new action in actions.ini:
[account_disabled]
template=Dataface_Account_Disabled.html
The purpose of this action and custom template is to display a more specific error message when the user tries to log in. Otherwise, the default error message of "Permission Denied" may be somewhat misleading.
Add a new permission and associate it with the new role in permissions.ini:
disabled = "Account Disabled"
[DISABLED]
disabled = 1
Finally, the bulk of the work is done in the Application Delegate. I'm sure there are some opportunities for improvement here, but it seems to work as is:
// Permissions come straight from the user's role, so a DISABLED user
// only ever receives the "disabled" permission from permissions.ini.
function getPermissions(&$record) {
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
    $role = $user->val('role');
    $perms = Dataface_PermissionsTool::getRolePermissions($role);
    return $perms;
}

function getPreferences() {
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    // Disable all unnecessary features to unauthorized users
    $disableFeatures = array(
        'show_result_stats'=>0,
        'show_jump_menu'=>0,
        'show_result_controller'=>0,
        'show_table_tabs'=>0,
        'show_actions_menu'=>0,
        'show_tables_menu'=>0,
        'show_search'=>0,
        'show_record_actions'=>0,
        'show_recent_records_menu'=>0,
        'show_record_tabs'=>0,
        'show_record_tree'=>0,
        'show_bread_crumbs'=>0);
    if (!isset($user)) {
        return $disableFeatures;
    } else {
        $role = $user->val('role');
        if ($role == 'NO ACCESS' or $role == 'DISABLED') {
            return $disableFeatures;
        } else {
            return array();
        }
    }
}

// Runs on every request, so an account disabled mid-session is
// redirected on its next request as well as at login.
function beforeHandleRequest() {
    $app = Dataface_Application::getInstance();
    $query =& $app->getQuery();
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    // If the user is logged in with a disabled account,
    // display the account_disabled action
    if (isset($user)) {
        $role = $user->val('role');
        if ($role == 'DISABLED') {
            $query['-action'] = 'account_disabled';
        }
    }
}
I also had to add another function and a condition to the "personal tools" actions in the actions.ini file in order to remove the "My Profile" and "Change Password" links. We don't want disabled users to access these functions, and the account disabled page should be as plain as possible (devoid of these other features).
[my_profile]
condition="(df_is_logged_in() and isactive())"
[change_password]
condition="(df_is_logged_in() and isactive())"
The isactive() function is defined separately:
function isActive(){
    $user =& getUser();
    // Active means logged in with any role other than NO ACCESS or DISABLED
    if ($user and $user->val('role') <> 'NO ACCESS' and $user->val('role') <> 'DISABLED') return true;
    return false;
}
Enjoy!
Alan
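
The trade-off described at the top of the post (overwriting the role versus keeping a separate disabled flag) can be checked with a small audit, shown here as an added example that is not part of the original post or of Xataface. Closures stand in for delegate `getPermissions()` methods, and the `EDITOR` role, the `invoices` and `reports` delegates and the sample user rows are all hypothetical.

```php
<?php
// Added illustration, not Xataface code. Closures stand in for the
// getPermissions() methods of delegate classes; all names are hypothetical.

// Constructed role map mirroring the [DISABLED] section of permissions.ini.
const ROLE_PERMISSIONS = [
    'EDITOR'   => ['view' => 1, 'edit' => 1],
    'DISABLED' => ['disabled' => 1],
];

function rolePermissions(string $role): array {
    return ROLE_PERMISSIONS[$role] ?? [];   // unknown role gets nothing
}

// Three stand-in delegates. Only the first knows about a disabled flag.
$delegates = [
    'application' => function (array $u) {
        return !empty($u['disabled']) ? rolePermissions('DISABLED')
                                      : rolePermissions($u['role']);
    },
    'invoices' => function (array $u) { return rolePermissions($u['role']); },
    'reports'  => function (array $u) {
        return $u['role'] === 'EDITOR' ? ['view' => 1] : [];
    },
];

// Returns the delegates that grant a disabled user anything beyond 'disabled'.
function leakingDelegates(array $delegates, array $user): array {
    $leaks = [];
    foreach ($delegates as $name => $getPermissions) {
        $extra = array_diff_key(array_filter($getPermissions($user)), ['disabled' => 1]);
        if ($extra) {
            $leaks[$name] = array_keys($extra);
        }
    }
    return $leaks;
}

// Constructed sample rows: the same account disabled under each design.
$flagged  = ['username' => 'carol', 'role' => 'EDITOR', 'disabled' => 1];
$replaced = ['username' => 'carol', 'role' => 'DISABLED'];

print_r(leakingDelegates($delegates, $flagged));   // flag design
print_r(leakingDelegates($delegates, $replaced));  // role overwritten
```

Running the same audit against real delegate classes with a disabled test account shows which ones would need an explicit flag check if the flag design were chosen instead.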