[Solved] Groups & Permissions Questions

A place for users and developers of the Xataface to discuss and receive support.

Postby silma » Thu May 07, 2009 8:53 am

Hello,

First of all, please do not pay attention to my poor English...

Thank you for this application. It works like a charm, and the documentation is really useful.


I still have a few questions regarding user permissions.
I've searched the forum, but I didn't find what I'm looking for. :oops:


I need 3 levels of permissions, and I've got trouble with the third.

1- Admin: all access to everything
2- Users: all access to their own records
3- Super Users: read access to the records of some of the users (but not all)

For example:
Super User 1: access to the records of Users A, B, D
Super User 2: access to the records of Users C, E, F

I'm afraid that what I really need is not a "belongs to" relationship, like we do with an "owner_id" on each table, but a "many to many" relationship, and I don't know how I could do that with setSecurityFilter.

Or maybe I am completely wrong, and there's a much simpler way to do it?

Can you give me a hint ?
Last edited by silma on Thu Apr 21, 2011 2:29 am, edited 1 time in total.
silma
 
Posts: 87
Joined: Tue Apr 28, 2009 11:47 pm

Postby shannah » Thu May 07, 2009 9:52 am

This isn't terribly difficult to do, but you need to take care to consider performance very carefully.

One way to do it is to create a table to track the relation between super user and record.

e.g.
Code:
create table roles (
   record_id INT(11) not null,
   username varchar(32) not null,
   role enum('REGULAR USER', 'SUPER USER'),
   primary key (record_id,username)
);


Then you create a relationship from your table to this roles table:
Code:
[roles]
    __sql__ = "select * from roles where record_id='$record_id'"


Then you can graft a column onto your records table to track the current user's role. Normally we would just implement the __sql__ parameter in the fields.ini file, but in this case the sql query depends on the logged in user, so we'll implement the __sql__() method in the delegate class instead:

Code:
function __sql__(){
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    $username = '';
    if ( $user ) $username = $user->val("username");
    // Escape the username before splicing it into the SQL. It comes from a
    // database row, but a stored username containing a quote would otherwise
    // break the query, or let that user rewrite the join condition and pick up
    // roles rows that belong to other users.
    $username = addslashes($username);
    // Left join, so 'role' is NULL for records the current user has no roles row for.
    return "select rec.*, ro.role from records rec left join roles ro on (rec.record_id=ro.record_id and ro.username='".$username."')";
}


So now your records table effectively has a column called 'role' that specifies the current user's role with respect to the record.

You can then easily define your getPermissions method on the records table as follows:

Code:
function getPermissions(&$record){

    if ( $record and $record->val('role')=='SUPER USER' ){
        // return super user permissions, e.g. a read-only role from permissions.ini
        return Dataface_PermissionsTool::getRolePermissions('READ ONLY');
    } else {
        // return different permissions (non super user)
        return Dataface_PermissionsTool::NO_ACCESS();
    }
}




Hopefully this helps.

Note there are other strategies to achieve this goal, but keep in mind, for any strategy you should try to keep your getPermissions() method lean because it could be called hundreds of times per request.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby silma » Thu May 07, 2009 11:30 am

Thanks a lot for this quick response, I'll try that!
silma
 
Posts: 87
Joined: Tue Apr 28, 2009 11:47 pm

Postby silma » Mon May 11, 2009 7:08 am

Hello,

It took me some work to understand it well, but your solution is now working on my localhost, so thanks again!

I still have an issue, which may come from the left join:

I cannot add records anymore in the table where the permissions system works.

When I choose "add record", only the "register" button appears, not the fields.

And, of course, if I try to push the register button it tells me "Could not insert record "NO ACCESS" from table "mytable" because you have insufficient permissions", which is logical: I have not set a role for records that don't exist...

I'll continue to search :D
silma
 
Posts: 87
Joined: Tue Apr 28, 2009 11:47 pm

Postby shannah » Mon May 11, 2009 11:38 am

Make sure that your role includes the 'new' permission.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby fongchun » Mon May 11, 2009 11:39 am

Can you post your relevant code? As in which table has the permissions, etc.?
fongchun
 
Posts: 30
Joined: Sun Aug 03, 2008 12:23 am
Location: Vancouver, BC

Postby silma » Tue May 12, 2009 2:39 am

Hello,

In fact, I've made two mistakes: one in my getPermissions function, with the "return" statement, and the other in choosing the role I extended (Owner).


It's too early to declare victory, but it seems to work for now.

I'll try to extend this permission system to all of my app and do some tests.

When I'm sure everything is fine, I'll post my code here: if somebody has the same need, it may help.

Thanks again!

Edit: I realized I forgot to post the code before, so here it is:

The roles table is as described by Steve.

Other tables should have a field that indicates their membership; mine is "MouvrageID".


In the table delegate class:
Code:
class tables_compteur {

    // Graft the current user's Role onto each compteur row (NULL if none).
    function __sql__(){
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();
        $username = '';
        if ( $user ) $username = $user->val("Username");
        // Escape before concatenating into SQL: a username holding a quote
        // must not be able to rewrite the join condition.
        $username = addslashes($username);
        return "select compteur.*, roles.Role FROM compteur LEFT JOIN roles ON (compteur.MouvrageID=roles.record_id and roles.Username='".$username."')";
    }

    function getPermissions(&$record){
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();
        if ( $user and $user->val('isadmin')==1 ){
            return Dataface_PermissionsTool::ALL();
        } else if ( $record and $record->val('Role')=='SUPERUTILISATEUR' ){
            return Dataface_PermissionsTool::getRolePermissions('SUPERUTILISATEUR');
        } else if ( $record and $record->val('Role')=='OPERATEUR' ){
            return Dataface_PermissionsTool::getRolePermissions('OPERATEUR');
        } else {
            // No roles row for this user and record (this includes new records).
            return Dataface_PermissionsTool::getRolePermissions('PAS ACCES');
        }
    }
}


permissions.ini:
Code:
[SUPERUTILISATEUR extends READ ONLY]

[VOIR extends READ ONLY]

[OPERATEUR extends OWNER]
delete found=1

[ADMINISTRATEUR extends ADMIN]

[PAS ACCES extends NO ACCESS]
list=1

silma
 
Posts: 87
Joined: Tue Apr 28, 2009 11:47 pm
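As an added example that is not part of this thread or of Xataface itself, here is the design from Steve's answer and the delegate class above, modelled in Python with an in-memory SQLite database: a compteur table, a roles table keyed on (record_id, Username), the LEFT JOIN that grafts the current user's Role onto each row, and a getPermissions() lookalike that resolves the permissions.ini roles, including the new-record case where no roles row exists. The table and role names are taken from the thread; the sample rows, the simplified stand-ins for Xataface's built-in READ ONLY, OWNER and ADMIN roles, and the two query functions are assumptions made for the example. The unsafe query is included only to show why the username must be bound (or escaped) rather than concatenated into the join condition.

```python
import sqlite3

# Constructed sample data for this example (not from the thread):
# two compteur rows owned by different "ouvrages", and a roles table.
RECORDS = [(1, 10, "meter A"), (2, 20, "meter B")]
ROLES = [(10, "alice", "SUPERUTILISATEUR"), (20, "bob", "OPERATEUR")]

# Simplified stand-ins for Xataface's built-in roles (assumption: the real
# definitions in Xataface's permissions.ini grant more than this).
BASE_ROLES = {
    "NO ACCESS": set(),
    "READ ONLY": {"view", "list", "find", "navigate"},
    "OWNER": {"view", "list", "find", "navigate", "edit", "new", "delete"},
    "ADMIN": {"view", "list", "find", "navigate", "edit", "new", "delete",
              "delete found"},
}
# The thread's permissions.ini: role -> (parent role, extra permissions).
CUSTOM_ROLES = {
    "SUPERUTILISATEUR": ("READ ONLY", set()),
    "VOIR": ("READ ONLY", set()),
    "OPERATEUR": ("OWNER", {"delete found"}),
    "ADMINISTRATEUR": ("ADMIN", set()),
    "PAS ACCES": ("NO ACCESS", {"list"}),
}


def role_permissions(role):
    """Flatten an 'X extends Y' chain into the set of granted permissions."""
    if role in BASE_ROLES:
        return set(BASE_ROLES[role])
    parent, extra = CUSTOM_ROLES[role]
    return role_permissions(parent) | extra


def build_db():
    """In-memory SQLite version of the compteur and roles tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table compteur (id integer primary key, "
                 "MouvrageID int not null, label text)")
    conn.execute("create table roles (record_id int not null, "
                 "Username text not null, Role text, "
                 "primary key (record_id, Username))")
    conn.executemany("insert into compteur values (?, ?, ?)", RECORDS)
    conn.executemany("insert into roles values (?, ?, ?)", ROLES)
    return conn


def records_with_role(conn, username):
    """The delegate's __sql__() done safely: the username is a bound
    parameter, so it can never alter the join condition."""
    sql = ("select c.id, c.label, r.Role from compteur c "
           "left join roles r on (c.MouvrageID = r.record_id and r.Username = ?) "
           "order by c.id")
    return conn.execute(sql, (username,)).fetchall()


def records_with_role_unsafe(conn, username):
    """The concatenating form from the thread, kept only to show the failure:
    a username such as  x' or '1'='1  makes the ON clause always true, so every
    roles row (and every role) is attached to every record."""
    sql = ("select c.id, c.label, r.Role from compteur c "
           "left join roles r on (c.MouvrageID = r.record_id and r.Username = '"
           + username + "') order by c.id")
    return conn.execute(sql).fetchall()


def get_permissions(user, record):
    """Mirror of tables_compteur::getPermissions(). `user` is a dict or None;
    `record` is a dict carrying the grafted Role column, or None for a new
    record that has no row (and therefore no roles row) yet."""
    if user and user.get("isadmin") == 1:
        return role_permissions("ADMIN")
    role = record.get("Role") if record else None
    if role in ("SUPERUTILISATEUR", "OPERATEUR"):
        return role_permissions(role)
    # No roles row for this user and record: this is also the new-record case,
    # which is why 'new' must be granted by some role if users may add records.
    return role_permissions("PAS ACCES")


if __name__ == "__main__":
    conn = build_db()
    print(records_with_role(conn, "alice"))
    print(records_with_role_unsafe(conn, "x' or '1'='1"))
```

With the bound parameter, the injected username simply matches no roles row and every record comes back with Role NULL, i.e. PAS ACCES. With the concatenated form the same username attaches alice's SUPERUTILISATEUR row to records she has no relation to, which is a privilege escalation, not just a syntax error. The new-record case shows the error silma hit: with no roles row the resolver falls through to PAS ACCES, which grants only list, so "new" is absent until the operator role (which extends OWNER) applies.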

