roles/permissions question

A place for users and developers of the Xataface to discuss and receive support.

Postby shannah » Mon Feb 19, 2007 11:53 am

What version of Dataface are you using?
--
Steve Hannah
@shannah78 (on twitter)
sjhannah.com blog
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby maxmokeyev » Mon Feb 19, 2007 12:42 pm

0.6.13r4
maxmokeyev
 
Posts: 9
Joined: Wed Dec 31, 1969 5:00 pm

Postby shannah » Mon Feb 19, 2007 1:03 pm

Circumstances where $record should be null:
1. Dataface is checking permissions for the whole table. (Many of the actions along the top bar have associated calls to getPermissions with a null record).

2. If the result set is empty (i.e. it says no records matched your request).

Your getPermissions method will be called several times per page load to check permissions on different things. Many times $record will be null, but if there are any records in the found set, there should be at least a few calls where $record is not null.

If you are sure that $record is always null and it should not be, then this is very strange indeed.
--
Steve Hannah
@shannah78 (on twitter)
sjhannah.com blog
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby maxmokeyev » Mon Feb 19, 2007 1:23 pm

Well, I am not sure that it is, but that's what it seems like it. If I log in as admin, I get full access, if I log in as not admin, I get No Access. But there are definately records returned. (One thing, I am using a view instead of a table, but I don't see how that would change anyhting).

The other issue, is that the last "if" statement come back with an error. And I can't figure out why.
maxmokeyev
 
Posts: 9
Joined: Wed Dec 31, 1969 5:00 pm

Postby maxmokeyev » Mon Feb 19, 2007 1:58 pm

I changed the line for non-admin users to have read only access if the record is null. When I log in as a regular user, I see all the records with "NO ACCESS" in all the fields. Only the ones that belong to the user (after filtering) show me the information and allow to edit it. (still cannot add records though).
When I click on the on of the "NO ACCESS" records. I get the following:
"On line 324 of file C:\Program Files\apache\htdocs\vtigerCRM\DataFace\Dataface\PermissionsTool.php in function printStackTrace()
On line 341 of file C:\Program Files\apache\htdocs\vtigerCRM\DataFace\Dataface\PermissionsTool.php in function namesAsArray()
On line 794 of file C:\Program Files\apache\htdocs\vtigerCRM\DataFace\Dataface\Application.php in function namesAsString()
On line 1161 of file C:\Program Files\apache\htdocs\vtigerCRM\DataFace\Dataface\Application.php in function handleRequest()
On line 5 of file C:\Program Files\apache\htdocs\vtigerCRM\contacts\index.php in function display()

Warning: Invalid argument supplied for foreach() in C:\Program Files\apache\htdocs\vtigerCRM\DataFace\Dataface\PermissionsTool.php on line 326

Warning: implode() [function.implode]: Bad arguments. in C:\Program Files\apache\htdocs\vtigerCRM\DataFace\Dataface\Application.php on line 796"

And then the regular screen with
"
Errors

* Permission to perform action 'view' denied.
Requires permission 'view' but only granted ''.

"
maxmokeyev
 
Posts: 9
Joined: Wed Dec 31, 1969 5:00 pm

Postby shannah » Mon Feb 19, 2007 2:50 pm

One thing to be sure of is that your getPermissions method always returns something.
I.e. add a line at the end of your getPermissionsMethod to catch all other cases:
return Dataface_PermissionsTool::NO_ACCESS();

Another thing:
To avoid the list view from showing you all the records that you cannot access, you can use security filters. http://framework.weblite.ca/documentation/how-to/security_filters

Best regards

Steve
--
Steve Hannah
@shannah78 (on twitter)
sjhannah.com blog
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby maxmokeyev » Wed Feb 21, 2007 4:07 am

Thanks for your help. Will keep playing with it to see if I can get the results I need.
maxmokeyev
 
Posts: 9
Joined: Wed Dec 31, 1969 5:00 pm

Postby geller » Wed Feb 21, 2007 5:37 pm

Can you give me a pointer as to why with my getPermissionsMethod I cannot insert new records!

I have narrowed it down to the ' return' 'READ_ONLY' part of the statement in the following line


if ( $record->val('UserID') == $user->val('UserID') ) return Dataface_PermissionsTool::ALL();
// otherwise we give read only access
return Dataface_PermissionsTool::READ_ONLY();


not sure how to get round this?
geller
 
Posts: 26
Joined: Wed Dec 31, 1969 5:00 pm

Postby shannah » Thu Feb 22, 2007 2:10 pm

Check out the example in the submission form tutorial (http://framework.weblite.ca/documentation/tutorial/submission_forms/permissions).

It shows you how to test for certain actions (e.g. -new : inserting new records) to provide special permissions in those cases.

-Steve
--
Steve Hannah
@shannah78 (on twitter)
sjhannah.com blog
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby geller » Sun Feb 25, 2007 4:13 pm

I have added the following statement:-

if ( $query['-action'] == 'new' && $record->val('UserID') == $user->val('UserID'))
return Dataface_PermissionsTool::ALL();

And tested for $record->val('UserID') and $user->val('UserID') when inserting a record.I am still only getting read only permission suggesting the above statement is false?

Yet if I change the return action (just for arguments sake) to NO_ACCESS then the above statement appears to be true as I get permission denied?

function getPermissions(&$record){
// first get the currently logged in user
$auth =& Dataface_AuthenticationTool::getInstance();
$user =& $auth->getLoggedInUser();
$app =& Dataface_Application::getInstance();
$query =& $app->getQuery();
// if no user is logged in, then we give no access
if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
//echo $user->val('Role'); exit;

// Allows delete all function
if (is_null($record) && $user->val('Role') == 'ADMIN' ) return Dataface_PermissionsTool::ALL();

// insert new record stuff

//echo $user->val('UserID');
//echo $record->val('UserID');

if ( $query['-action'] == 'new' && $record->val('UserID') == $user->val('UserID'))
return Dataface_PermissionsTool::ALL();

if ( !($record)) {
return Dataface_PermissionsTool::READ_ONLY();
}

// If the logged in user has the same UserID as the restaurant, then
// this user is the owner of the restaurant.. he has full permissions.
if ($record->val('UserID') == $user->val('UserID') ) return Dataface_PermissionsTool::ALL();
// otherwise we give read only access

return Dataface_PermissionsTool::READ_ONLY();
}

Graham
geller
 
Posts: 26
Joined: Wed Dec 31, 1969 5:00 pm

Postby shannah » Tue Feb 27, 2007 1:00 pm

The problem you're experiencing is due to the fact that if you are inserting a new record, you won't be interested in the value of $record, because you're inserting a record and hence the record you are working on doesn't yet exist. Realistically $record should be null when inserting a new record, but I think that it is actually giving you the first record in the result set. Best to just ignore it in this case as it won't be giving you what you want.

Best regards

Steve
--
Steve Hannah
@shannah78 (on twitter)
sjhannah.com blog
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: roles/permissions question

Postby sworden » Thu Mar 22, 2012 11:21 am

What is the easiest way to alter this code from a previous post.
shannah wrote:What you may want to try here is putting some output in certain places of your function so that you can see which logic path is being followed. (e.g. echo "here now")

As far as your permission denied error, I suspect that it is not even reaching the if ( $user and $user->val('role') == 'ADMIN'){
code. Likely isset($record) is true, so your if (!isset($record) ) gets stepped over.

In fact, unless there is a typo in the code you just pasted, it looks like you're missing a closing brace before if ( isset($record) ) because that if statement falls inside the previous if (!isset($record)) statement - which doesn't make a lot of sense.

Code: Select all
class conf_ApplicationDelegate {

    function getPermissions(&$record){
        $app =& Dataface_Application::getInstance();
        $query =& $app->getQuery();
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $app->getLoggedInUser();
       
        // IF user is not logged in, he gets no access
        if (!$user ) return Dataface_PermissionsTool::NO_ACCESS();
       
        // Admins get full access
        if ( $user->val('role') == 'ADMIN' ) return Dataface_PermissionsTool::ALL();

        // Users can edit their own records
        if ( $record and $record->val('owner') == $user->val('UserName') )
            return Dataface_PermissionsTool::ALL();

        // In all other cases, there is NO ACCESS
        return Dataface_PermissionsTool::NO_ACCESS();
       
    }


The above function does what you indended and it avoids problems with null $records and null $users.


to do the following:
In my database I have admins, mentors, and students. Currently, the admins have the ADMIN role, mentors have the EDIT role, and students have the READ-ONLY role. I would like the mentors to be able to view, add, and edit records for students that they are mentoring, but only view records for students they are not mentoring. Currently, this relationship is defined in the "applicants" table where the "mentor_id" field is a foreign key.

I think this code is close to what I want to do, but not quite there.
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Previous

Return to Xataface Users

Who is online

Users browsing this forum: No registered users and 20 guests

cron
Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved