[Solved] Groups & Permissions Questions

[silma]

Hello,

First of all, please do not pay attention to my poor english...

Thank you for this application It work like a charm, and the documentation is really useful.


I still have a few questions regarding users permissions.
I've searched the forum, but I didn't find what I'm looking for.


I need 3 levels of permissions, and i've got trouble whith the third.

1- Admin : all access to everything
2- Users : all Access to their own records
3- Super Users : read access to the record of some of the users (but not all)

For exemple :
Super user 1 : access to the records of Users A, B D
Super User 2 : access to the records of Users C, E,F

I'm afraid that what I would really need is not a "belong to" relationship, like we do with an "owner_id" on each table, but a "many to many" relationship, and I don't know how I could do that whith the setSecurityFilter.

Or maybe am I completely wrong, and there's a much more simple way to do it ?

Can you give me a hint ?

[shannah]

This isn't terribly difficult to do, but you need to take care to consider performance very carefully.

One way to do it is to create a table to track the relation between super user and record.

e.g.

Code: Select all

create table roles (
   record_id INT(11) not null,
   username varchar(32) not null,
   role enum('REGULAR USER', 'SUPER USER'),
   primary key (record_id,username)
);


Then you create a relationship from your table to this roles table:

Code: Select all

[roles]
    __sql__ = "select * from roles where record_id='$record_id'"


Then you can graft a column onto your records table to track the current user's role. Normally we would just implement the __sql__ parameter in the fields.ini file, but in this case the sql query depends on the logged in user, so we'll implement the __sql__() method in the delegate class instead:

Code: Select all

function __sql__(){
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    $username = '';
    if ( $user ) $username = $user->val("username");
    return "select rec.*, ro.role from records rec left join roles ro on (rec.record_id=ro.record_id and ro.username='".$username."')";
}


So now your records table effectively has a column called 'role' that specifies the current user's role with respect to the record.

You can then easily define your getPermissions method on the records table as follows:

Code: Select all

function getPermissions(&$record){

    if ( $record and $record->val('role')=='SUPER USER' ){
        // return super user permissions
    } else {
        // return different permissions (non super user).
    }



Hopefully this helps.

Note there are other strategies to achieve this goal, but keep in mind, for any strategy you should try to keep your getPermissions() method lean because it could be called hundreds of times per request.

-Steve

[silma]

Thanks a lot for this quick reponse, I'll try that !

[silma]

Hello,

It gave me some work to understand it well, but your solution is now working on my locahost, so, thanks again !

I still have an issue, that maybe come from the left join:

I cannot add record anymore in the table where the permissions system works.

When I choose "add record", there only the "register" button that appear, not the fields.

And , of course, if I try to push the button register it tells me "Could not insert record "NO ACCESS" from table "mytable" because you have insufficient permissions", which is logical : i have not set role for records that doesn't exist...

I'll continue to search

[shannah]

Make sure that your role includes the 'new' permission.

[fongchun]

Can you post your revelant code? As in what table as the permissions, etc?

[silma]

Hello,

In fact, I've made two mistakes : One in my function getPermissions, with the "return" statement, and the other in choosing the role I extended. (Owner)


It's too early to declare victory, but it seems to work by now.

I'll try to extend this permission systeme to all my app and make some tests.

When I'll be sure everything is fine, i'll post my code here : if somebody has the same need, it may help.

Thanks again !

Edit : i realized i forgot to post the code before so here it is :

The Role table is as described by Steve.

Others table should have a field that indicates their membership, mine is "MouvrageID"


in the table delegate class :

Code: Select all

class tables_compteur {


    function __sql__(){
      $auth =& Dataface_AuthenticationTool::getInstance();
      $user =& $auth->getLoggedInUser();
      $username = '' ;

        if ( $user ) $username = $user->val("Username");

        return "select compteur.*,roles.Role FROM compteur LEFT JOIN roles  ON (compteur.MouvrageID=roles.record_id and roles.Username='".$username."')"; 
   }
   

   function getPermissions(&$record){

      $auth =& Dataface_AuthenticationTool::getInstance(); $user =& $auth->getLoggedInUser();
      if ( $user and $user->val('isadmin')==1 ){
         return   Dataface_PermissionsTool::ALL();   }
      else if ( $record and $record->val('Role')=='SUPERUTILISATEUR' ){
         return  Dataface_PermissionsTool::getRolePermissions('SUPERUTILISATEUR');   }
      else if ( $record and $record->val('Role')=='OPERATEUR' ){
          return Dataface_PermissionsTool::getRolePermissions('OPERATEUR');   }
          else {
           return   Dataface_PermissionsTool::getRolePermissions('PAS ACCES');   }


   }
}


Permission ini

Code: Select all

[SUPERUTILISATEUR extends READ ONLY]

[VOIR extends READ ONLY]

[OPERATEUR extends OWNER]
delete found=1

[ADMINISTRATEUR extends ADMIN]

[PAS ACCES extends NO ACCESS]
list=1