
"My preferences" not working

Posted: Tue Jul 21, 2009 1:21 pm
by Byte
Hi Steve,

I keep finding nasty things...
When I click on the "My Profile" link I keep getting this info:
"Permission denied because this table has been disallowed in the conf.ini file".

The thing is that I included the users table in the conf.ini to be able to see it, but my guess is that using a table as permission table locks it somehow?

The problem is that nobody can even change their passwords and as Super-Admin I can't see all registered users. Is there any smart way to solve that?

Thanks

Posted: Tue Jul 21, 2009 2:30 pm
by shannah
What is the name of your users table?

Posted: Tue Jul 21, 2009 11:33 pm
by Byte
"dataface__users", so that it matches the other df-tables schema...

Posted: Tue Jul 21, 2009 11:43 pm
by shannah
Ok that's why. Xataface has a security mechanism built in to prevent access to tables that start with dataface__. You can override this with the [_allowed_tables] section in your conf.ini file.

See http://xataface.com/documentation/how-t ... low_tables

In your case you would do

Code:
[_allowed_tables]
rule1=dataface__users

Posted: Tue Jul 21, 2009 11:45 pm
by Byte
Hi Steve,

After your question I immediately tried to rename the table and it worked :-)
But I will use your "workaround" and it will work just fine.

Another related question: I don't want the regular users to change their role, but as Admin I want to be able to do that. I am sure you already have a great piece of code/advice for doing that...

Posted: Wed Jul 22, 2009 9:30 am
by shannah
Xataface gives you fine grained permissions over individual fields by way of the permissions__fieldname() methods.

e.g.

Code:
function permissions__role(&$record){
    if ( !isAdmin() ) return array('edit'=>0,'new'=>0);
    return null;
}


This snippet assumes that you have defined a function somewhere that tells whether the current user is an admin (isAdmin()).

If the user is not an admin it returns an array that says that the user cannot edit this field - nor can they edit it on the new form.

For admin users this returns null, meaning just use the default permissions (as defined in the getPermissions() method or elsewhere).

-Steve
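
Added example (not part of the original posts and not the project's own code): one way to write the isAdmin() helper that the snippet above assumes, placed next to the field-level rule in the table's delegate class. It assumes the users table has a `role` column and that the value 'ADMIN' marks administrators; both are assumptions to adapt to your schema.

```php
<?php
// Global helper, e.g. in a file included from your application's index.php.
// Assumption: the logged-in user's record has a "role" column and the
// value 'ADMIN' identifies administrators.
function isAdmin(){
    $auth = Dataface_AuthenticationTool::getInstance();
    $user = $auth->getLoggedInUser();
    // Fail closed: nobody logged in means "not an admin".
    if ( !$user ) return false;
    return $user->val('role') === 'ADMIN';
}

// Delegate class for the users table:
// tables/dataface__users/dataface__users.php
class tables_dataface__users {
    // Field-level rule for the "role" column only.
    function permissions__role(&$record){
        // Non-admins may not set the role on the edit form or the new form.
        if ( !isAdmin() ) return array('edit'=>0, 'new'=>0);
        // Admins: fall back to the default (record-level) permissions.
        return null;
    }
}
```

Because isAdmin() returns false when no user record is available, an anonymous or expired session is treated the same as a regular user for this field.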

Posted: Wed Jul 22, 2009 11:24 am
by Byte
works great, thanks a lot!