
Related record permissions problems

Posted: Wed Jan 26, 2011 12:10 am
by ururk
Let's say I have three tables - people, cars, houses

cars & houses are defined as having a relationship with people (e.g., people can have multiple cars, houses) in people/relationships.ini

OWNERS in the system have access to people, cars, but should not have access to houses
ADMINS should have access to all tables

So... I have a table class defined on houses:

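Code:
// Delegate class method for the houses table: admins get the ADMIN role,
// everyone else gets no access to the table.
function getPermissions(&$record){
    if ($this->isAdmin()) {
        return Dataface_PermissionsTool::getRolePermissions('ADMIN');
    }

    return Dataface_PermissionsTool::NO_ACCESS();
}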


If I go to the URL (as an OWNER):

Code:
?-table=houses


I get a permission denied error (correct).

But if I look at a person record, I see a tab for houses, and clicking on the tab allows me to add a related record to the table.

So... is this expected? What could I be doing wrong?

Thanks!

Re: Related record permissions problems

Posted: Wed Jan 26, 2011 12:24 am
by shannah
The houses relationship will be dictated by the permissions on the person table. There are a number of permissions pertaining to relationships, e.g. add new, add existing, view related, etc. See the permissions.ini file for a list. You can override per relationship too.

Re: Related record permissions problems

Posted: Wed Jan 26, 2011 12:44 am
by ururk
shannah wrote: The houses relationship will be dictated by the permissions on the person table. There are a number of permissions pertaining to relationships, e.g. add new, add existing, view related, etc. See the permissions.ini file for a list. You can override per relationship too.

Got it:

permissions.ini:

Code:
access_houses = Access to house information

[OWNER extends OWNER]
   access_houses=0


And in relationships.ini:

Code:
[houses]
action:label="Houses"
action:permission=access_houses
house.ID = "$ID"

Re: Related record permissions problems

Posted: Wed Jan 26, 2011 12:51 am
by shannah
This will hide the tab but it doesn't cut off the ability to add or remove records from this relationship if they know the URLs to access the appropriate forms. You need to revoke the relationship permissions. Check out the Xataface permissions.ini file to see which permissions I'm talking about.

Re: Related record permissions problems

Posted: Wed Jan 26, 2011 12:27 pm
by shannah
I have added some documentation on relationship permissions to the wiki.
http://xataface.com/wiki/Relationship_Permissions

Hopefully this helps a little.
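
Added example (not from any poster in this thread and not Xataface's own code): one way to revoke the relationship permissions for houses only, so that hiding the tab is backed by a server-side denial while the cars relationship is left alone. It assumes Xataface's per-relationship delegate hook `rel_<relationship>__permissions`, that its return value is layered over the people record's permissions, the relationship permission names from the stock permissions.ini, and a hypothetical `role` column on the users table; check each against your installed version.

```php
<?php
// Added example: delegate class for the people table
// (conventionally tables/people/people.php).
class tables_people {

    // Hypothetical helper. Assumes the users table has a 'role' column
    // holding the role name; adjust to your own schema.
    function isAdmin() {
        $auth = Dataface_AuthenticationTool::getInstance();
        $user = $auth->getLoggedInUser();
        return $user && $user->val('role') == 'ADMIN';
    }

    // Assumed hook name: rel_<relationship name>__permissions.
    // Assumed semantics: the returned array overrides the people record's
    // permissions only when the request acts on the "houses" relationship,
    // so "cars" keeps whatever the OWNER role grants.
    function rel_houses__permissions(&$record) {
        if ($this->isAdmin()) {
            return array(); // no overrides for admins
        }
        return array(
            // Custom permission from the thread: hides the Houses tab.
            'access_houses'               => 0,
            // Relationship permissions: deny the actions themselves, so a
            // direct request for the forms is refused as well.
            'view related records'        => 0,
            'add new related record'      => 0,
            'add existing related record' => 0,
            'remove related record'       => 0,
            'delete related record'       => 0,
        );
    }
}
```

To confirm the change, log in as an OWNER and request the add and remove forms for the houses relationship directly rather than through the tab; each should return the same permission denied error as `?-table=houses`.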