search index permissions
Posted: Wed Nov 09, 2011 11:37 am
The global search (top right corner search) results seem to be ignoring permissions and showing things based on the permissions of the person who rebuilt the index rather than the person who is doing the search. (Since my update from 1.2.5 to 1.3.x)
Access to the actual tables follows the permissions correctly... it's just the global search index that is giving me problems.
Here is my permissions set up:
permissions.ini
Code:
    [STAFF extends OWNER]

    [FINANCE extends STAFF]
    manage_build_index=1
    manage_output_cache=1
finances.php (access to the finances table, which is indexed, should only be for those with a FINANCE role)
Code:
    function getPermissions(&$record){
        $auth =& Dataface_AuthenticationTool::getInstance();
        // $user is a Dataface_Record encapsulating the currently logged in user.
        $user =& $auth->getLoggedInUser();
        // first let's deal with the case that the user is not logged in.
        if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
        if ( $user->val('Role') == 'FINANCE' ) return Dataface_PermissionsTool::ALL();
        return Dataface_PermissionsTool::NO_ACCESS();
    }
If I rebuild the index from a user logged in with the MANAGER role, it shows NO ACCESS, NO ACCESS for the "finances" tab of the global search results... (for any user)
If I rebuild the index from a user logged in with the FINANCE role, it shows all the finances data in the "finances" tab of the global search results... (for any user!!! - I want to limit that to only users with the FINANCE role)
Permissions are checked in the ApplicationDelegate.php
Code:
    function getPermissions(&$record){
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();
        // if the user is null then nobody is logged in... no access.
        // This will force a login prompt.
        if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
        if ($user->val('Role')<>'')
            $role = $user->val('Role');
        else
            $role = 'READ ONLY';
        // Returns all of the permissions for the user's current role.
        return Dataface_PermissionsTool::getRolePermissions($role);
    }
Thanks!
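The behaviour described in the post, as an added example that is not part of the original post and is not Xataface code: a self-contained PHP model of an index whose content is fixed by the permissions of whoever rebuilt it, next to a search that checks each hit against the searching user's role. The function names (canView, buildIndexAs, search) and the sample rows are hypothetical and constructed for this illustration.

```php
<?php
// Added illustration: a self-contained model, not Xataface code.
// All function names and the sample rows are constructed for this example.
$records = [
    ['table' => 'finances', 'text' => 'Q3 payroll budget'],
    ['table' => 'projects', 'text' => 'Q3 roadmap budget'],
];

// Same rule as the post's finances.php: only the FINANCE role sees finances.
function canView(string $role, string $table): bool
{
    return $table !== 'finances' || $role === 'FINANCE';
}

// Symptom: the permission check runs once, as the user rebuilding the index,
// and its outcome is frozen into what every later searcher is shown.
function buildIndexAs(array $records, string $builderRole): array
{
    $index = [];
    foreach ($records as $r) {
        $visible = canView($builderRole, $r['table']);
        $index[] = $r + ['display' => $visible ? $r['text'] : 'NO ACCESS'];
    }
    return $index;
}

// Search the index. With $searcherRole = null the searcher is never checked
// (the reported behaviour); with a role, each hit is authorised per searcher.
function search(array $index, string $term, ?string $searcherRole = null): array
{
    $hits = [];
    foreach ($index as $e) {
        if (stripos($e['text'], $term) === false) {
            continue;
        }
        if ($searcherRole !== null && !canView($searcherRole, $e['table'])) {
            continue; // drop hits this searcher may not view
        }
        $hits[] = $e['table'] . ': ' . $e['display'];
    }
    return $hits;
}

$index = buildIndexAs($records, 'FINANCE');   // index rebuilt by a FINANCE user
print_r(search($index, 'budget'));            // searcher's role never consulted
print_r(search($index, 'budget', 'MANAGER')); // per-searcher check, MANAGER
print_r(search($index, 'budget', 'FINANCE')); // per-searcher check, FINANCE
```

In this model the per-searcher check only gives correct results when the index was built in a context that can read every table; an index rebuilt as MANAGER still stores NO ACCESS for the finances row.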