
How to set permissions at the table level

Posted: Thu Jan 05, 2012 8:59 pm
by rleyba
Hi Steve,

I have implemented authentication and permissions in my application and everything is working as it should. The ROLES are simple, an Admin user which has all rights, and a NORMAL user which has READ ONLY access to all tables.

I have a requirement wherein I need a third user which has ADMIN rights to only ONE of the tables but READ ONLY for all the rest.

My Application Delegate Class looks like this.

Code:
<?php
/**
* A delegate class for the entire application to handle custom handling of
* some functions such as permissions and preferences.
*/
class conf_ApplicationDelegate {
    /**
     * Returns permissions array.  This method is called every time an action is
     * performed to make sure that the user has permission to perform the action.
     * @param record A Dataface_Record object (may be null) against which we check
     *               permissions.
     * @see Dataface_PermissionsTool
     * @see Dataface_AuthenticationTool
     */
     function getPermissions(&$record){
         $auth =& Dataface_AuthenticationTool::getInstance();
         $user =& $auth->getLoggedInUser();
         if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
             // if the user is null then nobody is logged in... no access.
             // This will force a login prompt.
         $role = $user->val('Role');
         return Dataface_PermissionsTool::getRolePermissions($role);
             // Returns all of the permissions for the user's current role.
      }
}
?>


The table delegate class of the table that the power user is to have admin rights to looks like this:

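Code:
<?php

class tables_Assignments {

    function getPermissions(&$record){
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();
        // Nobody logged in: no access (avoids calling val() on a null user).
        if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();

        if ( $user->val('UserName') == 'MrKim' ){
            // MrKim gets full rights on the Assignments table.
            return Dataface_PermissionsTool::getRolePermissions('ADMIN');
        } else {
            return Dataface_PermissionsTool::getRolePermissions('READ ONLY');
        }
    }

}

?>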


I don't have any table delegate classes defined in any other table as I would like the application delegate to have the default permissions/roles in the other tables. My observation is that once the MrKim user logs in and selects other tables he gets READ ONLY access privileges which is well and good. Once he selects the "Assignments" table tab, the table's getPermissions function kicks in and he becomes ADMIN for the table, which is just what I wanted. The issue is once he then selects other tabs, he retains these ADMIN privileges everywhere. How do I restrict him to be ADMIN only in the "Assignments" table and then be READ ONLY everywhere else?

Thanks and regards.

Re: How to set permissions at the table level

Posted: Fri Jan 06, 2012 12:54 am
by Jean
Hi,

It is easy to set up, you just have to put a permissions.ini file in each table directory with this kind of code:

Code:
[REFERENT extends OWNER]
view=1
edit=0
delete=0

[VISITEUR extends READ ONLY]
view=1


Use generic roles or your own roles.

Cheers

Jean

Re: How to set permissions at the table level

Posted: Tue Jan 10, 2012 10:52 pm
by rleyba
Hi Jean,

Sorry for the late reply. Thanks very much for your info. I have created the role in my USER table and called the role LAN. I have created a user David and assigned him this LAN role.

I have created a permissions.ini file in my LAN table directory and the contents of that file are

[LAN extends ADMIN]

However, when I log in to the application using the user "David" (whose role is LAN) or any other user, I get the message:

Fatal error: The role 'LAN' is not a registered role. in /var/www/html/xataface-1.2.6/Dataface/PermissionsTool.php on line 354

Once I edit the USER table and remove this role, then everything works fine again.

Is there another place where I should create the LAN role, aside from the USERS table?

Thanks and regards,

Re: How to set permissions at the table level

Posted: Tue Jan 10, 2012 11:12 pm
by rleyba
...also...my ApplicationDelegate.php file looks like this:

Code:
[root@integra conf]# cat ApplicationDelegate.php
<?
/**
* A delegate class for the entire application to handle custom handling of
* some functions such as permissions and preferences.
*/
class conf_ApplicationDelegate {
    /**
     * Returns permissions array.  This method is called every time an action is
     * performed to make sure that the user has permission to perform the action.
     * @param record A Dataface_Record object (may be null) against which we check
     *               permissions.
     * @see Dataface_PermissionsTool
     * @see Dataface_AuthenticationTool
     */
     function getPermissions(&$record){
         $auth =& Dataface_AuthenticationTool::getInstance();
         $user =& $auth->getLoggedInUser();
         if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
             // if the user is null then nobody is logged in... no access.
             // This will force a login prompt.
         $role = $user->val('Role');
         return Dataface_PermissionsTool::getRolePermissions($role);
             // Returns all of the permissions for the user's current role.
      }
}
?>

[root@integra conf]#


I am not sure at what stage Xataface reloads the USER table to tell the application that a new ROLE has been defined.

Thanks again.

Re: How to set permissions at the table level

Posted: Wed Jan 11, 2012 2:05 pm
by shannah
Any roles that are assigned via the ApplicationDelegate class should be defined in the global permissions.ini file. The table permissions.ini files are only loaded if the user is viewing that table or a record of that table is loaded.

Alternatively you could reference this role in the table's delegate class's getPermissions() method. This would ensure that the table's permissions.ini file would have been loaded.
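
An added example (not part of the reply above and not the Xataface project's own code) of the arrangement it describes, using the LAN role and LAN table from this thread: the role is registered in the global permissions.ini so it resolves on every table, and it is raised to ADMIN only inside the LAN table's delegate. The file locations in the comments and the choice to check the role rather than a user name are assumptions.

```php
<?php
// Added example. Assumed layout:
//   <app>/permissions.ini        global file, always loaded
//   <app>/tables/LAN/LAN.php     this table delegate class
//
// The global permissions.ini registers the role, so the application
// delegate's getRolePermissions('LAN') resolves on every table and the
// role is read-only by default:
//
//   [LAN extends READ ONLY]
//
class tables_LAN {
    function getPermissions(&$record){
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();
        // Nobody logged in: deny, which forces the login prompt.
        if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();

        $role = $user->val('Role');
        // Elevate by role, not by a hard-coded user name, and only here:
        // this method is consulted for the LAN table and its records.
        // The strict comparison fails closed if Role is not a string.
        if ( $role === 'LAN' ){
            return Dataface_PermissionsTool::getRolePermissions('ADMIN');
        }
        // Every other user keeps exactly what their own role grants.
        return Dataface_PermissionsTool::getRolePermissions($role);
    }
}
```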

Re: How to set permissions at the table level

Posted: Wed Jan 11, 2012 5:06 pm
by rleyba
Thanks Steve....understood. I created a global permissions.ini file and defined the new role there and it is working now.