
Restricting role permissions for some tables

Posted: Wed Mar 28, 2012 5:31 am
by sworden
I'm trying to restrict permissions for particular tables. For a few tables I want those with the EDIT role to only have READ-ONLY access. I tried various versions of extending permissions in a permissions.ini file in a particular table's folder but that did not work, I believe because I am actually restricting rather than extending. I tried this in that file as well:

[EDIT]
view = 1
edit = 0
new = 0

but nothing works. What am I missing?

Re: Restricting role permissions for some tables

Posted: Wed Mar 28, 2012 9:24 am
by shannah
I can't tell much from the information you provided in this post. Permissions involve both the definition of permissions (in the permissions.ini file) and the assignment of those permissions to users (in the delegate classes). At first glance, though, you probably don't want to be overriding the EDIT role with the one you provided here. Better to define your own role (which may extend the edit role), and then assign that role to users in your delegate class's getPermissions() or getRoles() method.

-Steve

Re: Restricting role permissions for some tables

Posted: Wed Mar 28, 2012 10:54 am
by sworden
OK. I've created a new role (COMMITTEE MEMBER) in my application's permissions.ini file. It is a copy of the READ ONLY role as defined in Xataface's permissions.ini file. I want to extend the role to essentially be an EDIT role for specific tables. I tried creating a permissions.ini file in the folder for a specific table:

#COMMITTEE MEMBER role is a copy of READ ONLY. It is extended for those tables where they have
#permission to edit data.
[COMMITTEE MEMBER extends COMMITTEE MEMBER]
edit = 1
add new related record = 1
add existing related record = 1
add new record = 1
remove related record = 1
reorder_related_records = 1
import = 1
translate = 1
new = 1
ajax_save = 1
ajax_form = 1
history = 1
edit_history = 1
copy = 1
update_set = 1
update_selected=1
select_rows = 1

but this seems to be ignored. What is the correct way to extend a role's permission for a particular table?

Re: Restricting role permissions for some tables

Posted: Wed Mar 28, 2012 11:13 am
by shannah
You need to reference this role from your getPermissions() or getRoles() method in order to use it.

e.g.
Code:
function getPermissions($record){
    return Dataface_PermissionsTool::getRolePermissions('COMMITTEE MEMBER');
}


Another note. If COMMITTEE MEMBER is just a copy of READ ONLY you could just define it as:
Code:
[COMMITTEE MEMBER extends READ ONLY]


Then you don't need to define all of the permissions.

-Steve

Re: Restricting role permissions for some tables

Posted: Wed Mar 28, 2012 11:28 am
by sworden
I've got this in my ApplicationDelegate.php:

function getPermissions(&$record){
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
    // if the user is null then nobody is logged in... no access.
    // This will force a login prompt.
    $role = $user->val('ROLE');
    return Dataface_PermissionsTool::getRolePermissions($role);
    // Returns all of the permissions for the user's current role.
}

and the role is being treated as read-only, so I assume it's working fine. The problem is extending the permission to essentially be an EDIT role for specific tables.

I'm sorry if I'm being a pain or not explaining things well. I'm new to PHP so I'm not always sure what is already known.

Re: Restricting role permissions for some tables

Posted: Wed Mar 28, 2012 12:53 pm
by sworden
I found the solution in this forum: http://xataface.com/forum/viewtopic.php?t=5508#26475

I set the COMMITTEE MEMBERS role back to having the same permissions as the EDIT role. Then I used this:
cantlep wrote: I've accomplished it with this in the table delegate class for "Users"
Code:
//Restrict Non-admin users to read only on the Users table
function getPermissions(){
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( $user and  $user->val('Role') != 'ADMIN' ){
        return Dataface_PermissionsTool::READ_ONLY();
    }
}


to restrict access to this table. I hope this helps someone else!

Stephanie
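
The least-privilege direction of the same technique, as an added example that is not part of the original posts or Xataface's own code: COMMITTEE MEMBER stays defined application-wide as `[COMMITTEE MEMBER extends READ ONLY]` and is raised to the EDIT permission set only in the delegate class of a table its members may edit. The table name `committee_minutes` and the `$elevated` map are hypothetical; the `ROLE` column, the role names and the API calls are the ones used in this thread.

```php
<?php
// tables/committee_minutes/committee_minutes.php
// Added example. 'committee_minutes' is a hypothetical table name.
// Assumes the application's permissions.ini contains:
//     [COMMITTEE MEMBER extends READ ONLY]
class tables_committee_minutes {

    // Hypothetical allowlist: role stored in the users table => role whose
    // permission set it borrows on THIS table only.
    private $elevated = array(
        'COMMITTEE MEMBER' => 'EDIT',
    );

    function getPermissions(&$record){
        $auth = Dataface_AuthenticationTool::getInstance();
        $user = $auth->getLoggedInUser();

        // Nobody logged in: no access, which forces the login prompt.
        if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();

        // A user row with an empty ROLE gets nothing rather than a guess.
        $role = $user->val('ROLE');
        if ( !$role ) return Dataface_PermissionsTool::NO_ACCESS();

        // Elevate only the roles named in the allowlist above.
        if ( isset($this->elevated[$role]) ){
            return Dataface_PermissionsTool::getRolePermissions($this->elevated[$role]);
        }

        // Every other role keeps the same permissions the application
        // delegate shown earlier in the thread would return.
        return Dataface_PermissionsTool::getRolePermissions($role);
    }
}
```

With this layout a table that has no delegate override stays read-only for committee members, so a newly added table is not editable until someone lists it deliberately.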

Re: Restricting role permissions for some tables

Posted: Wed Mar 28, 2012 1:15 pm
by shannah
I notice that you're not using your COMMITTEE MEMBERS role at all here. No point defining it if you're just going to use READ ONLY anyways.

Re: Restricting role permissions for some tables

Posted: Thu Mar 29, 2012 7:28 am
by sworden
True, I'm not using it to define any different permissions as I had initially thought I would, but the other two individuals with ADMIN privileges to this database are not as tech savvy so if I can make it easier for them to remember what roles individuals have using terms they're familiar with then it's worth it in the end.

Re: Restricting role permissions for some tables

Posted: Thu Mar 29, 2012 9:40 am
by shannah
Not only are you not defining different positions, it doesn't look like you're even using those roles in your application at all (unless I'm missing something). I.e. you could delete those roles from your permissions.ini file and it wouldn't make a difference in your app the way you currently have things set up.

-Steve