Xataface Forums

Hey guys,

I am editing the web auction for my own purposes. I am trying to get a new type of user within the software.

The difference between admin and edit will be which tables they can view. I found on this site how to hide tables by unloading them from the tables conf in getPreferences() but the thing is. I load the array to $tables and edit that but how does it have to go back into the conf?

Here is my code.

Code: Select all

    function getPermissions(&$record){
        $auth =& Dataface_AuthenticationTool::getInstance();
         $user =& $auth->getLoggedInUser();
         if ( !isset($user) ) return Dataface_PermissionsTool::READ_ONLY();
             // if the user is null then nobody is logged in... no access.
             // This will force a login prompt.
         $role = $user->val('role');
         return Dataface_PermissionsTool::getRolePermissions($role);
             // Returns all of the permissions for the user's current role.
      }
   
    }
   function block__custom_stylesheets(){
      echo '';
   }
   
   function block__after_application_menu(){
      
      $categories = $this->getCategoriesMenuOptions();
      df_display(array('categories'=>&$categories), 'categories_menu.html');
   
   }
   
   function block__before_main_column(){
      if ( isAdmin() ) {
         $sql = "select sum(bid_amount) from bids b where not exists ( select bid_id from bids b2 where b2.product_id=b.product_id and b2.bid_amount > b.bid_amount) and exists ( select product_id from products p where p.product_id=b.product_id)";
         $res = mysql_query($sql, df_db());
         list($amt) = mysql_fetch_row($res);
         echo "

Total Bids Currently: \$".number_format($amt,2).'

';
      }
   }
   
   function getCategoriesMenuOptions(){
      $sql = "select p.product_id, pc.category_id, pc.category_name, count(*) as num from products p inner join product_categories pc on p.product_categories rlike concat('[[:<:]]',pc.category_id,'[[:>:]]') group by pc.category_id";
      $res = mysql_query($sql, df_db());
      $out = array();
      while ( $row = mysql_fetch_assoc($res) ) $out[] = $row;
      return $out;
   
   }
   
   function getPreferences(){
      $app =& Dataface_Application::getInstance();
      $query =& $app->getQuery();
      $tables =& $app->_conf['_tables'];
      print_r($tables);
      $auth =& Dataface_AuthenticationTool::getInstance();
      if ( !isset($user) ) {
      return Dataface_PermissionsTool::NO_ACCESS();
      unset($tables['products']);
      }
           $user =& $auth->getLoggedInUser();
            $role = $user->val('role');
      if ( $query['-table'] == 'products' and !isset($query['-sort']) ){
         $query['-sort'] = 'product_categories asc';
      }
      if ( $role == "ADMIN" ){
         return array('show_record_tree'=>0);
      } elseif ( $role == "EDIT"){
         unset($tables['products']);
      }else{
         return array(
            'show_tables_menu'=>0,
            'show_table_tabs'=>0,
            'show_record_tree'=>0,
            'show_record_tabs'=>0,
            'show_result_controller'=>0);
      }   
      closeAuctions();   
   }

Anyone see where i went wrong?

function getPreferences(){
$app =& Dataface_Application::getInstance();
$query =& $app->getQuery();
$tables =& $app->_conf['_tables'];
print_r($tables);
$auth =& Dataface_AuthenticationTool::getInstance();
if ( !isset($user) ) {
return Dataface_PermissionsTool::NO_ACCESS();
unset($tables['products']);
}
$user =& $auth->getLoggedInUser();
$role = $user->val('role');
if ( $query['-table'] == 'products' and !isset($query['-sort']) ){
$query['-sort'] = 'product_categories asc';
}
if ( $role == "ADMIN" ){
return array('show_record_tree'=>0);
} elseif ( $role == "EDIT"){
unset($tables['products']);
}else{

Ok... a couple of things. This line:

if ( !isset($user) ) {
return Dataface_PermissionsTool::NO_ACCESS();
unset($tables['products']);
}

Won't be doing exactly what you expect. This is the getPreferences method, not the getPermissions method. Returning Dataface_PermissionsTool::NO_ACCESS() won't be recognized as permissions. This method will return an array of preferences rather than permissions... so strike that little section.

Second thing:

if ( $role == "ADMIN" ){
return array('show_record_tree'=>0);
} elseif ( $role == "EDIT"){
unset($tables['products']);
}else{
return array(
'show_tables_menu'=>0,
'show_table_tabs'=>0,
'show_record_tree'=>0,
'show_record_tabs'=>0,
'show_result_controller'=>0);
}

Note that for the EDIT role you aren't returning anything. This method must return an array of preferences. It can be empty, but it must be an array.

You may want to change it to something like:

Code: Select all

if ( $role == 'EDIT' ) unset($tables['products']);
if ( $role == "ADMIN" or $role == 'EDIT' ){
         return array('show_record_tree'=>0);
      }else{
         return array(
            'show_tables_menu'=>0,
            'show_table_tabs'=>0,
            'show_record_tree'=>0,
            'show_record_tabs'=>0,
            'show_result_controller'=>0);
      }   


The other thing that should be noted here, is that removing 'products' from the tables menu doesn't actually affect permissions. It only hides the 'products' tab from the user. If the user were to manually ener ?-table=products in the url he could still access the products.

Permissions are handled by the getPermissions() method. If you want to deny users with the EDIT role access to the products table, then you would probably want to add a getPermissions() method to the products delegate class and limit access there.

-Steve

Oh ok thank you. So to deny access i would have to put something like this?

Code: Select all

getPermissions(){
$auth =& Dataface_AuthenticationTool::getInstance();
         $user =& $auth->getLoggedInUser();
         if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
         $role = $user->val('Role');
         if($role =='EDIT') return Dataface_PermissionsTool::NO_ACCESS();
}