Security? List by default? Relational display?

A place for users and developers of the Xataface to discuss and receive support.

Postby walterbyrd » Fri Apr 07, 2006 8:37 am

Does dataface have any kind of security features? For example, can I develop a application which displays a table, but does not allow editing? Can I disallow editing by field? Can I disallow editing by user? Can I disallow editing by feature - for example, allow somebody to insert a record, but not delete?

Also, on the demo site, the detail view is always shown by default. Can I change this so that the list view is shown by default?

I have been looking at application generators. Some, like AppGini and PHPMagic, use the term "relational" loosly. Neither of those generators allow me display a veiw of two joined tables. Would I be able to create such a display with dataface?

Thank you.
walterbyrd
 
Posts: 56
Joined: Wed Dec 31, 1969 5:00 pm

Postby shannah » Fri Apr 07, 2006 10:13 am

>Does dataface have any kind of security features

Yes. I have not documented these yet because the new version (0.6) which is in the works will be reworking this. The current version allows you to define permissions using delegate classes.

Define the method getPermissions(), or __permissions() (where is the name of the field) as follows:
Code: Select all
require_once 'Dataface/PermissionsTool.php';
/**
* Delegate class for the Profiles table.
*/
class tables_Profiles {


/**
* Returns an array of permissions allowed on the given record.
* @param $record Dataface_Record object on which the permissions are being granted.
* @return Array of permissions granted.
*/
function getPermissions(&$record){
    if ( $_SESSION['Username'] == $record->strval('Username') ) return Dataface_PermissionsTool::ALL();
    else return Dataface_PermissionsTool::READ_ONLY();
}

/**
* Sets the permissions on the PhoneNumber field.
* @param $record Dataface_Record object on which the permissions are being granted.
* @return Array of permissions granted.
*/
function PhoneNumber__permissions(&$record){
    if ( $_SESSION['UserLevel'] == 'reviewer' ){
        // Reviewers can read the phone number field but not edit it
        return Dataface_PermissionsTool::READ_ONLY();
    } else if ( $_SESSION['Username'] == $record->strval('Username') or $_SESSION['UserLevel'] == 'admin'){
        // The Profile's owner and administrators can read and edit the phone number field.
        return Dataface_PermissionsTool::ALL();
    } else {
        // Others cannot read or edit the phone number field.
        return array();
    }
}

}

** Note that in the above example the $_SESSION['...'] vars are not Dataface specific. It is assumed that you have done your own session handling to see who is logged in etc...

The new coming release of Dataface will include authentication support and much better permissions support. Currently there are only "View", "Edit", and "Delete" permissions. The new version will provide much more fine-grained permissions.

Note also, that the permissions have not been tested as fully as the rest of the system in the current version since they aren't "Officially" available. They are being used on a few production systems here but there may be some finer points that haven't been explored (for example, I can't recall, off the top of my head, whether table listings respect the "no read" permission.

*** Also note that the current version uses what I call "optimistic" permissions. Meaning that if you don't explicitly define permissions on a table, then ALL permissions are granted. The new version will allow you to turn on "pessimistic" permissions so that you have to explicitly grant access for the permission to be allowed.

--------------------------

>Can I change this so that the list view is shown by default?

Yes. Check out http://framework.weblite.ca/documentation/how-to/change_default_action for a current solution. The new version of dataface will allow you to set a default action in the conf.ini file.

-------------------------

>Neither of those generators allow me display a veiw of two joined tables.
>Would I be able to create such a display with dataface?

Right now you would be able to do this by way of relationships. You can define a relationship to be the results of any SQL query. A future version (maybe the next one or the one after that) will allow surogate views which will allow you to do this without having to "fake" a relationship. Also in the new version there will be a much more powerful custom actions and templating framework that will allow you to generate arbitrary views very easily. Stay tuned..


Thanks for your interest.
--
Steve Hannah
@shannah78 (on twitter)
sjhannah.com blog
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm


Return to Xataface Users

Who is online

Users browsing this forum: No registered users and 24 guests

cron
Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved