access control

A place for users and developers of the Xataface to discuss and receive support.

Postby shannah » Tue Nov 21, 2006 6:08 pm

Yes you are always able to make your own calls to whatever DB you want. The solution of switching dbs on the current database connection (suggested by Neil) would allow us to effectively change which database Dataface uses for all of its stuff.
--
Steve Hannah
@shannah78 (on twitter)
sjhannah.com blog
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby compudude86 » Wed Nov 22, 2006 11:51 am

i dont want to do the subdomain thing as its way too much trouble, mostly for the users who are 40-somethings who just learned about the computer not too long ago. the way i see it is the app would simply "know" by the login name, what database and table they should be locked in. most likely by adding a field to the users database with what database and table they should be in, unless the app is locked to one database, im not sure.
compudude86
 
Posts: 59
Joined: Wed Dec 31, 1969 5:00 pm

Postby compudude86 » Wed Nov 22, 2006 11:56 am

sorry, i shouldve clarified, by users database i mean the one that stores the usernames and passwords. i was also thinking if there is a way to use the user management that mysql offers that might work too
compudude86
 
Posts: 59
Joined: Wed Dec 31, 1969 5:00 pm

Postby shannah » Wed Nov 22, 2006 12:24 pm

First.. this is very possible and not difficult for an PHP programmer to develop in under a couple of hours. However it is difficult for me to give you a full "how-to" here because the implementation will depend on a lot of factors such as:

1. Are all of the databases identical in schema, with just different data stored?
2. Is it possible that a user may need to use both databases?

My inclination (still dependent upon the answers to the above questions) would be to have separate applications for each database. Then develop a custom login page that takes the username and password and forwards them to the correct application upon login.

If you would like a hand with this project or would like anything implemented, please feel free to contact me about my consulting services.

Best regards

Steve
--
Steve Hannah
@shannah78 (on twitter)
sjhannah.com blog
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby yusif » Wed Feb 07, 2007 11:59 am

Hi Steve,
This might be an old issue, but I just got into this problem. I really need a solution to the second case you specified i.e.
I want for different users, different tables to show first. Basically, I do not have the tabs in my setup. I use a link to access the tables. If a user logs in he should have access to the table meant for him to access not necessarily the first table in the conf.ini
Hope to here from you soon.
Regards
Yusif








Okay.. there are two issues to consider here.

>

1. Security - making sure that users cannot use the tables/records/fields that you don't want them to.

>2. Usability - making the applications flow work properly for the user at hand.



>On the security side of things, it is easy to "jail" a user. Simply define the getPermissions() methods on the three tables in such a way that the appropriate permissions are returned for each user. In your example above you would define the getPermissions() method for the A table as:



>


function getPermissions(&$record){

> $auth =& Dataface_AuthenticationTool::getInstance();

$user =& $auth->getLoggedInUser();

> / $user is a Dataface_Record encapsulating the currently logged in user.

>

// first let's deal with the case that the user is not logged in.

> if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();

if ( $user->val('userid') == 3 ) return Dataface_PermissionsTool::ALL();

>

// If i understand the specs correctly, then user 3 is the only one that can access table 'A' at all

> / so we revoke access to everyone else.

> return Dataface_PermissionsTool::NO_ACCESS();

}

>

[/code]

>

You would do similar things for the other tables to make sure that only authorized users can access them.

>

On the usability side, there are a number of things that you can do to tailor the application to your needs here.

>The permissions will help a lot, but you may end up with a situation where users see "Permission denied" alot. This is where you have to tell your application to be "smart".



>This is a fairly big topic that deserves a lot of space and discussion, but I'll begin by listing some of the more common hurdles:



>1. The table tabs at the top of the app show up the same for each user - what if you want some tables to be hidden for some users.

2. If no table is specified in the URL, then the user is always directed to the first table in the tables menu. What if you want this to depend on which user is logged in?

>3. The default action is 'list'. What if you want this to be different?

4. Some parts of the application may be confusing to some users, and are better hidden (e.g. how to hide the search box).

>



>There may be more issues but their solutions will be similar.



>Solutions:



>1. The table tabs, for performance reasons, are just statically generated.. they don't take into account any permissions. Of course if a user clicks on a table that he has no access to he'll receive a permission-denied error. So how do we get around this.

a. You could remove these tabs altogether. You can do this by defining a getPreferences() method in the Application's delegate class. This will return an associative array of preferences. see http://framework.weblite.ca/documentation/manual/delegate_classes for more on this.

> b. You could override this slot with your own tabs using the 'table_tabs' slot in the Application's delegate class.

e.g:

>


function block__table_tabs(){

> $auth =& Dataface_AuthenticationTool::getInstance();

$user =& $auth->getLoggedInUser();

> / ... now display table tabs depending on who is logged in.

>

}

>


>

.. more later.. i'm out of time for now....

>

Please let me know if there are particular aspects that you are more interested in so that I can target the response..

>

best regards

>

Steve

yusif
 
Posts: 28
Joined: Wed Dec 31, 1969 5:00 pm

Postby shannah » Wed Feb 07, 2007 1:34 pm

Hi Yusif,

You can specify which table is to be accessed by altering the query.Ê Do this in your index.php file sometime before you call $app->display()

eg.

if ( !isset($_REQUEST['-table']) ){

ÊÊÊ // Find out which table should be first based on who is logged in.. then set the value:

Ê Ê $query =& $app->getQuery();

Ê Ê $query['-table'] = 'mytable';

}


Something like that should work.


-SteveÊ

--
Steve Hannah
@shannah78 (on twitter)
sjhannah.com blog
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby yusif » Wed Feb 07, 2007 2:51 pm

Hi Steve,
I tried that but had this error

Fatal error: Undefined class name 'dataface_authenticationtool' in C:\Program Files\Apache Group\Apache2\htdocs\uwg\ePledge.php on line 8


my index.php looks like this


getLoggedInUser();
$rightTable = $user->val('Base');
$query =& $app->getQuery();
$query['-table'] = $rightTable;
}


$app->display();
?>

"Base" is a field in my users table which stores the table allowed to be viewed by the user.

-Yusif
yusif
 
Posts: 28
Joined: Wed Dec 31, 1969 5:00 pm

Postby shannah » Thu Feb 08, 2007 4:40 am

Evidently at that point in your app, the authentication tool class hasn't been loaded yet. So you can load it:
import('Dataface/AuthenticationTool.php');
--
Steve Hannah
@shannah78 (on twitter)
sjhannah.com blog
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby shannah » Thu Feb 08, 2007 11:03 am

Sorry.. this way won't work I realize because the user doesn't get authenticated until the call to $app->display().

Hence you have to put your code inside a method that will get called after authentication.

Here is what you need to do. Inside the getPreferences() method of the application delegate class, you can do your tests:

Code: Select all

function getPreferences(){
   $auth =& Dataface_AuthenticationTool::getInstance();
   $user =& $auth->getLoggedInUser();
   if ( $user ){
       $rightTable = $user->val('Base');
       $app =& Dataface_Application::getInstance();
       $query =& $app->getQuery();
       if ( $query['-table'] != $rightTable ){
            header('Location: '.$app->url('-table='.$rightTable));
            exit;

       }

   }
   return array();
}

--
Steve Hannah
@shannah78 (on twitter)
sjhannah.com blog
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: access control

Postby efren.serrano » Fri Apr 09, 2010 1:25 am

Hi Steven,

Thanks for share Xataface, is a great system to manage database.

I'm a newbbie learning how to build a multiuser system with xataface.
I was reading a lot of posts and learning with the wiki and samples in the web, but, in this point i don't know what is the better form to make that i want.

My case is this:

i have 4 roles with x users.
if my user don't have permissions to see the first table of the conf.ini file, i show one restricted notification "Permission to perform action 'list' denied" but i want to redirect and load the menu for this user, to access to all the tables that he can see.

If use the getPreferences method, only can see the 'Base' table.

¿What it's the better method to make this?

Thanks in advance
efren.serrano
 
Posts: 1
Joined: Thu Apr 08, 2010 10:07 am

Re: access control

Postby shannah » Fri Apr 09, 2010 6:48 am

Probably the best way to handle this would be to create a dashboard by way of making a common first table that everyone can see. There is a how-to in the wiki specifically showing how to do this.
You can override the table tabs with your own options using blocks and slots.
For permissions, don't need to do anything fancy. Just implement your getPermissions() methods (first in the application delegate class) to restrict access according to
your business rules.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Previous

Return to Xataface Users

Who is online

Users browsing this forum: No registered users and 40 guests

Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved