Preventing Users able to change their Role in My Profile

A place for users and developers of the Xataface to discuss and receive support.


Postby msergent » Mon Feb 16, 2009 10:42 am

I am sure I am doing something wrong; however, it seems that unless I limit my users to READ ONLY access versus EDIT or DELETE they can modify their profile and change their Role to whatever they want. I only want users in the ADMIN Role to be able to change user roles.

P.S. I have been using Xataface for a week now and I am amazed with the application. Still a lot to learn but it is a great application. Thank you for creating it.
_MarkS.
msergent
 
Posts: 13
Joined: Mon Feb 16, 2009 10:09 am
Location: Virginia

Postby shannah » Mon Feb 16, 2009 1:36 pm

This is where you would want to define permissions on your 'role' field.

E.g:
Code:
function role__permissions(&$record){
    // non-admins may not edit the 'role' field
    if ( !isAdmin() ) return array('edit'=>0);
    // null: fall back to the record-level permissions for this field
    return null;
}


What this does is override the permissions on the role field to ensure that anyone who is not an admin cannot edit the field. Otherwise this just returns null, meaning that Xataface will use the permissions defined for the whole record on this field.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby msergent » Mon Feb 16, 2009 9:03 pm

Steve,

I added this to the Users.php file which now looks like:
Code:
<?php
function role__permissions(&$record){
    if ( !isAdmin() ) return array('edit'=>0);
    return null;
}

class tables_Users {
    function getTitle(&$record){
        return $record->val('UserName').' UserName';
    }
}
?>


Is this correct? I think I must be doing something wrong because I still have the same problem.
_MarkS.
msergent
 
Posts: 13
Joined: Mon Feb 16, 2009 10:09 am
Location: Virginia

Postby shannah » Tue Feb 17, 2009 7:53 am

The role__permissions() method goes inside the delegate class. You currently have it outside the class.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm


Postby mikewassil » Tue Feb 17, 2009 6:14 pm

Whoaa! I just read this post and this is a potential security hole big enough to drive a truck through!

No one, except the admin, should be able to see anyone else's profile settings, let alone edit them. If I log into my little demo site as Joe User I can see not only my profile but the admin profile in its entirety. This should not be able to happen. No one should be able to see the admin's login name, role or anything else about admin.

I just added this little bit of code from another post about your auction app to /tables/users/users.php:
Code:
function getPermissions(&$record){
    /*
    $app =& Dataface_Application::getInstance();
    $del =& $app->getDelegate();
    $perms =& $del->getPermissions($record);
    */
    //if ( $record ) echo "Yes"; else echo "No";
    //if ( $record and $record->val('username') ) echo "We have a username";
    if ( isAdmin() ) {
        $perms = Dataface_PermissionsTool::ALL();
    } else {
        $perms = Dataface_PermissionsTool::READ_ONLY();
    }
    $perms['new'] = 1;
    return $perms;
}

Doesn't seem to have any effect. I even tried changing READ_ONLY to NO_ACCESS but Joe User can still see all the other profiles. How can I turn this off? I don't need or want anyone editing any profiles. I don't even want such an item anywhere near my application.
Mike Wassil
mikewassil
 
Posts: 36
Joined: Wed Dec 19, 2007 3:47 pm

Postby shannah » Tue Feb 17, 2009 8:09 pm

mikewassil wrote:
potential security hole big enough to drive a truck through!

That's a little dramatic.

mikewassil wrote:
No one, except the admin, should be able to see anyone else's profile settings

That's up to the person who develops the system. For example in Facebook, all of my friends can see my profile.

mikewassil wrote:
If I log into my little demo site as Joe User I can see not only my profile but the admin profile in its entirety. This should not be able to happen. No one should be able to see the admin's login name, role or anything else about admin.

I agree. Security is important. That's why it is up to you as the developer of the application to set appropriate permissions for your application.

mikewassil wrote:
I don't need or want anyone editing any profiles.

Then don't give edit privileges to the users table to anyone. It's quite simple:

Code:
function getPermissions(&$record){
    // nobody can view, list, edit or delete records of this table
    return Dataface_PermissionsTool::NO_ACCESS();
}


I assume you're using the best practice of setting very restrictive permissions via the application delegate class and then opening up permissions on a per table basis via their respective delegate classes.

Security is very important! Xataface provides you with the tools to lock down your application with quite fine-grained precision. It's up to you to make sure you do this.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby msergent » Wed Feb 18, 2009 1:15 pm

Steve, thank you for your time. I added the code as follows:
Code:
<?php
class tables_Users {
    function role__permissions(&$record){
        if ( !isAdmin() ) return array('edit'=>0);
        return null;
    }
    function getTitle(&$record){
        return $record->val('UserName').' User';
    }
}
?>


However I now receive the following error:
Fatal error: Call to undefined function isAdmin() in /var/www/CiscoDevices/tables/Users/Users.php on line 4

I did a grep for isAdmin() in the Dataface directory but came up with nothing. Am I missing something here?
_MarkS.
msergent
 
Posts: 13
Joined: Mon Feb 16, 2009 10:09 am
Location: Virginia

Postby shannah » Wed Feb 18, 2009 1:23 pm

There is no isAdmin() function. This was just shorthand since every application may have a different way of determining who is an admin and who isn't.

Generally I'll create a library with useful functions for my application and include it in the index.php file. One such function that I'll usually implement is isAdmin().

It might look something like:
Code:
function isAdmin(){
    // fetch the record of the currently logged-in user (null when logged out)
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    // 'role' is whatever column holds the role in your users table
    if ( $user and $user->val('role') == 'ADMIN' ) return true;
    return false;
}


-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm
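Added example (not from this thread and not Xataface's own code) that puts together the pieces discussed above: Steve's advice to set restrictive permissions in the application delegate and open them per table, the role__permissions() field override inside the table delegate, and an isAdmin() helper like the one he sketches. It goes one step further than the thread by granting non-admin users access to their own profile row only, which also addresses Mike's concern about every user seeing every profile. File paths, the column names UserName and role, and the value 'ADMIN' are assumptions about this particular application.

```php
<?php
// --- conf/ApplicationDelegate.php ----------------------------------------
// Application-wide default: deny everything. Any table that does not define
// its own getPermissions() (and any logged-out visitor) ends up here.
class conf_ApplicationDelegate {
    function getPermissions(&$record){
        return Dataface_PermissionsTool::NO_ACCESS();
    }
}

// --- lib/helpers.php (included from index.php) ---------------------------
// Helper of the kind Steve describes; the 'role' column and the 'ADMIN'
// value are assumptions about this application's Users table.
function isAdmin(){
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    return ( $user and $user->val('role') == 'ADMIN' );
}

// True when $record is the logged-in user's own Users row. Compares the
// UserName column (assumed); use whatever column your Users table keys on.
function isOwnProfile(&$record){
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    return ( $user and $record
             and $user->val('UserName') == $record->val('UserName') );
}

// --- tables/Users/Users.php ----------------------------------------------
class tables_Users {
    // Record-level permissions: admins get everything, a user may view and
    // edit only their own row, everyone else (including list view, where
    // $record is null) gets nothing.
    function getPermissions(&$record){
        if ( isAdmin() ) return Dataface_PermissionsTool::ALL();
        if ( isOwnProfile($record) ) {
            $perms = Dataface_PermissionsTool::READ_ONLY();
            $perms['edit']   = 1;   // may update own details
            $perms['delete'] = 0;   // but may not remove the account
            return $perms;
        }
        return Dataface_PermissionsTool::NO_ACCESS();
    }

    // Field-level override: the role column stays read-only for non-admins
    // even though they hold 'edit' on their own record. This is the check
    // that stops a user promoting themselves through "My Profile".
    function role__permissions(&$record){
        if ( !isAdmin() ) return array('edit' => 0);
        return null;   // admins: fall back to getPermissions() above
    }

    function getTitle(&$record){
        return $record->val('UserName').' User';
    }
}
?>
```

The field-level override is the part that matters for the original question: giving a user 'edit' on their own record is what lets them update their details, so the role column has to be closed off separately, otherwise record-level edit rights carry over to it. Note that role__permissions() only works when it is a method of the tables_Users delegate class, as Steve points out above.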

Postby msergent » Wed Feb 18, 2009 1:48 pm

Steve,

Thank you for the support and explanation. I was able to get it working for the most part. Now people can update their info except for their role which will work for now. At least it is secure now and users are not able to change their role.
_MarkS.
msergent
 
Posts: 13
Joined: Mon Feb 16, 2009 10:09 am
Location: Virginia


© 2005-2007 Steve Hannah All rights reserved