List view lacks columns after access control

A place for users and developers of the Xataface to discuss and receive support.

List view lacks columns after access control

Postby lhat » Fri Apr 16, 2010 11:38 pm

Hi, All!

I'm trying to control access to records in a table (called 'tablename' here just as a placeholder) based on the logged-in userid, where each record has a Teacher_ID (users enter this Teacher_ID as their UserName to log in).

I've set up general permissions.ini so logging in works well with the roles defined in my app's User table. Following the docs, I've created my tablename.php Delegate Class in /tables/tablename/.

My DelegateClass.php looks like this :

Code: Select all
<?
class tables_tablename {
function getPermissions(&$record){
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( $record and $user and $record->val('Teacher_ID') == $user->val('UserName') ){
        return Dataface_PermissionsTool::ALL();
    }
        return Dataface_PermissionsTool::NO_ACCESS();
}
}
?>


This properly presents the XF login screen, accepts the username/password from the Users table and logs in the user, and then tries to present the initial list view of the table.

But the list view lacks nearly all its columns!

Except for the Ajax pop-up "+" on the left, none of the data columns are visible: no header row, no corresponding data in the columns.

The records selected for the list view are properly selected, and I can see this by clicking on the individual pop-up + signs, which are listed in their column, row by row.

I'm well confounded and figure I must be missing something obvious--any help would be most greatly appreciated!

Thanks for your time.
lhat
 
Posts: 40
Joined: Thu Aug 06, 2009 3:31 pm

Re: List view lacks columns after access control

Postby Jean » Mon Apr 19, 2010 12:28 am

Hi,
What is your error message ?
Have in index.php
Code: Select all
ini_set('display_errors', 'on');
error_reporting(E_ALL);

and in conf.ini
Code: Select all
debug=1


Jean
Jean
 
Posts: 259
Joined: Wed Nov 07, 2007 1:30 am
Location: Pau, France

Re: List view lacks columns after access control

Postby lhat » Mon Apr 19, 2010 11:10 am

Thanks for your reply, Jean--But alas, there seems to be no error message: debug=1 provides me the listing of the various smarty-php blocks on each page presented, but no errors. I guess this implies that I'm wrestling with a permissions problem, since XF thinks other things are in order.

For this app's permissions.ini I've just copied the base permission.ini file in, added the role 'TEACHER' at the bottom, and turning off updating to a selected set to limit the damage potential, like so:

Code: Select all
[TEACHER extends EDIT]
update_selected=0


But I'm still getting only the pop-up + signs.

I then tried reversing the condition in the access clause in the table's Delegate Class, like so:
Code: Select all
<?
class tables_OR_StudentBehaviorSurv {
    function getPermissions(&$record){
   $auth =& Dataface_AuthenticationTool::getInstance();
   $user =& $auth->getLoggedInUser();
         if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
    if ( $record and $user and $record->val('Teacher') !== $user->val('UserName') ) {
   return Dataface_PermissionsTool::NO_ACCESS();
    }
        return Dataface_PermissionsTool::ALL();
}
}
?>

So the condition becomes 'unless the logged-in user matches a record in the Users table', then no-access, else full access. This seems illogical, since it would seem to leave the table open to any logged in user, but instead it gets me the full listing of columns limited to the records with the logged-in Teacher_ID--

At least, it does for one user (co-incidentally UserName 50). If I log out and try any other UserName/pw, I do get an error msg: "Permission to perform action 'list' denied. Requires permission 'list' but only granted ''; but this doesn't seem to be right, since the other UserNames are in Users and in tablename, the passwords match, and the permission listing in Users is TEACHER.

Does this lend any more light?
lhat
 
Posts: 40
Joined: Thu Aug 06, 2009 3:31 pm

Re: List view lacks columns after access control

Postby shannah » Tue May 04, 2010 9:07 am

The problem is that in list view it is checking the permission on the first record of the set the way you have your permissions set up. Make sure that you always include the 'list' permission.

e.g.
Code: Select all
function getPermissions(&$record){
   $auth =& Dataface_AuthenticationTool::getInstance();
   $user =& $auth->getLoggedInUser();
         if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
    if ( $record and $user and $record->val('Teacher') !== $user->val('UserName') ) {
   return Dataface_PermissionsTool::NO_ACCESS();
    }
        $perms =  Dataface_PermissionsTool::ALL();
        $perms['list'] = 1;
        return $perms;
}
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: List view lacks columns after access control

Postby lhat » Wed May 05, 2010 1:40 pm

HI, Steve--

Many thanks for your help. Alas, I'm still getting the same permission denied error after changing my table's delegateclass.php to match your code snippet (see below--I shifted username to Teacher_ID in my users table, so folks will give this number and their password to log in).

I'll bet that this comes from my not understanding what you mean by "in list view it is checking the permission on the first record of the set the way you have your permissions set up"--should I have the perms set up differently to allow it to check all the records in the set? (As you'll recall, I'm trying to limit access to just those records where the Teacher_ID matches the logged-in username.)

My conf.ini has

[_auth]
users_table = Users
username_column = Teacher_ID
password_column = Password

The whole of my table's delegate class file (tablename.php) now looks like so:

Code: Select all
<?
class tables_OR_StudentBehaviorSurv {
function getPermissions(&$record){
       $auth =& Dataface_AuthenticationTool::getInstance();
       $user =& $auth->getLoggedInUser();
   if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
   if ( $record and $user and $record->val('Teacher_ID') !== $user->val('Teacher_ID') ){
            return Dataface_PermissionsTool::NO_ACCESS();
   }
            return Dataface_PermissionsTool::ALL();
            $perms['list'] = 1;
            return $perms;
    }
}
?>


Your help is very much appreciated!
lhat
 
Posts: 40
Joined: Thu Aug 06, 2009 3:31 pm

Re: List view lacks columns after access control

Postby shannah » Wed May 05, 2010 4:53 pm

Sorry.. my snippet had a typo. I added the 'list' permission to users that already had the ALL permission. Really it needed to be added to the users that got no permissions:
In general you want the default to be restrictive permissions... so i would lay it out like this:

Code: Select all
function getPermissions($record){
    $user = getUser();
    if ( $user and $record and $user->val('Teacher_ID') == $record->val('Teacher_ID') ){
        return Dataface_PermissionsTool::ALL();
    }
    $perms = Dataface_PermissionsTool::NO_ACCESS();
    $perms['list'] = 1;
    return $perms;
}


(The getUser() method doesn't exist... you would have to create it to get the currently logged in user record)

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: List view lacks columns after access control

Postby lhat » Wed May 12, 2010 10:17 am

Hi, Steve--

Thanks so much for the wonderful help--I've now got the permissions and application delegate class set per your guidance so that the only records visibly returned are those that match the teacher's login userid.

But then a different issue has emerged: in my datatable of over 1500 records, any given teacher will have but 20-40 matches, fitting the students in his/her class(es). Unfortunately, the initial listview doesn't return all these on the first page, but instead sprinkles the records on subsequent pages of the listview display.

I figured this must be due to the default records per page being set to 50--so the initial query returns all records and then the delegate class cuts that down to just those that match the login userid; but since these records fall into various 'pages' they don't show up in that first listing.

Following that reasoning, I was able to find the code snippet for my app's index.php file to increase the default page limit for this app to exceed the total number of records in the table, and now the initial result is all on one page, as expected:
Code: Select all
if ( !isset( $_REQUEST['-limit']) ){
    $_REQUEST['-limit'] = 1300;                   
        $_GET['-limit'] = 1300;                   
          }

While this works well for the case at hand -- [yea!] -- I wonder if this code could be put into the table's delegate class.php instead, in order to apply this behavior only to the table in question, rather than the whole app?

Many thanks!
lhat
 
Posts: 40
Joined: Thu Aug 06, 2009 3:31 pm

Re: List view lacks columns after access control

Postby shannah » Wed May 12, 2010 10:37 am

To solve this, you should also implement a security filter. This is a filter that is applied to all queries in the given request. In this case your filter should filter the table to only return records matching the given teacher id. You would do this in the init() method of your table's delegate class as follows:

Code: Select all
function init(&$table){
    $teacherID = getCurrentTeacherID();  // i..e you first get the teacher id of the currently logged in user.
    $table->setSecurityFilter(array('TeacherID'=>'='.$teacherID));
}
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: List view lacks columns after access control

Postby lhat » Thu May 13, 2010 3:26 pm

Steve--

Perfect! Just what I needed: thanks a million.
lhat
 
Posts: 40
Joined: Thu Aug 06, 2009 3:31 pm


Return to Xataface Users

Who is online

Users browsing this forum: No registered users and 1 guest

cron
Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved