[SOLVED] passing on values of logged in users


Postby PolderBoy » Wed Feb 02, 2011 5:39 am

Hello All,

I have xataface installed and working but I need the logged in user and rights to check whether he can see some other pages I have made.
I am using the function getPermissions(&$record) in my dashboard, but I am using ajax to do some other things and I need to check if the user has certain rights.

How can I get that information?
I could use a hidden field in the html file and then send it to the server by some javascript and use it in my php files, which show in an <Iframe>.

But how to fill the hidden field?

I have this in my dashboard file:
{use_macro file="Dataface_Main_Template.html"}
{fill_slot name="main_column"}

and at the bottom:
{/fill_slot}
{/use_macro}


Or some other solution.

Thanks in advance.
PolderBoy
Last edited by PolderBoy on Wed Feb 16, 2011 8:10 am, edited 1 time in total.
PolderBoy
 
Posts: 72
Joined: Fri Apr 03, 2009 12:53 am

Re: passing on values of logged in users

Postby shannah » Wed Feb 02, 2011 12:13 pm

Xataface's permission system allows you to specify your own custom permissions that you can grant or not grant using the getPermissions() method.

For any Dataface_Record object, you can call:

Code: Select all
$record->checkPermission('my permission')

which returns boolean to see if the user has the given permission on the specified record.

You should be able to use this as a basis for any type of access limits. I.e. use this information to conditionally show or hide a section - or to add or not add a class to certain page elements that you can refer to on client side.

(Access control should always have a server-side component though... don't just hide things from users and assume they won't find them anyways.. you need to have a secondary lockdown on the server side to close the door on requests that users shouldn't be allowed to make).

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: passing on values of logged in users

Postby PolderBoy » Wed Feb 02, 2011 1:25 pm

Dear Sir,

Thank you for the answer. But could you give me an example?
(not just the one line)

What I would like to have is a name or role so that I can check it myself (well the code) on the database.
I use an iframe because that can load a php file. Unlike the dashboard which has to be a html file.

Thanks in advance,
PolderBoy
PolderBoy
 
Posts: 72
Joined: Fri Apr 03, 2009 12:53 am

Re: passing on values of logged in users

Postby shannah » Mon Feb 07, 2011 11:16 pm

Hmm... if you are using an internal frame to embed a completely different PHP script and you want that PHP script to be able to access permissions info, it could be a bit tricky since that script won't be running inside the Xataface context and won't have access to all of the business and permissions logic you have put into your application. There are certainly solutions but they would all be a little involved custom work that is likely beyond the scope of what can be done through a forum.

Why did you need to use the internal frame again? Why not just do it from a custom action?

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: passing on values of logged in users

Postby PolderBoy » Sun Feb 13, 2011 9:29 am

Sorry Steve,
didn't get a mail that you responded.

The need for the iframe is that I need to do some ajax to do some reporting.
I have bought a reporting script which needs an XML to make a flash graphic.

I am sure that xataface could do all this, but the problem is that I am still not able to program in xataface.

So I would like to send with the link an ID so that the php file like so:
file.php?ID=5
And then I will check what right with number 5 belongs to.

But how do I fill the variable?

PolderBoy.
Last edited by PolderBoy on Wed Feb 16, 2011 3:49 am, edited 1 time in total.
PolderBoy
 
Posts: 72
Joined: Fri Apr 03, 2009 12:53 am

Re: passing on values of logged in users

Postby shannah » Mon Feb 14, 2011 10:25 am

Either you need to modify your file.php file (the script that produces the internal frame) to figure out the permissions directly, or you need to pass this information as a GET parameter to the src of the iframe. Doing it inside the file.php directly is more secure because it prevents the user from being clever and guessing a URL to go directly to the report. However for this you would need to know who is the logged in user, the easiest way would be to access the session of the xataface app. However xataface uses a different session directory by default, so you would need to manually adjust your session_path in the file.php script to match the xataface session path.... this would require some digging as the xataface directory is dynamically generated as a subdirectory of the normal directory using a md5 hash of the path to the xataface app as part of the path.

It would be easier to just pass this info in the GET parameters of the src attribute of the iframe, but like I said that isn't as secure.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: passing on values of logged in users

Postby PolderBoy » Tue Feb 15, 2011 1:24 am

Dear Steve,

The way with the session-path is the way to go.

I have worked with sessions in php before, so I know how to work with them.
And the roles in the xataface are made by me, so I know which role has what access.

The only thing now is which session name to use.
I am working on the program tomorrow. So I will be back.

I did send you an email, Steve.
Did you not receive it?
I will send you a pm.

Thanks for the help,
PolderBoy
PolderBoy
 
Posts: 72
Joined: Fri Apr 03, 2009 12:53 am

Re: passing on values of logged in users

Postby PolderBoy » Wed Feb 16, 2011 8:10 am

Dear All,

I have found it:
Code: Select all
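<?php
// Point PHP at the session directory used by the Xataface application
// so that this standalone script shares its login session.
session_save_path("/var/lib/php5/ec40156a71851c1b50nl83535c48a643");
session_start();

// Application configuration and helper functions.
include("../conf.php");
include("include/Functies.php");

ConnectMySQL();

if (isset($_SESSION['UserName'])) {
    // Look up the rights of the logged-in user and split the
    // "|"-separated string into an array.
    $strRechten = OphalenRechten($_SESSION['UserName']);
    $Rechten = explode("|", $strRechten);
} else {
    // Not logged in: redirect to the "no access" page and stop here,
    // so the rest of the script never runs for this request.
    header("Location: leeg.php");
    exit;
}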



OphalenRechten() is a function which selects the logged-in user from the table: Users and returns the information.
Leeg.php is a file which echoes to the screen: You have no right to view this page.

Thanks Steve for putting me on the right track.

With regards,
PolderBoy
PolderBoy
 
Posts: 72
Joined: Fri Apr 03, 2009 12:53 am
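
The difference between the two options discussed in the thread (rights passed in the iframe URL versus rights derived from the session inside file.php), as an added example that is not part of the original posts. It assumes a `Users` table with a `|`-separated `Rights` column and a hypothetical report-to-right map; the table contents and requests are constructed, and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Constructed stand-in for the Users table (column names are assumptions).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Users (UserName TEXT PRIMARY KEY, Rights TEXT)");
$db->exec("INSERT INTO Users VALUES ('alice', 'sales|finance'), ('bob', 'sales')");

// Which right each report ID requires (hypothetical values).
const REPORT_RIGHTS = [5 => 'finance', 6 => 'sales'];

// Rights come from the database row of the session user, never from the URL.
function rightsFor(PDO $db, string $user): array
{
    $stmt = $db->prepare('SELECT Rights FROM Users WHERE UserName = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetchColumn();
    return is_string($row) ? explode('|', $row) : [];
}

// True only if the session user holds the right the requested report needs.
// $get says *which* report is wanted; it carries no authority of its own.
function mayViewReport(PDO $db, array $session, array $get): bool
{
    if (!isset($session['UserName']) || !is_string($session['UserName'])) {
        return false;                       // not logged in: fail closed
    }
    $id = filter_var($get['ID'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset(REPORT_RIGHTS[$id])) {
        return false;                       // malformed or unknown report ID
    }
    $rights = rightsFor($db, $session['UserName']);
    return in_array(REPORT_RIGHTS[$id], $rights, true);
}

// Constructed requests: (session contents, query string) pairs.
$cases = [
    [['UserName' => 'alice'], ['ID' => '5']],                      // holds 'finance'
    [['UserName' => 'bob'],   ['ID' => '5']],                      // lacks 'finance'
    [['UserName' => 'bob'],   ['ID' => '5', 'role' => 'finance']], // role in URL is not read
    [[],                      ['ID' => '6']],                      // no session
];
foreach ($cases as [$session, $get]) {
    $ok = mayViewReport($db, $session, $get);
    // In file.php a false result would be: header('Location: leeg.php'); exit;
    printf("%-6s ID=%s -> %s\n", $session['UserName'] ?? '-', $get['ID'], $ok ? 'show' : 'deny');
}
```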

