Restrict records by user

A place for users and developers of the Xataface to discuss and receive support.

Restrict records by user

Postby scosno » Mon Feb 06, 2012 11:32 am

First. This tool is a lifesaver. Thank you Steve!

My issues is that I'm very thick-headed around understanding the ability to restrict viewing/editing records by user. What I'd like to do is allow an ADMIN to do everything and restrict other users to a set of data for their territory which is stored in the db. Can someone point me to a working example of setting a filter by username that I can tweak or play with. Thanks!
scosno
 
Posts: 5
Joined: Mon Feb 06, 2012 11:27 am

Re: Restrict records by user

Postby shannah » Mon Feb 06, 2012 11:59 am

Check out the section of the getting started guide on permissions. There are also a few other pages in the wiki that discuss permissions.

Best practice is to define very restrictive permissions in the application delegate class's getPermissions() method then permit permissions in the table delegate classes as required for your users. Probably you are ascribing ownership/access on particular records for users based on a field value in each table. You would just use an if/else statement to grant/deny access to a user based on that.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: Restrict records by user

Postby Jean » Mon Feb 06, 2012 12:00 pm

You need to use roles, each role has permissions (permissions.ini)...
Begins here : http://xataface.com/wiki/authentication
Well you have all this in the wiki
Security

authentication - Overview of Xataface Authentication
registration form - Enabling User Registration in Xataface
permissions.ini file - Reference of the permissions.ini file directives.
Permissions - Use sessions and delegate classes to define permissions at the record and field level. (From the Getting Started tutorial).
Delegate class methods - Permissions-related functions
Relationship Permissions - Guide to permissions on related records.
How to disallow access to tables
site_with_backoffice - A site with a backoffice without obligation to log in
Security Filters - Use security filters to block users from seeing certain records.
How to granulate permissions on each field - Decide for each field who can edit, read...
no_access_text - Replace the default NO ACCESS permission text with another text.
LDAP or Active Directory - How to authenticate users with LDAP or Active Directory...

Jean
Jean
 
Posts: 259
Joined: Wed Nov 07, 2007 1:30 am
Location: Pau, France

Re: Restrict records by user

Postby scosno » Mon Feb 06, 2012 12:29 pm

I'm going to absorb all this info now. I think I went down a rat hole by looking at the example which was around getPreferences(). Thanks for the quick replies.
scosno
 
Posts: 5
Joined: Mon Feb 06, 2012 11:27 am

Re: Restrict records by user

Postby scosno » Mon Feb 06, 2012 2:02 pm

I took a crack at it but I'm not having any luck. I'm getting Permission denied and not seeing any records. The code is below. What I've tried to do is for non-admins restrict them to records with a value of 1 for the PRECINCT. 1 is an INT in the db. I'll check the user's precincts after I get this going.

Code: Select all
<?
class conf_ApplicationDelegate
{
   function getPermissions(&$record)
   {
      $auth =& Dataface_AuthenticationTool::getInstance();
      $user =& $auth->getLoggedInUser();

      //A user is not logged on
      if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
      
      //The user is logged on and ADMIN
      if ( $user->val('Role') == 'ADMIN' ) return Dataface_PermissionsTool::ALL();
      
      
      if (isset($record) )
      {
         if ($record->val('PRECINCT') == '1')
         {
            return Dataface_PermissionsTool::ALL();
         }
         return Dataface_PermissionsTool::NO_ACCESS();
      }
   }
}
?>
scosno
 
Posts: 5
Joined: Mon Feb 06, 2012 11:27 am

Re: Restrict records by user

Postby shannah » Mon Feb 06, 2012 2:30 pm

In your application delegate class you want very few permissions.
Code: Select all
function getPermissions($record){
   if ( isAdmin() ) return Dataface_PermissionsTool::ALL();
   return Dataface_PermissionsTool::NO_ACCESS();
}


And in a table delegate class:
Code: Select all
function getPermissions($record){
    if ( isAdmin() ) return null;  // just use defaults
    $user = getUser();
    if ( $user and $record and $user->val('user_id') == $record->val('owner_id') ){
        // This record is owned by the current user so we give him owner permissions
        return Dataface_PermissionsTool::getRolePermissions('CAR OWNER');
    } else if ( $user ){
        // If we aren't dealing with the record itself (i.e. record is null or record is someone elses)
        // Then we still probably want to give permission to list (but not view)
        return Dataface_PermissionsTool::getRolePermissions('CAR USER');
    }
    return null;  // default permissions otherwise
}



In your permissions.ini file you would define the two roles we used there:
Code: Select all
[CAR OWNER extends EDIT,DELETE]
   
[CAR USER extends NO ACCESS]
    list=1
    find=1


In the case of the table that you are filtering per user you may also want to define security filters so that records are cut off at the SQL query level (rather than after they are loaded into memory at the PHP level).

Note: isAdmin() and getUser() are not defined in Xataface. It is assumed that you have defined such wrapper functions around the Dataface_AuthenticationTool methods..... I just use them as short hand to save some typeing.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm


Return to Xataface Users

Who is online

Users browsing this forum: No registered users and 10 guests

cron
Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved