Restricting role permissions for some tables

A place for users and developers of the Xataface to discuss and receive support.

Restricting role permissions for some tables

Postby sworden » Wed Mar 28, 2012 5:31 am

I'm trying to restrict permissions for particular tables. For a few tables I want those with the EDIT role to only have READ-ONLY access. I tried various versions of extending permissions in a permissions.ini file in a particular table's folder but that did not work, I believe because I am actually restricting rather than extending. I tried this in that file as well:

[EDIT]
view = 1
edit = 0
new = 0

but nothing works. What am I missing?
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Re: Restricting role permissions for some tables

Postby shannah » Wed Mar 28, 2012 9:24 am

I can't tell much from the information you provided in this post. Permissions involve both the definition of permissions (in the permissions.ini file) and the assignment of those permissions to users (in the delegate classes). At first glance, though you probably don't want to be overriding the EDIT role with the one you provided here. Better to define your own role (which may extend the edit role), and then assign that role to users in your delegate class's getPermissions() or getRoles() method.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: Restricting role permissions for some tables

Postby sworden » Wed Mar 28, 2012 10:54 am

OK. I've created a new role (COMMITTEE MEMBER) in my application's permissions.ini file. It is a copy of the READ ONLY role as defined in Xataface's permissions.ini file. I want to extend the role to essentially be an EDIT role for specific tables. I tried creating a permissions.ini file in the folder for a specific table:

#COMMITTEE MEMBER role is a copy of READ ONLY. It is extended for those tables where they have
#permission to edit data.
[COMMITTEE MEMBER extends COMMITTEE MEMBER]
edit = 1
add new related record = 1
add existing related record = 1
add new record = 1
remove related record = 1
reorder_related_records = 1
import = 1
translate = 1
new = 1
ajax_save = 1
ajax_form = 1
history = 1
edit_history = 1
copy = 1
update_set = 1
update_selected=1
select_rows = 1

but this seems to be ignored. What is the correct way to extend a role's permission for a particular table?
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Re: Restricting role permissions for some tables

Postby shannah » Wed Mar 28, 2012 11:13 am

You need to reference this role from your getPermissions() or getRoles() method in order to use it.

e.g.
Code: Select all
function getPermissions($record){
    return Dataface_PermissionsTool::getRolePermissions('COMMITTEE MEMBER');
}


Another note. If COMMITTEE MEMBER is just a copy of READ ONLY you could just define it as:
Code: Select all
[COMMITTEE MEMBER extends READ ONLY]


Then you don't need to define all of the permissions.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: Restricting role permissions for some tables

Postby sworden » Wed Mar 28, 2012 11:28 am

I've got this is in my ApplicationDelegate.php:

function getPermissions(&$record){
$auth =& Dataface_AuthenticationTool::getInstance();
$user =& $auth->getLoggedInUser();
if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
// if the user is null then nobody is logged in... no access.
// This will force a login prompt.
$role = $user->val('ROLE');
return Dataface_PermissionsTool::getRolePermissions($role);
// Returns all of the permissions for the user's current role.
}

and the role is being treated as read-only, so I assume it's working fine. The problem is extending the permission to essentially be an EDIT role for specific tables.

I'm sorry if I'm being a pain or not explaining things well. I'm new to PHP so I'm not always sure what is already known.
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Re: Restricting role permissions for some tables

Postby sworden » Wed Mar 28, 2012 12:53 pm

I found the solution in this forum: http://xataface.com/forum/viewtopic.php?t=5508#26475

I set the COMMITTEE MEMBERS role back to having the same permissions as the EDIT role. Then i used this:
cantlep wrote:I've accomplished it with this in the table delegate class for "Users"
Code: Select all
//Restrict Non-admin users to read only on the Users table
function getPermissions(){
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( $user and  $user->val('Role') != 'ADMIN' ){
    return Dataface_PermissionsTool::READ_ONLY();
}
}


to restrict access to this table. I hope this helps someone else!

Stephanie
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Re: Restricting role permissions for some tables

Postby shannah » Wed Mar 28, 2012 1:15 pm

I notice that you're not using your COMMITTEE MEMBERS role at all here. No point defining it if you're just going to use READ ONLY anyways.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: Restricting role permissions for some tables

Postby sworden » Thu Mar 29, 2012 7:28 am

True, I'm not using it to define any different permissions as I had initially thought I would, but the other two individuals with ADMIN privileges to this database are not as tech savvy so if I can make it easier for them to remember what roles individuals have using terms they're familiar with then it's worth it in the end.
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Re: Restricting role permissions for some tables

Postby shannah » Thu Mar 29, 2012 9:40 am

Not only are you not defining different positions, it doesn't look like you're even using those roles in your application at all (unless I'm missing something). I.e. you could delete those roles from your permissions.ini file and it wouldn't make a difference in your app the way you currently have things set up.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm


Return to Xataface Users

Who is online

Users browsing this forum: No registered users and 5 guests

cron
Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved