Security filters


Post by Mourice » Wed Jul 25, 2012 1:44 pm

Hey there again,

once more I have a problem. The security filter is not working properly. I implemented the code from here: http://xataface.com/documentation/how-to/security_filters but the users set as OWNERS can still do and see anything in the tables. They should be restricted from entries which are not theirs and only be able to edit their own files. The master table (nation) is connected to a USER ID.

The debug mode doesn't show any mistake and I can't see what's wrong.

This is the used code:
Code:
<?php
class tables_nation {
    function getTitle(&$record){
        return $record->val('nation_name');
    }

    function getPreferences(){
        $mytable =& Dataface_Table::loadTable('nation'); // load the 'nation' table
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();
        if ( $user and $user->val('Role') != 'MANAGER' ){
            // We apply the security filter to non-admin users.
            $mytable->setSecurityFilter(array('nation_owner'=>$user->val('UserID')));
        }
        return array(); // Mandatory!! getPreferences() must return array.
    }
}
?>


Thx and good night

mo
Last edited by Mourice on Thu Jul 26, 2012 2:39 am, edited 1 time in total.
Mourice
 
Posts: 6
Joined: Mon Jun 04, 2012 3:44 am

Re: Security filters

Post by shannah » Wed Jul 25, 2012 1:48 pm

Change
Code:
$mytable->setSecurityFilter(array('nation_owner'=>$user->val('UserID')));

to
Code:
$mytable->setSecurityFilter(array('nation_owner'=>'='.$user->val('UserID')));


-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm
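
The reply above prefixes the filter value with '=', which in Xataface's query syntax requests an exact match. The following is an added example, not code from this thread or from Xataface, that models the difference on an in-memory SQLite table (needs the pdo_sqlite extension); the helper names, the sample rows, and the assumption that an unprefixed value is matched as a substring are all assumptions of the example.

```php
<?php
// Added example (not Xataface code). Constructed sample rows: owners 1, 11, 21.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE nation (
    nation_id INTEGER PRIMARY KEY, nation_name TEXT, nation_owner INTEGER)');
$db->exec("INSERT INTO nation (nation_name, nation_owner)
           VALUES ('Alpha', 1), ('Beta', 11), ('Gamma', 21)");

/**
 * Hypothetical helper: turn one filter entry into a parameterised WHERE
 * fragment. Assumption: a leading '=' means exact match; any other value
 * is treated as a substring search.
 */
function filterClause(string $column, string $value): array
{
    // The column name is interpolated into SQL, so accept plain identifiers only.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
        throw new InvalidArgumentException("bad column name: $column");
    }
    if ($value !== '' && $value[0] === '=') {
        return ["$column = ?", substr($value, 1)];
    }
    return ["$column LIKE ?", '%' . $value . '%'];
}

/** Names of the nation rows a user can see under the given filter value. */
function visibleNations(PDO $db, string $filterValue): array
{
    [$where, $param] = filterClause('nation_owner', $filterValue);
    $stmt = $db->prepare(
        "SELECT nation_name FROM nation WHERE $where ORDER BY nation_id");
    $stmt->execute([$param]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$userId = '1'; // constructed UserID of the logged-in OWNER

// Unprefixed: the digit 1 also occurs in owner ids 11 and 21.
echo 'plain value : ', implode(', ', visibleNations($db, $userId)), PHP_EOL;
// Prefixed with '=': only rows whose nation_owner equals 1 exactly.
echo "'=' prefixed: ", implode(', ', visibleNations($db, '=' . $userId)), PHP_EOL;
```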

Re: Security filters

Post by Mourice » Wed Jul 25, 2012 2:24 pm

Hi Steve,

thx for the quick reply. I changed the line but there is no difference. My master table is hooked to the users by a nation_owner entry in the fields.ini ...

[nation_owner]
widget:label="Nation Owner"
widget:description=""
widget:type=hidden

which is manually updated with the right user_id.

Could that be the problem?
Mourice
 
Posts: 6
Joined: Mon Jun 04, 2012 3:44 am

Re: Security filters

Post by shannah » Wed Jul 25, 2012 2:51 pm

Not enough information to comment. You'll need to do some debugging. E.g. make sure you have the column names exactly correct in the security filter (case sensitive), and check at each step to see what values are in your user records and the resulting records.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: Security filters

Post by Mourice » Thu Jul 26, 2012 2:37 am

I did some debugging but it didn't show anything and I quadruple-checked the writing (case sensitive). Maybe the mistake is too obvious. It would be nice if you could do a quick check...
The column in the master table (nation) is named: nation_owner and contains the UserID from the slave table (users). To check the access authority there is a global delegateclass.php

This is my slave table:
Code:
#   Name       Typ           Kollation         Attribute   Null   Standard   Extra
1   UserID     int(11)                                     Nein   kein(e)    AUTO_INCREMENT
2   eMail      varchar(40)   utf8_general_ci               Ja     NULL
3   UserName   varchar(32)   utf8_general_ci               Ja     NULL
4   Password   varchar(32)   utf8_general_ci               Ja     NULL
5   Role       text          utf8_general_ci               Ja     NULL


There are only two roles: OWNER and MANAGER.

This is the permissions.ini:
Code:
;;------------------------------------------------------------------------------
;; The READ ONLY role is allowed to view records and perform the show all
;; and find actions.  Basically, anything that doesn't require making changes
;; is allowed with the READ ONLY permission

[READ ONLY]
view in rss=0
view = 1
link = 1
list = 1
calendar = 1
view xml = 0
show all = 1
find = 1
navigate = 1
ajax_load = 1
find_list = 1
find_multi_table = 1
rss = 0
export_csv = 0
export_xml = 0
export_json = 0
view related records=1
related records feed=0
expandable=1
;;------------------------------------------------------------------------------
;; The EDIT role extends the READ ONLY role so that anyone who can edit can also
;; READ.  It is pretty far reaching, as it provides permissions to edit records,
;; and manipulate the records' relationship by adding new and existing records
;; to the relationship.

[EDIT extends READ ONLY]
edit = 1
add new related record = 1
add existing related record = 0
add new record = 1
remove related record = 1
reorder_related_records = 1
import = 1
translate = 1
new = 1
ajax_save = 1
ajax_form = 1
history = 1
edit_history = 1
copy = 1
update_set = 1
update_selected=1
select_rows = 1
;;------------------------------------------------------------------------------
;; The DELETE role extends the EDIT role but adds the ability to delete
;; records and related records also.  Notice that the EDIT permission allows
;; the removal of related records but not the deletion of the records.  This is
;; relevant with ONE TO MANY relationships in which a record can only be removed
;; if the related record is deleted.

[DELETE extends EDIT]
delete = 1
delete found = 1
delete selected = 1
;;------------------------------------------------------------------------------
;; The EDIT AND DELETE role is basically an alias of the DELETE role.

[EDIT AND DELETE extends EDIT, DELETE]
;;------------------------------------------------------------------------------
;; The OWNER role encapsulates the permissions that the owner of a record
;; should have.  It allows full access to the current record, but not necessarily
;; full access to the table.

[OWNER extends EDIT AND DELETE]
;;------------------------------------------------------------------------------
;; The ADMIN role allows full access .. kind of like ALL
[ADMIN extends EDIT AND DELETE]
xml_view=1

[MANAGER extends ADMIN]
manage=1
manage_output_cache=1
manage_migrate=1
manage_build_index=1
install = 1


And the delegateclass.php from /conf/ApplicationDelegate.php:
Code:
<?php
/**
* A delegate class for the entire application to handle custom handling of
* some functions such as permissions and preferences.
*/
class conf_ApplicationDelegate {
    /**
     * Returns permissions array.  This method is called every time an action is
     * performed to make sure that the user has permission to perform the action.
     * @param record A Dataface_Record object (may be null) against which we check
     *               permissions.
     * @see Dataface_PermissionsTool
     * @see Dataface_AuthenticationTool
     */
    function getPermissions(&$record){
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();
        // If the user is null then nobody is logged in... no access.
        // This will force a login prompt.
        if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
        $role = $user->val('Role');
        // Returns all of the permissions for the user's current role.
        return Dataface_PermissionsTool::getRolePermissions($role);
    }
}
?>


Thanks very much...
Mourice
 
Posts: 6
Joined: Mon Jun 04, 2012 3:44 am

