User & Admin rights (Security)

This public forum is for user-to-user discussions of PHPMaker. Note that this is not a support forum.
WABez
User
Posts: 199

Post by WABez »

So I have my "user" table in the DB, that is used for the "user registration system" (with the relevant fields).

Here is what I am struggling with, if anyone has any ideas, it will be appreciated:

  1. So a user can register himself/herself - that is ok,
  2. A specific user on the system MUST be able to "manually" register/add a new user - this is what I'm struggling with

If I log in as ADMIN:

  • I can "manually" register the user, the system then redirects to a detail page to capture detail information about the person.
  • The "Page_Redirecting" function works as intended (when logged in as "Admin"),
  • I can capture the detail information as required, no problem, i.e. localhost\myurl\userdetailadd.php?showmaster=user&fk_userid=123&other_paramid=2
  • NOTE: The ?showmaster=user&fk_userid=123 shows up in the URL.

BUT when I log in as the USER (handling registrations "manually"):

  • I can "manually" register the user BUT I cannot set the permissions (I need to be able to set the permissions)
  • The system then redirects to the detail page to capture detail information about the person, EXCEPT for one thing, the UserID DOES NOT APPEAR in the URL parameters, i.e. localhost\myurl\userdetailadd.php?showmaster=user&fk_userid=&other_paramid=2
  • NOTE: The ?showmaster=user&fk_userid=XXXX does not show up in the URL and hence I cannot add the detail data.

How can I either solve this, OR assign "ADMIN" rights to this user?

I have read the Advanced Security and Server Events sections in the help file, but I'm still missing something. To try and assign something in "TablePermission_Loading" does not seem to work the way I need it to work. Any ideas would be greatly appreciated.


arbei
User
Posts: 9376

Post by arbei »

WABez wrote:

  • I can "manually" register the user BUT I cannot set the permissions (I need to be able to set the permissions)

Note that only the hard-coded Administrator or the user with the "Administrator" user level has the right to manage the user privileges.

WABez wrote:

  • The system then redirects to the detail page to capture detail information about the person, EXCEPT for one thing, the UserID DOES NOT APPEAR in the URL parameters, i.e. localhost\myurl\userdetailadd.php?showmaster=user&fk_userid=&other_paramid=2
  • NOTE: The ?showmaster=user&fk_userid=XXXX does not show up in the URL and hence I cannot add the detail data.

Can you post your code in Page_Redirecting so we can simulate your problem?

WABez wrote:

How can I either solve this OR assign "ADMIN" right to this user.

Set up the User Level of that user as the administrator with the hard-coded administrator.


WABez
User
Posts: 199

Post by WABez »

Thank you, however:

arbei wrote:

  • I can "manually" register the user BUT I cannot set the permissions (I need to be able to set the permissions)
    Note that only the hard-coded Administrator or the user with the "Administrator" user level has the right to manage the user privileges.

Fully aware of this, i.e. ONLY "Administrator" has the rights to manage user privileges.

arbei wrote:

  • The system then redirects to the detail page to capture detail information about the person, EXCEPT for one thing, the UserID DOES NOT APPEAR in the URL parameters, i.e. localhost\myurl\userdetailadd.php?showmaster=user&fk_userid=&other_paramid=2
  • NOTE: The ?showmaster=user&fk_userid=XXXX does not show up in the URL and hence I cannot add the detail data.
    Can you post your code in Page_Redirecting so we can simulate your problem?

It is a Master/Detail setup, so I need the "USER" table data first, and then redirecting to the detail table (as per the help file), i.e.:

$url = "userdetailadd.php?showmaster=user&fk_userid=" . urlencode(CurrentMasterTable()->userid->CurrentValue) . "&other_paramid=" . urlencode(CurrentMasterTable()->userid->CurrentValue);

Note that the page redirecting is working fine for "Administrator".

arbei wrote:

How can I either solve this OR assign "ADMIN" right to this user.
Set up the User Level of that user as the administrator with the hard-coded administrator.

NOTE: This user MUST NOT have "Administrator" privileges for the system, but ONLY for the USER table/data, i.e. "useradd.php"

Thank you kindly.


WABez
User
Posts: 199

Post by WABez »

Maybe another view to help with my issue:

I have a receptionist that must be able to add users, i.e. without the user registering online himself/herself. So the receptionist cannot (and MUST NOT) have "Administrator" privileges for the system, but only when a user is "on-boarded", i.e. therefore she must have "FULL Admin" privileges for the "useradd.php" page only!

The "Administrator" privilege seems to affect the URL parameters that are passed as well (see previous posts w.r.t. the URL). So the page redirect works fine when logged in as "Administrator" (the hard-coded "Administrator"), but when I try to assign "Administrator" privileges to the receptionist, it fails because "Administrator" privileges are required.

Thank you.


kirondedshem
User
Posts: 642

Post by kirondedshem »

I always find working with the default user table that is linked to security using a non-admin user nearly impossible, since the table has a lot of embedded security features. So I always create a view out of the user table and user privileges table in case I need to let some other groups play with this info.

So I suggest you create an editable view of the user table, e.g.
CREATE VIEW user_view AS SELECT * FROM user; -- "user_view" is a placeholder view name
Set up its field settings from scratch, DON'T copy from the user table, as I found it embeds some of the previous security restrictions as seen on the user table.
Set up master/detail as required.
Then assign the necessary groups normal permissions to this view, as it can also add, delete, edit etc. but it won't have those embedded "require admin only" scenarios.


WABez
User
Posts: 199

Post by WABez »

Thank you kirondedshem, I will try this.


edydeyemi
User
Posts: 32

Post by edydeyemi »

Here is what I did in a similar scenario when I had to build a HR Module:

  1. I created different groups with their required permissions (using PHPMaker UserLevelPermissions table)
  2. In my User Table, I made the 'User Level' a dropdown field, had it reference the UserLevels table as its lookup table, and set the UserlevelName as the display field.
  3. I then created an editable view (let's call it Registration Module) of the User Table and assigned (add, copy, view and edit) rights to the 'HR Officer'
  4. Now HR Officer can create new users or modify existing users and set their rights by choosing the appropriate Level.

Mission accomplished! Hope this helps
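
An added example, not part of any post above and not PHPMaker's own code: one way to define the editable view suggested in this thread so that the database itself keeps the delegated role (receptionist or HR Officer) from creating, seeing or promoting Administrator accounts. It assumes MySQL, PHPMaker's built-in user level IDs (-1 Administrator, 0 Default), a custom level with ID 2, and hypothetical names for the view and for every column except userid.

```sql
-- Assumed shape of the base table; only `userid` appears in the thread,
-- the other column names are hypothetical.
CREATE TABLE `user` (
  userid    INT AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL UNIQUE,
  password  VARCHAR(255) NOT NULL,
  email     VARCHAR(255),
  userlevel INT NOT NULL DEFAULT 0   -- -1 = Administrator, 0 = Default
);

-- Editable view for the delegated role. The WHERE clause is an allow-list
-- of the levels this role may hand out (0 = Default, 2 = an assumed custom
-- level). Administrator rows are not visible through the view at all.
CREATE VIEW user_registration AS
  SELECT userid, username, password, email, userlevel
  FROM `user`
  WHERE userlevel IN (0, 2)
WITH CASCADED CHECK OPTION;

-- Accepted: the new row satisfies the view's WHERE clause.
-- (All values below are constructed sample data.)
INSERT INTO user_registration (username, password, email, userlevel)
VALUES ('jdoe', '<password hash>', 'jdoe@example.test', 0);

-- Rejected with "CHECK OPTION failed": the row would carry the
-- Administrator level, which is outside the allow-list.
INSERT INTO user_registration (username, password, email, userlevel)
VALUES ('mallory', '<password hash>', 'mallory@example.test', -1);

-- Rejected for the same reason: an existing user cannot be promoted
-- to Administrator through the view.
UPDATE user_registration SET userlevel = -1 WHERE username = 'jdoe';

-- Affects 0 rows: Administrator accounts are filtered out of the view,
-- so the delegated role cannot edit or delete them.
DELETE FROM user_registration WHERE userlevel = -1;
```

With the view defined this way, the User Level dropdown on the view's add/edit page can stay a plain lookup; a disallowed choice fails at the database even if the form offers it.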

