The current user is not authorized to insert the record

alex · Post by **alex** » Mon Feb 19, 2024 4:28 am

Hello!

Please advice how to avoid the problem adding record using "Allow add" option: (v2024.8)

"The current user (11) is not authorized to insert the record. Master filter: debitorId = 10"

The most interesting thing is that if after getting this message just refresh (reload opened tab) debitorslist page then it allows to add record (popup window in previous tab).

User (11) has all permissions (dynamic user levels): add/edit/view/list/etc... (except Admin). It allows add records to all tables directly.

The structure is as follows:

Main table "loans" has "Allow add" option for fields "deditorId", "estateId" (from tables "debitors", "estate"). "estateId" field has "Parent field" and "Filter field" set "deditorId" in "Lookup table" settings.

The steps are as follows:

/loansadd?showdetail=
"Allow add" option for "deditorId" field - secces
"Allow add" option for "estateId" where parent is just added on previous step "deditorId" record (lets say debitorId = 10") - and here I get error.

If I remove Master/Detail relations then it works as expected. It also work if I change userlevelid for user (11) as "Administrator" or add checkbox "Admin" in table "User Level Permissions" for all tables for particular User Level.

I also tried to add check boxes for all tables in Table settings "Master/Detail Add (as Detail)" but it doesn't help.

arbei · Post by **arbei** » Mon Feb 19, 2024 8:49 am

If you have enabled User ID Security and the master table is protected, each record in the master table has a owner. The owner of the master record also owns the detail records by default. If you want to insert a detail record for a master record that is not owned by yourself, you are not authorized, unless you are the super admin, or belong to the Administrator User Level (if you have enabled User Level Security also).

alex · Post by **alex** » Tue Feb 20, 2024 12:20 am

arbei wrote:

If you have enabled User ID Security

Yes I did so each table has "user ID field" like in example 3. Set up User ID Security

and the master table is protected, each record in the master table has a owner. The owner of the master record also owns the detail records by default. If you want to insert a detail record for a master record that is not owned by yourself

"user (11)" has permissions to add records to master and detail tables (all tables). The problem is that phpmaker script doesn't allow to add detail record only if "user (11)" uses "Allow add" option (Add Option Page).

I need to find a solution to get around this (may be using Server Events or Client Scripts). Otherwise I won't be able to use master/detail relations together with "Allow add" option.

Please let me know if it is possible.

arbei · Post by **arbei** » Tue Feb 20, 2024 9:47 am

alex wrote:

"user (11)" has permissions to add records to master and detail tables (all tables).

Are you sure? That would mean all tables has User ID field, and all records in all tables's User ID field is set to 11.

Do not mix up User ID Security (which is record level) and User Level Security (which is table Level). The user has Add permission to the detail table (i.e. User Level Security) does not mean the user own the record (i.e. User ID Security) and has the right to insert detail record for a master record not owned by the user.

If you want to grant more User ID to the user (so the user can access other users' records), you may use UserID_Loaded server event.

alex · Post by **alex** » Tue Feb 20, 2024 5:54 pm

Yes. If "user(11)" added record to table "debitors" (lets say in our case "debitorId = 10") then i means that "user(11)" has the permission on record level of master table ("debitors") and this particular record has "debitors.user_id" field with is set to 11.

Besides:

If "user(11)" has no permission how it is possible that phpmaker allowes to add the same record directly to detail table ("estateadd") selecting same "debitorId = 10"?
And also as I wrote earlier it is allowed to add record using "Allow add" option just after refreshing debitorslist or estatelist page opened in other browser tab. How is it possible?

Please let me know if I am wrong.

arbei · Post by **arbei** » Tue Feb 20, 2024 10:17 pm

First, by master/detail table I means table with relationship defined in the project (see Master/Detail) and in this case the linked field is "debitorId".

If User ID Security is enabled for the master table "debitors" and the user(not 11) added the record with "debitorId = 10", then the user owns the record and the detail records of this master record in detail tables.

If you are user(11) and you try to insert a detail record with "debitorId = 10" to a detail table (e.g. "estate"), then you get the said error:
The current user (11) is not authorized to insert the record. Master filter: debitorId = 10

However, if you go to the detail table directly by clicking the main menu for the detail table (with cmd=resetall), the current master table in the session is reset. If the detail table itself is not protected by User ID Security (i.e. No User ID field set up for the table table), you can add record with debitorId = 10 because there is no active master table and therefore no known User ID.

You should avoid working simultaneously with multiple browser tabs because all tabs share the same PHP session. If you change/reset the current master/detail relationship (stored in session) in other tabs, it will affect the current tab unexpectedly also.

alex · Post by **alex** » Wed Feb 21, 2024 1:00 am

First, by master/detail table I means table with relationship defined in the project (see Master/Detail) and in this case the linked field is "debitorId"

Yes, Master table "loans" has two Detail tables (both has "user_added" fields updated by CurrentUserID() ):

"debitors" linked field is "debitorId" (loans.debitorId = debitors.id)
"estate" linked field is "debitorId" (loans.debitorId = estate.debitorId)

My logic says that if user(11) added record to Detail table "debitors" (lets say debitors.id = 10) it also has permission to add record to Detail table "estate" with selected estate.debitorId = 10. Why not? If user(11) ca do it directly from add page of table "estate" then why its not allow to do it using "Allow add" option from table "loans"?

If User ID Security is enabled for the master table "debitors"

Yes, enabled

and the user(not 11) added the record with "debitorId = 10"

user(11) added the record with "debitorId = 10" and it owns the record as I can understand

If you are user(11) and you try to insert a detail record with "debitorId = 10" to a detail table (e.g. "estate"), then you get the said error:
The current user (11) is not authorized to insert the record. Master filter: debitorId = 10

Perhaps I don't understand the logic but I found out one more interesting behavior:

If table "loans" previously had at least one record with "debitorId = 10" (together with "user_added" = 11) then it allows to add record to Detail table "estate" for user(11) with "debitorId = 10". If no - not allows.

How to explain - no idea.

Thank you anyway!

alex · Post by **alex** » Wed Feb 21, 2024 1:03 am

If User ID Security is enabled for the master table "debitors"

in or case "debitors" is Detail table of "loans". Same as "estate".

arbei · Post by **arbei** » Wed Feb 21, 2024 8:39 am

Note that each table has its own User ID field, see User ID. If a detail table has its own User ID field setup, it is protected like a normal table. If a detail table has not its own User ID field setup, it is not protected , but if its master table is with User ID field, the detail table is indirectly protected by the User ID of the master table. However, this replies on a existing master table stored in session. If the master table in session is reset or changed in the other tabs, the result becomes unexpected.

alex · Post by **alex** » Mon Mar 11, 2024 11:51 am

The problem has gone since v 2024.9 what is great!