User ID Security

This public forum is for user-to-user discussions of PHPMaker. Note that this is not a support forum.
konfuzion
User
Posts: 378

User ID Security

Post by konfuzion »

I added a new security_uid INT field and initial value is NULL
I set up the Advanced Security - User ID correctly for the table and re-generated all

but even with normal user logged in, I can see the records after enabling User ID Security
I thought with NULL, users can't see any record
I set security_uid = 1 and still all records are viewable

what else do I need to do?


mobhar
User
Posts: 11660

Post by mobhar »

Have you followed this tutorial?


konfuzion
User
Posts: 378

Post by konfuzion »

Figured it out, the account logged in was also admin of the table in userpriv page
so that means table admin overrides user id security
after disabling table admin and relogin, the records disappeared as expected


konfuzion
User
Posts: 378

Post by konfuzion »

employee_id INT worked fine for 1 employee

I changed employee_id to VARCHAR and entered "3, 4"
only employee_id 3 can view the record
employee_id 4 cannot view the record

The situation is admin needs to create a document and assign different users to access view/edit this document. I was planning to create a multi-select of userlist. But it seems employee_id to VARCHAR multi user access is not supported.

Is there a way to do this using custom server events?


konfuzion
User
Posts: 378

Post by konfuzion »

I'll try the UserID_Loading method and see if it's useable. At least this method can assign to one parent and then let multiple-children access the document.

But this userid_loading method will make my USERS table weird

Say I have PROJECT1 with Amy, Bob, Eliza assigned to it and don't want all children to have access to it.

So then I will have to create a user named PROJECT1, and then Amy, Bob, Eliza reports_to PROJECT1
Then admin will create the record and assign it to PROJECT1

Then users will use the userid_loading method to become parentID
then Amy, Bob, Eliza will have access to PROJECT1 records.

That means the Users table has become like a Group permissions table if I choose to use it this way


konfuzion
User
Posts: 378

Post by konfuzion »

Using Demo2023
nancy = EmployeeID 1
janet = EmployeeID 3

  • Login as nancy and janet in demo2023 on orders table

  • open phpmyadmin, change orders table/EmployeeID field to varchar

  • login as nancy

  • go to orders table

  • all records will display Employee ID column with "Davolio, Nancy"

  • first record is Order ID 11077

  • go to phpmyadmin and edit Order ID 11077 and change employee from 1 to 1,3

  • logout

  • login as nancy, go to orders table

  • you will see Order ID 11077 button dropdown disappears and no view/copy/master/detail dropdown button

  • other orders are normal, have dropdown button with view/add/master/detail

  • Employee ID field shows 1,3 (before showed "Davolio, Nancy")
    (at least nancy can still see Order ID 11077)

  • logout

  • login as janet

  • go to orders table

  • all records will display Employee ID column with "Leverling, Janet"

  • Cannot find Order ID 11077 with Employee_ID "1,3"


arbei
User
Posts: 9286

Post by arbei »

konfuzion wrote:

  • go to phpmyadmin and edit Order ID 11077 and change employee from 1 to 1,3

That won't work. Multiple User ID is for the Parent User ID Field of the user table only.


mobhar
User
Posts: 11660

Post by mobhar »

You may use Recordset_Selecting server event for such case.


bkonia
User
Posts: 141

Post by bkonia »

I need to allow multiple users in the User ID field for a table. I realize PHPMaker doesn't support this, but I worked around it by modifying the filter in UserID_Filtering:

$filter = "FIND_IN_SET(id, '$facility_ids')";

However, I believe that modifying the filter only affects the List view. I'm pretty sure this won't allow multiple users to edit a record. Is there a more elegant way to allow multiple users permissions on a record? For example, a security function that you could call in TablePermissions_Loaded, to which you could pass an array of record IDs that the current user should have access to in the current table.


arbei
User
Posts: 9286

Post by arbei »

To have many-to-many relationships, you may use an intermediate table mapping your records and user ID. You may google "intermediate table" for more info.


bkonia
User
Posts: 141

Post by bkonia »

I know how intermediate tables work, and I use them all the time. However, I don't understand how I can apply this to User ID security in PHPMaker. I have a field user_ids which contains a comma separated list of user IDs who should have access to records within the table. For example, is there a function I can call from TablePermission_Loaded to pass a list of record IDs that the current user should have access to?

As I mentioned, I'm able to make this work on the list page by modifying the filter, in UserID_Filtering, but I'm pretty sure that won't work on the edit page? Or will it? How does PHPMaker determine whether the current user has permissions to edit a record?


arbei
User
Posts: 9286

Post by arbei »

You may create a view from the table and the intermediate table so that each record in the view has only one User ID, then you may apply the User ID Security to the view as usual.

TablePermission_Loaded server event is for User Level Security which is table level, not record level.
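
Added example (not part of the thread and not PHPMaker's own code): the view-over-intermediate-table approach from the reply above, sketched for MySQL. The names documents, document_users and documents_by_user and the sample rows are assumptions made for illustration.

```sql
-- Hypothetical schema; none of these names come from the thread or PHPMaker.
CREATE TABLE documents (
    id    INT AUTO_INCREMENT PRIMARY KEY,
    title VARCHAR(200) NOT NULL
);

-- Intermediate (junction) table: one row per (document, user) grant.
-- Replaces a comma-separated "1,3" value in a VARCHAR column.
CREATE TABLE document_users (
    document_id INT NOT NULL,
    user_id     INT NOT NULL,
    PRIMARY KEY (document_id, user_id),
    FOREIGN KEY (document_id) REFERENCES documents (id) ON DELETE CASCADE
);

-- Constructed sample data: document 1 is shared by users 1 and 3,
-- document 2 belongs to user 1 only.
INSERT INTO documents (id, title)
VALUES (1, 'PROJECT1 plan'), (2, 'Private note');

INSERT INTO document_users (document_id, user_id)
VALUES (1, 1), (1, 3), (2, 1);

-- The view exposes exactly one integer user ID per row, so a plain
-- equality filter on user_id is enough to scope records to one user.
CREATE VIEW documents_by_user AS
SELECT d.id, d.title, du.user_id
FROM documents AS d
JOIN document_users AS du ON du.document_id = d.id;

-- Rows visible when the record filter is "user_id = 3".
SELECT id, title FROM documents_by_user WHERE user_id = 3;

-- Rows visible when the record filter is "user_id = 1".
SELECT id, title FROM documents_by_user WHERE user_id = 1;

-- Revoking access is a delete on the junction table; the document
-- itself and the other users' grants are untouched.
DELETE FROM document_users WHERE document_id = 1 AND user_id = 3;
```

In MySQL an inner-join view like this accepts UPDATE on columns of one underlying table at a time but not DELETE, so grants and record removal are managed through the base tables.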

