
Filter access for users

2/14/2009 4:01:51 PM
PHPRunner General questions
sandrotab author

Please help me with a problem that I cannot resolve.
I have users who, when they log in, should be able to see data based on the selection criteria, the filter area.
For example, I have 3 tables:

tab_utenti(Master table) fields: id, user, password, active

Abilitaz_filtro (detail table) fields: id, user, codice_zona

tab_Clienti fields: id, name, codice_zona
The user1 that has enabled zones 1,2,3,4,5 must see only the tab_Clienti customers with codice_zona = 1,2,3,4,5
The user2 that has enabled zones 2 and 4 should see only the tab_Clienti customers with codice_zona = 2 and 4
I tried to find the solution in "security"

Advanced security settings, I set "User can see and edit their own data only"

Users Table: (tab_utenti) codice_zona

Main Table: OwnerID feels (Clients) Codice_zona
I tried also in User Group Permissions

Static and Dynamic permissions permission
But these solutions do not provide a 1 to "N" type of association.
How do I fix this? Can you kindly help me?

Jane 2/16/2009

Hi,
Unfortunately PHPRunner does not support multiple OwnerID values.

You need to implement it manually using the Before SQL query event on the Events tab.
To add a where clause to the main SQL query, use the whereAdd function. Here is a sample:

$strWhereClause = whereAdd($strWhereClause,"FieldName=1 or FieldName='2' or FieldName='3'");

sandrotab author 2/17/2009

Thanks Jane,

but will it be possible to handle this situation in the future?
Or, to be able to manage this problem, can I edit the file login.php?
//-----------------------------------------------------------------
$rs=db_query($strSQL,$conn);
$data=db_fetch_array($rs);
if($data && @$data[$cUserNameField]==$sUsername && @$data[$cPasswordField]==$sPassword)
{
    $_SESSION["UserID"] = $pUsername;
    $_SESSION["AccessLevel"] = ACCESS_LEVEL_USER;
    $_SESSION["GroupID"] = $data["Utente"];
    if($_SESSION["GroupID"]=="admin")
        $_SESSION["AccessLevel"] = ACCESS_LEVEL_ADMINGROUP;
    $_SESSION["OwnerID"] =$data["Codice_Filtro"];
    $_SESSION["_clienti_OwnerID"] = $data["Codice_Filtro"];
    $_SESSION["_contatti_OwnerID"] = $data["Codice_Filtro"];
//-----------------------------------------------------------------
instead of using the string = $data["Codice_Filtro"];

in your opinion, can I use the command: IN SELECT
If this is possible, can you give me an example?
If the problem is not very clear, I can send you a PHPRunner5 example including a small MySQL database.
Thanks for your valuable cooperation and quick ...

Jane 2/18/2009

Hi,
To change the where clause, check the SecuritySQL function in the generated include/commonfunctions.php file.

sandrotab author 2/20/2009

Hello Jane,

I found the string of code, which I carry over below, but can you suggest how to change it, or give an example of how the user can get access using a subselect from another table, of the type IN (SELECT ZONE FROM TableName WHERE .. ..), if he is not an administrator?
Thanks as always for your help.
//--------------------------------------------------------------------------
// add security WHERE clause to SELECT SQL command
function SecuritySQL($strAction)
{
    global $cAdvSecurityMethod,$strTableName;
    $ownerid=@$_SESSION["_".$strTableName."_OwnerID"];
    $ret="";
    if(@$_SESSION["AccessLevel"]==ACCESS_LEVEL_ADMIN)
        return "";
    $ret="";
    $strPerm = GetUserPermissions();
    if(strpos($strPerm,"M")===false)
    {
        if($strTableName=="cde")
        {
            $ret=GetFullFieldName(GetTableOwnerID())."=".make_db_value(GetTableOwnerID(),$ownerid);
        }
        if($strTableName=="clienti")
        {
            $ret=GetFullFieldName(GetTableOwnerID())."=".make_db_value(GetTableOwnerID(),$ownerid);
        }
//--------------------------------------------------------------------------

Jane 2/20/2009

Hi,
Here is a sample:

$ret=GetFullFieldName(GetTableOwnerID())." in (".make_db_value(GetTableOwnerID(),$ownerid).")";

sandrotab author 2/22/2009

Thanks Jane,

the method seems to work, but how can I apply it only to non-Admin users and not to the Admin?
Furthermore, could I use IN (SELECT ...)?

Example:

$ret=GetFullFieldName(GetTableOwnerID())." in ("select Zona from `abilitaz_filtro` where Codice='".db_addslashes($_SESSION["UserID"])."'";
But the system reports a syntax error.

sandrotab author 3/1/2009



Hi Jane,

I understood that, to solve the problem, I should implement it manually, as you suggested, using the Before SQL query event on the Events tab.
Please help me correct the following code:
global $conn;
$query = "SELECT Zona FROM Abilitaz_filtro WHERE utente='".$_SESSION["UserID"]."'";
$res = db_query($query, $conn);
$row = db_fetch_numarray($res);
$strWhereClause = "Zona=$query";
I have a table "Customers", and I want every user who logs on to see only his own customers in this table, namely those of his own zone.

This information is provided in the table "Abilitaz_Filtro":

id  utente  zona
1   Rossi   10
2   Rossi   13
3   Rossi   18
4   Pluto   10
5   Mario   13
6   Mario   20

At this point I would like each user to see only the customers of their areas, as per the table above.
If you need you send the application to see if you can resolve this issue.
Thank you very much as always for your valuable help, I hope you can resolve this issue

Jane 3/2/2009

Hi,
see my changes below:

$strwhere = "";
global $conn;
// escape the session value before it goes into the query text
$query = "SELECT Zona FROM Abilitaz_filtro WHERE utente='".db_addslashes($_SESSION["UserID"])."'";
$res = db_query($query, $conn);
// db_fetch_array returns rows keyed by column name, which $row["Zona"] needs
while ($row = db_fetch_array($res))
    $strwhere.=$row["Zona"],",";
$strwhere = substr($strwhere,0,-1);
$strWhereClause = whereAdd($strWhereClause,"Zona in (".$strwhere.")");

sandrotab author 3/2/2009

Hi Jane,

Unfortunately the system gives me a syntax error on the following line:

$strwhere.=$row["Zona"],",";
Can you help me solve it?

alang 3/2/2009

Try $strwhere.=$row["Zona"].",";
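
The zone filter this thread arrives at, as an added example that is not part of the original posts and not PHPRunner's generated code. The helpers zoneWhere and zonesForUser are hypothetical names, the sample rows are constructed from the table posted above, and zone codes are assumed to be integers. It shows the two cases the thread's snippet does not cover: a user with no enabled zone, and values that are not plain numbers.

```php
<?php
// Added example: zone filter for the Before SQL query event discussed above.
// Assumption: zone codes are integers, as in the thread's sample table.

// Constructed sample rows mirroring Abilitaz_filtro (utente, Zona).
$sampleRows = [
    ['utente' => 'Rossi', 'Zona' => '10'], ['utente' => 'Rossi', 'Zona' => '13'],
    ['utente' => 'Rossi', 'Zona' => '18'], ['utente' => 'Pluto', 'Zona' => '10'],
    ['utente' => 'Mario', 'Zona' => '13'], ['utente' => 'Mario', 'Zona' => '20'],
];

// Hypothetical helper: turn fetched zone values into a WHERE fragment.
function zoneWhere($field, array $zones)
{
    $ids = [];
    foreach ($zones as $z) {
        // Only whole numbers reach the SQL text; anything else is dropped.
        if (is_int($z) || (is_string($z) && ctype_digit($z))) {
            $ids[(int)$z] = (int)$z; // keyed by value, so duplicates collapse
        }
    }
    // No enabled zone: match nothing. "IN ()" is a syntax error, and
    // skipping the filter would expose every customer.
    return $ids ? $field . ' IN (' . implode(',', $ids) . ')' : '1=0';
}

// Stand-in for the db_query/db_fetch_array loop, so this runs without PHPRunner.
function zonesForUser(array $rows, $user)
{
    $zones = [];
    foreach ($rows as $row) {
        if ($row['utente'] === $user) {
            $zones[] = $row['Zona'];
        }
    }
    return $zones;
}

foreach (['Rossi', 'Pluto', 'Mario', 'nobody'] as $user) {
    echo $user, ': ', zoneWhere('Zona', zonesForUser($sampleRows, $user)), "\n";
}

// In the event itself, using the functions that appear in the thread:
//   $rs = db_query("SELECT Zona FROM Abilitaz_filtro WHERE utente='"
//       . db_addslashes($_SESSION["UserID"]) . "'", $conn);
//   $zones = []; while ($row = db_fetch_array($rs)) $zones[] = $row["Zona"];
//   if (@$_SESSION["AccessLevel"] != ACCESS_LEVEL_ADMIN)
//       $strWhereClause = whereAdd($strWhereClause, zoneWhere("Zona", $zones));
```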