2. ASPRunnerPro General questions
  3. Row Level Permissions
This topic is locked

Row Level Permissions

 		11/2/2009 8:25:29 AM
ASPRunnerPro General questions
M
 mccreelake author

Hi I am pulling this post over from the PHPRunner Forum. posted by accident...



Advanced Member
Group:

Members Posts:

37 Joined:

11-April 08 Posted 31 October 2009 - 11:48 AM
Hi,
I use BEFORE SQL QUERY events to add where clauses to SQL statements in ASPRunner in order to implement row level security based on users who are logged in.
Everything works fine, but I just noticed an issue that I didn't realize before.
Let's say I have a list page that has a before sql query event. It works great filtering based on user. On that page, each record has a link to another list page for sub-records (via ASPRunner page joining).
The user clicks the link to go to the sub-list page. In the URL, there is a query string with the primary key value from the master table. Despite the fact that the Before SQL Query event is imposed on the master list page, the user can go up and change that value and the master table values will display if they pick a primary key value that exists even if it was not in the data set limited with the strWhereClause. On this sub-list page I have strWhereClause imposed as well, so if they change it to a data set on which they don't have permissions, no records display, but if they click the add button from the sub-list page they can add records using the value in the query string.
Is there a possible work-around for this? I hope what I am saying makes sense. Thanks.


Jane's reply was:

Hi,

you can select all allowed master ids for current user and add another where clause on the detail list page.

Here is just a sample:
master_ids = "1,2,3"strWhereClause = whereAdd(strWhereClause,"FieldName in (" & master_ids & ")")
Also I recommend you to post ASPRunnerPro questions on the ASPRunnerPro forum:

http://www.asprunner...eral-questions/

M
 		mccreelake author 11/2/2009

Thanks for the help Jane. I am already using additional whereadd's on the details pages; however, that is still allowing for users to change the master table primary key value. While no records show up on the detail page when they do this, users can still change the value and hit the add button and add detail records to that master record even if they don't have permissions.
What I noticed after some testing is that the where clause used in the BeforeSQL event on the master page does not apply to the master table that shows on top of the detail page. Is there an easy way to apply the master table sql where clause to the master table record info on the details page?
At this point, I have written some code for the BeforeDisplay event on all the add pages from detail list pages that makes sure the user has permissions on that ID.



'Checks for permissions on foreign key field(s).

SQL_Check = "SELECT COUNT(*) FROM MassCommunications_Permissions WHERE MassCommunications_MassCommunicationID = " & Session(strTableName & "_masterkey1")

SQL_Check = SQL_Check & " AND Clients_ClientID = " & Session("ClientID")

Set RS_Check = CreateObject("ADODB.RecordSet")

RS_Check.Open SQL_Check, dbConnection
If RS_Check(0) <= 0 Then

RS_Check.Close : Set RS_Check = Nothing

Session.Abandon

Response.Redirect("/portal")

End If


If I have to use this, it will be fine; it is just time consuming b/c each page has to be tweaked depending on the permissions tables that are used.
Let me know what you think.
Thanks!
Thanks,
McCree
J
 		Jane 11/2/2009

Hi,
unfortunately Before SQL query event doesn't work for master preview.

You need to check permissions in the Before display orBefore process event for detail table.