[SOLVED] Looking for better user view control

12/22/2011 9:01:50 AM
PHPRunner General questions
crhys author

Hi,
This query may have been answered before but I cannot find the answer. I am looking for a better way to stop users seeing records that are not applicable to them.
My application has an Admin and a User level: users can only view and edit records relating to their own account, and Admins can view & edit all records (sounds easy, but I am having some issues).
I have installed this application on 3 subdomains and recently one of the installations is giving me problems: when an Admin tries to create a user account, their own UserID is overwriting the new user's UserID, and so I get the PHP 256 error, Duplicate entry for key 1.
I am using the Advanced Security option "Users can see and edit their own data only", which is required to stop users seeing each other's records. Is there a better way to do this?
Could I create an event to only list records relating to the logged-in user, unless they are an admin, in which case they can see all records?
Any help appreciated :)
And happy xmas to you all :-D

chuckbower 12/22/2011

You can add code to the "Before SQL Query" event on all the appropriate pages (List, View, Edit, Export, etc):
Example:

$strWhereClause = whereAdd($strWhereClause , "(Table.useriid = '" . $_SESSION["useriid"] . "' ");
This assumes you have the user's internal ID or user id value in each table (which you should) and at the Login Page event "After successful login" you also store such value in a session variable such as "useriid" above.
Example:

$_SESSION["useriid"] = $data["useriid"];
(where useriid is the internal ID or user id value from your user-login table)
Does this make sense?


crhys author 12/22/2011

Hi Chuck,
That makes sense, I have just switched off the Advanced Security option for "Users can only view and edit their own data" and the Admin can add new users without that silly error.
There is a little issue with the formatting of the example you gave, it creates a PHP error :(
Event Code: $strWhereClause = whereAdd($strWhereClause , "(UserData.UserName = '" . $_SESSION["useriid"] . "' ");
Error Message: select count(*) FROM UserData where (UserData.UserName = ''

crhys author 12/22/2011

Hi Again,
Just fixed the code and it works :)
Only little issue now is that the admin can only see his/her record as well... hmmmm
Code: $strWhereClause = whereAdd($strWhereClause,"UserData.UserName ='".$_SESSION["UserID"]."'");

crhys author 12/22/2011

I found a fix, it's not perfect but I will work on it.
Code:
// Skip the per-user filter when the logged-in user is the admin account
if ($_SESSION["UserID"] <> "AdminsLoginID") {
    $strWhereClause = whereAdd($strWhereClause, "UserData.UserName ='" . $_SESSION["UserID"] . "'");
}

chuckbower 12/22/2011

Chrys,
You can make the expression as complex as you would like. Example:
$strWhereClause = whereAdd($strWhereClause, "UserData.UserName ='" . $_SESSION["UserID"] . "' OR '" . $_SESSION["eugroup"] . "' = 'admin' ");
In this example, column eugroup is the group from your user login table. In the After Login Successful event, also put that into a session variable. I think I have the syntax correct in this. Just make sure you use the "whereAdd". I have forgotten and directly modified the Where string, and that will give you unsatisfactory results most of the time.
If you upload and test, just don't forget to log out of your app, then log back in, so the session variables get set from within the After Login Successful event. :-) I can't tell you how many times I have not done so when using something from that event, then kicked myself when I finally realized my mistake.
Chuck
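The admin-or-own-rows filter from Chuck's reply, written as an added example (not code from this thread or from PHPRunner itself) that also checks the session value before embedding it in the SQL string and shows nothing when the session is missing or the value looks wrong. It assumes the "After successful login" event has stored UserID and eugroup in the session as described above; the fallback whereAdd() at the top is an assumed stand-in so the file runs outside PHPRunner.

```php
<?php
// Stand-in for PHPRunner's whereAdd(), only so this file runs on its own.
// Inside a PHPRunner event the real helper is already defined.
if (!function_exists('whereAdd')) {
    function whereAdd(string $where, string $add): string
    {
        return $where === "" ? $add : "(" . $where . ") AND (" . $add . ")";
    }
}

// Build the extra WHERE fragment for the current session.
// Returns "" for admins (no restriction), "1=0" (no rows) when the session
// is missing or the user id is not a plain login name, otherwise the
// own-rows condition for the given column.
function ownRowsFilter(array $session, string $column = "UserData.UserName"): string
{
    if (!isset($session["UserID"]) || $session["UserID"] === "") {
        return "1=0";                        // not logged in: fail closed
    }
    if (isset($session["eugroup"]) && $session["eugroup"] === "admin") {
        return "";                           // admin group: see everything
    }
    // Whitelist the login name instead of quoting arbitrary text into SQL:
    // anything outside this character set is rejected rather than escaped.
    if (!preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $session["UserID"])) {
        return "1=0";
    }
    return $column . " = '" . $session["UserID"] . "'";
}

// Body of the "Before SQL Query" event (List, View, Edit, Export pages).
// $strWhereClause is the variable PHPRunner passes into that event.
function applyOwnRowsFilter(string $strWhereClause, array $session): string
{
    $filter = ownRowsFilter($session);
    return $filter === "" ? $strWhereClause : whereAdd($strWhereClause, $filter);
}

// Constructed sample sessions to show the three outcomes.
$admin  = ["UserID" => "alice", "eugroup" => "admin"];
$user   = ["UserID" => "bob",   "eugroup" => "user"];
$broken = ["UserID" => "x' OR 1=1 -- ", "eugroup" => "user"];
echo applyOwnRowsFilter("", $admin), "\n";   // (empty: no restriction)
echo applyOwnRowsFilter("", $user), "\n";    // UserData.UserName = 'bob'
echo applyOwnRowsFilter("", $broken), "\n";  // 1=0
```

Because the admin decision comes from the stored group rather than a hard-coded login name, there is no admin ID to keep in sync across the three installations, and the filter never runs on a user id the login step did not produce.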
