I hope I can explain this well enough to get an answer. I'm going to make up a simple scenario that matches my project (which is much more complex).
Let's say we have a database that has these tables in it.
tbl_users
tbl_users2clients
tbl_client
tbl_software
tbl_hardware
I have used the tbl_users2clients to establish which clients belong to which user. Since there is overlap (some users have all clients, some clients have several users) I am using a many 2 many setup.
When a user views the tbl_client he should only see the clients he has access to. I setup a custom view in the database to join users/clients so I can display only those where the userID matches the logged in user.
The software and hardware tables are used to show which software/hardware each client has.
These are linked together in the table layout screen as a parent / child relationship.
Let's say user (Joe) logs in and clicks the client tab - he sees the clients he is assigned to and there is the child link that shows how many hardware/software each client has. He can click that and see the software for THAT client. I set security permissions so Joe has access to the tbl_software list and the tbl_hardware list.
the URL when he is looking at the software might look like this - software_list.php?mastertable=my_clients_list&masterkey=15
======== HERE IS MY QUESTION ==============
since I gave Joe permission to look at the software table he can actually manipulate that URL and change it from...
software_list.php?mastertable=my_clients_list&masterkey=15
TO
software_list.php
which gives his a view of software for ALL CLIENTS (even though I don't want him seeing clients he is not assigned to)
So, it looks like I am going to have to do a LOT of custom views to include the user ID in all these list pages so I can restrict the users from seeing stuff they should not.
Does this make sense?