
orders & orderdetails linked by orderID with username security

3/15/2007 7:02:55 PM
PHPRunner General questions
dlpirl author

Please help me understand how to use username security so only users creating an order can see and edit their own order. Obviously the orders table must be the master table of Orderdetails linked by orderID. However, what happens is that the username is not populated when entries are made in the orderdetails table, so username security does not work. How can I accomplish this so that security will be applied correctly?

Jane 3/16/2007

Hi,
You need to check off the "Users can see and edit their own records only" security option and select the OwnerID field in both the "Main Table: ownerID field" and "Users Table: OwnerID field" dropdown boxes on the Advanced security settings dialog on the Security tab.
To fill the OwnerID field you can use the Before record added event on the Events tab. Here is a sample:

$values["OwnerIDField"]= $_SESSION["OwnerID"];

dlpirl author 3/16/2007

Hi,

You need to check off the "Users can see and edit their own records only" security option and select the OwnerID field in both the "Main Table: ownerID field" and "Users Table: OwnerID field" dropdown boxes on the Advanced security settings dialog on the Security tab.
To fill the OwnerID field you can use the Before record added event on the Events tab. Here is a sample:


Thanks. I had done the former, but not the latter. It now appears to be working OK for end users in the 'wholesale' group, but now I have another issue...
I want users in the 'sales' group -- not just those using the admin account -- to be able to edit items in orders and orderdetails. Their username could be placed in another field 'editby', but the ownerID field should remain unchanged so that the creator of the record still has access. Is this possible?

Jane 3/19/2007

Hi,
as I understand you need to use two fields as OwnerID: OwnerIDField and editby fields.

You can do the following:

  • save value of editby field in the $_SESSION variable in the Before record updated event on the Events tab
  • build your project
  • open generated include/commonfunctions.php file, locate SecuritySQL function, find this code snippet:
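    if($strTableName=="TableName")
    {
    $ret=GetFullFieldName(GetTableOwnerID())."=".make_db_value(GetTableOwnerID(),$ownerid);
    }

    and replace it with this one:

    // Match the record owner or the user stored in editby. The editby value is
    // quoted with make_db_value, like the owner ID, and the OR is parenthesised.
    if($strTableName=="TableName")
    {
    $ret="(".GetFullFieldName(GetTableOwnerID())."=".make_db_value(GetTableOwnerID(),$ownerid)." or editby=".make_db_value("editby",$_SESSION["editby"]).")";
    }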

dlpirl author 3/20/2007

Hi,

as I understand you need to use two fields as OwnerID: OwnerIDField and editby fields.


Thanks, Jane. I did that and it appears to work, for any single username I place in the editby field, but this is not really quite what I was after. I want to be able to have any user who is a member of the 'sales' group to edit specified tables such as orders, orderdetails, customers, etc.
Is there a way to do this?

dlpirl author 3/23/2007

I want to be able to have any user who is a member of the 'sales' group to edit specified tables such as orders, orderdetails, customers, etc.

Is there a way to do this?



I am unable to create a global variable to contain the reference to the group, so that I can check security against it. I can get the group into a local variable in the 'After successful login' event (and echo it to verify), but after that I am not able to access the variable. I have tried various approaches including the method stated at http://expressionengine.com/knowledge_base..._php_variables/ as well as using $GLOBALS["x"] and $_SESSIONS["x"], but nothing that I have tried works. As the article at expressionengine.com states, I think the problem may have to do with PHP being used within a template and being processed by the PHP function eval() so that all variables are local.
Can you please give me some guidance here?

Jane 3/23/2007

Donald,
you can save the value of OwnerID to the $_SESSION["aaa"] variable in the AfterSuccessfulLogin event on the Events tab and then use it in the include/commonfunctions.php file.
If you have difficulties with it you can publish your project on Demo Account and post me a URL to your pages and I'll try to help you.
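
An added example, not part of the original posts and not PHPRunner's generated code: the row filter discussed in this thread (owner or editby match, plus group-wide access for the 'sales' group read from the session) written with bound parameters and explicit parentheses. The column names, session keys and the PDO/SQLite setup are assumptions for illustration.

```php
<?php
// Added example; not PHPRunner-generated code. Column names and session keys
// (ownerid, editby, OwnerID, GroupID) are assumptions based on the thread.

// Return [sqlFragment, params]: a parenthesised filter with bound values.
function rowFilter(array $session): array
{
    if (($session['GroupID'] ?? '') === 'sales') {
        return ['(1=1)', []];                 // whole group may see every row
    }
    if (($session['OwnerID'] ?? '') === '') {
        return ['(1=0)', []];                 // no identity in session: no rows
    }
    $sql = 'ownerid = :owner';
    $params = [':owner' => $session['OwnerID']];
    if (($session['editby'] ?? '') !== '') {  // optional second "owner" field
        $sql .= ' OR editby = :editor';
        $params[':editor'] = $session['editby'];
    }
    return ["($sql)", $params];               // parentheses keep the OR contained
}

function visibleOrders(PDO $db, array $session): array
{
    [$filter, $params] = rowFilter($session);
    // The filter is ANDed with another condition, as a list page would do.
    $stmt = $db->prepare("SELECT orderID FROM orders WHERE total > 0 AND $filter ORDER BY orderID");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data (in-memory SQLite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (orderID INTEGER, ownerid TEXT, editby TEXT, total REAL)');
$db->exec("INSERT INTO orders VALUES (1,'alice','',10), (2,'bob','carol',20), (3,'bob','',0)");

$cases = [
    'owner'        => ['OwnerID' => 'alice', 'GroupID' => 'wholesale'],
    'editor'       => ['OwnerID' => 'carol', 'GroupID' => 'wholesale', 'editby' => 'carol'],
    'sales group'  => ['OwnerID' => 'dave',  'GroupID' => 'sales'],
    // Constructed value containing quotes; bound as data, it matches no row.
    'quoted value' => ['OwnerID' => 'zed',   'GroupID' => 'wholesale', 'editby' => "x' OR '1'='1"],
];
foreach ($cases as $label => $session) {
    echo $label, ': ', json_encode(visibleOrders($db, $session)), "\n";
}
```

Without the parentheses, the OR branch would escape the `total > 0 AND` condition and return rows the page meant to exclude.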

dlpirl author 3/23/2007

you can save value of OwnerID to $_SESSION["aaa"] variable in the AfterSuccessfulLogin event on the Events tab and then use it in the include/commonfunctions.php file.



Thanks, Jane. I was trying to use $_SESSION["aaa"] in other places than as input to a common function, such as writing the contents of the variable out next to the login ID on the menu page. Is that not possible?

Jane 3/26/2007

Donald,
to print your $_SESSION["aaa"] variable on the menu page with LoginID open menu.php file, find this line:

$smarty->assign("username",$_SESSION["UserID"]);



and replace it with this one:

$smarty->assign("username",$_SESSION["UserID"].", ".$_SESSION["aaa"]);

dlpirl author 3/26/2007

to print your $_SESSION["aaa"] variable on the menu page with LoginID open menu.php file, find this line:

and replace it with this one:



Thanks, Jane. It worked. Is there a way I can show the GroupID next to UserID on all pages without having to edit each one manually?

Jane 3/27/2007

To show the GroupID next to UserID on all pages open C:/Program Files/PHPRunner3.2/source/list.php, find and modify the following code snippet:

##if @BUILDER.bCreateLoginPage##
$smarty->assign("userid",htmlspecialchars($_SESSION["UserID"]));
##endif##



Then rebuild your pages.