Need Example Showing Prevention of Privilege Escalation

luckily909 (Posts: 4, Questions: 1, Answers: 0)

Hi
I am referring to this page:
https://editor.datatables.net/manual/security
where the example given is:
Editor::inst( $db, 'staff' )
    ->fields(
        Field::inst( 'name' )
            ->set( $_SESSION['access']['editing'] ),
        Field::inst( 'location' )
            ->set( $_SESSION['access']['editing'] ),
        Field::inst( 'salary' )
            ->get( $_SESSION['access']['admin'] )
            ->set( $_SESSION['access']['admin'] )
    );

For trying this feature, I have set the following session variables at the page where my user logs in:
// Set at login: authLevel 2 gets both flags, authLevel 1 gets neither
if ( $row['authLevel'] == 2 ) {
    $_SESSION['access']['admin']   = 1;
    $_SESSION['access']['editing'] = 1;
}
elseif ( $row['authLevel'] == 1 ) {
    $_SESSION['access']['admin']   = 0;
    $_SESSION['access']['editing'] = 0;
}

and then have tried instantiating the fields exactly as you have given above. The problem is that when I log in with a user given an authLevel of 1, he is still able to edit the data in the fields.

Please tell me how to implement this column access privilege feature with a more detailed example than given in the documentation. Additionally, it would also be great if there was an inbuilt way in editor/datatables to restrict the rows that would be displayed based on a user's access privilege.
Thanks!

Answers

  • allan (Posts: 61,831, Questions: 1, Answers: 10,133), Site admin
    edited March 2016

    There isn't an Editor example showing how to handle sessions as such since there are so many different ways of doing sessions. It is not an area I want to take Editor into.

    Having said that it absolutely should provide the hooks required to integrate it with session management software, and the Field::set() method is the place to start, as you have done.

    You need to pass in a boolean value rather than an integer though. This should do it:

    ->set( $_SESSION['access']['editing'] === 1 )
    

    Should the user then manage to submit data for editing it would be rejected (or rather simply wouldn't be written). Of course the UI should not make it possible for the user to submit edited data at that point though.

    Additionally, it would also be great if there was an inbuilt way in editor/datatables to restrict the rows that would be displayed based on a user's access privilege.

    Sounds like you want to use a where condition.

    Regards,
    Allan

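The following is an added example, not code from the original thread or from the DataTables project, putting the two points above together in one complete Editor server script: the session flags are converted to real booleans before they reach Field::get() / Field::set(), and a where() condition restricts the rows a non-admin can read or edit. It assumes the session layout the question uses ($_SESSION['access']['admin'] and ['editing'] holding 0 or 1), a $_SESSION['dept'] value set at login, and a 'dept' column on the 'staff' table; those last two are assumptions for illustration. The "lib/DataTables.php" include and the $db it defines are the standard Editor bootstrap.

```php
<?php
// Added example, not from the original thread or the DataTables project.
// Assumes: $_SESSION['access']['admin'|'editing'] in {0,1} set at login,
// $_SESSION['dept'] set at login, and a 'dept' column on 'staff'
// (the dept column and session key are assumptions for illustration).
session_start();

include( "lib/DataTables.php" );

use
    DataTables\Editor,
    DataTables\Editor\Field;

// Refuse to process anything for a request with no established session.
// The UI hiding the edit buttons is not a control; this check is.
if ( ! isset( $_SESSION['access'] ) ) {
    http_response_code( 403 );
    echo json_encode( array( 'error' => 'Not authenticated' ) );
    exit;
}

// Convert the 0/1 integers stored at login into booleans. Field::set() and
// Field::get() expect a boolean; passing the integer 1 or 0 is what left
// authLevel 1 users able to write in the question above.
$canEdit = isset( $_SESSION['access']['editing'] )
    && $_SESSION['access']['editing'] === 1;
$isAdmin = isset( $_SESSION['access']['admin'] )
    && $_SESSION['access']['admin'] === 1;

$editor = Editor::inst( $db, 'staff' )
    ->fields(
        Field::inst( 'name' )
            ->set( $canEdit ),          // false: submitted value is not written
        Field::inst( 'location' )
            ->set( $canEdit ),
        Field::inst( 'salary' )
            ->get( $isAdmin )           // false: column never leaves the server
            ->set( $isAdmin )           // false: submitted value is discarded
    );

// Row-level restriction. Non-admins only see, edit or delete rows whose
// dept matches their own, because the condition is applied to every
// SELECT/UPDATE/DELETE Editor issues. whereSet(true) also copies the
// condition value into rows they create, so a user cannot insert a row
// into another department by posting a different dept value.
if ( ! $isAdmin ) {
    $editor
        ->where( 'dept', $_SESSION['dept'] )
        ->whereSet( true );
}

$editor
    ->process( $_POST )
    ->json();
```

With this in place, an authLevel 1 user who bypasses the UI and posts an edit request gets a response in which name, location and salary are unchanged, and salary is absent from the data returned to them; the client-side Editor configuration should still omit the edit controls and the salary column for that user, but only the server-side flags and the where condition actually enforce the policy.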

  • luckily909 (Posts: 4, Questions: 1, Answers: 0)

    Thanks for your prompt reply! I have just started using DataTables for a personal project and I am a JavaScript noob. I am searching around the website for examples of where condition implementations, and hopefully will be able to implement this soon. Thanks once again!
