Filter not posted while uploading file

nessinits Posts: 86 Questions: 27 Answers: 0

Hi,

I'm trying to filter the results on my table on a specific id (foreign_id), so I only return the child records that are related to a specific parent record (1-on-n relation in a parent-child solution).

```php
// DataTables PHP library
include( "lib/DataTables.php" );

// Alias Editor classes so they are easy to use
use
    DataTables\Editor,
    DataTables\Editor\Field,
    DataTables\Editor\Format,
    DataTables\Editor\Mjoin,
    DataTables\Editor\Options,
    DataTables\Editor\Upload,
    DataTables\Editor\Validate;

// Build our Editor instance and process the data coming from _POST
Editor::inst( $db, 'document' )
    ->fields(
        Field::inst( 'foreign_id' ),
        Field::inst( 'description' ),
        Field::inst( 'type_id' ),
        Field::inst( 'publishdate' ),
        Field::inst( 'active' ),
        Field::inst( 'uuid' )
            ->setFormatter( 'Format::ifEmpty', null )
            ->upload( Upload::inst( $_SERVER['DOCUMENT_ROOT'].'/site/workload/documents/n__ID__.__EXTN__' )
                ->db( 'files', 'id', array(
                    'filename'    => Upload::DB_FILE_NAME,
                    'filesize'    => Upload::DB_FILE_SIZE,
                    'web_path'    => Upload::DB_WEB_PATH,
                    'system_path' => Upload::DB_SYSTEM_PATH
                ) )
                ->validator( function ( $file ) {
                    // Reject anything of 500 KB or more
                    return $file['size'] >= 500000 ?
                        "Files must be smaller than 500K" :
                        null;
                } )
                ->allowedExtensions( array( 'png', 'jpg', 'gif' ), "Please upload an image" )
            )
    )
    // Only return the child records belonging to the posted parent id
    ->where( 'foreign_id', $_POST['foreign_id'] )
    ->process( $_POST )
    ->json();
```

Because of the filter on the child records, I post the foreign_id to the server-side PHP, but when I upload the file the foreign_id isn't posted and it results in a warning (notice). Not posting the foreign_id to filter the results means that the whole table is returned, with the security issue that everyone can see each other's data. I'm stuck on this issue and I hope someone knows a solution.

Kind regards,
nessinits

Replies

  • nessinits Posts: 86 Questions: 27 Answers: 0

    I believe I have solved the problem partially.

    I've added the foreign_id as GET in the ajax request (as a part of the url defined). The document results are limited to the records matching the foreign_id, now.

    However, the server-side response still returns every file in the files table. I've no idea how I can limit the result on this.

  • nessinits Posts: 86 Questions: 27 Answers: 0

    Some additional information:

    ```
    {"data":[{"DT_RowId":"row_5","foreign_id":"150eff70-0661-11e7-b4ea-fb89b904e985","description":"Test 23.11","type_id":"11","publishdate":"2017-03-24","active":"1","uuid":"15"}],
    "options":[],
    "files":{"files":{
    "1":{"id":"1","filename":"client-pic1.jpg","filesize":"3899","web_path":"\/upload\/1.jpg","system_path":"\/home\/plob347868\/domains\/uzbc.nl\/public_html\/upload\/1.jpg"},
    "2":{"id":"2","filename":"client-pic1.jpg","filesize":"3899","web_path":"\/site\/workload\/documents\/2.jpg","system_path":"\/home\/plob347868\/domains\/uzbc.nl\/public_html\/site\/workload\/documents\/2.jpg"},
    "3":{"id":"3","filename":"eTicket_1.pdf","filesize":"107489","web_path":"\/site\/workload\/documents\/3.pdf","system_path":"\/home\/plob347868\/domains\/uzbc.nl\/public_html\/site\/workload\/documents\/3.pdf"},
    ...
    "13":{"id":"13","filename":"1465302837_icontexto-green-01.png","filesize":"10534","web_path":"\/site\/workload\/documents\/n13.png","system_path":"\/home\/plob347868\/domains\/uzbc.nl\/private_html\/site\/workload\/documents\/n13.png"},
    "14":{"id":"14","filename":"1465302959_phone_application-12.png","filesize":"3922","web_path":"\/site\/workload\/documents\/n14.png","system_path":"\/home\/plob347868\/domains\/uzbc.nl\/private_html\/site\/workload\/documents\/n14.png"},
    "15":{"id":"15","filename":"1465302729_Sunrise.png","filesize":"12409","web_path":"\/site\/workload\/documents\/n15.png","system_path":"\/home\/plob347868\/domains\/uzbc.nl\/private_html\/site\/workload\/documents\/n15.png"}}}}
    ```

    Only the last file (id 15, because it matches uuid 15 in the data) should be in the response. Hope someone knows what I'm doing wrong.

  • nessinits Posts: 86 Questions: 27 Answers: 0

    Could this be a security issue?

  • tangerine Posts: 3,350 Questions: 37 Answers: 394
  • nessinits Posts: 86 Questions: 27 Answers: 0

    Don't believe that's the problem:
    operator - The conditional operator (e.g. =, <, >, etc). This parameter is optional - the default is =.

  • tangerine Posts: 3,350 Questions: 37 Answers: 394

    Ah - sorry, didn't see that.

  • allan Posts: 61,716 Questions: 1 Answers: 10,108 Site admin

    Currently the Upload class does not have its own where condition - that is something that I will look into adding for a future release.

    It could be considered a security issue if you don't want all of the files to be listed (although it is worth noting that it would be trivial to change the GET parameter allowing the end user to find the other files, so a where for the upload alone wouldn't solve that).

    Allan
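    The script below is an added example for this thread; it is not code from the original post or from the DataTables Editor project. It takes the original post's configuration and applies Allan's point that a GET parameter is trivially changed by the end user: the parent id is read from server-side session state instead of the request, the listing fails closed when that state is absent rather than returning the whole table, and, because Upload has no where() of its own, the files block of the response is trimmed after processing to the ids the returned rows actually reference. The session key $_SESSION['parent_id'] is a made-up name (assumption: the application's login code populates it); Field::setValue() and Editor::data() are existing Editor PHP API methods.

```php
<?php
// Added example, not from the thread or the Editor library.
// Assumes lib/DataTables.php (as in the original post) provides $db, and that
// the login code stores the authenticated user's parent record id in
// $_SESSION['parent_id'] (assumed name, not shown here).
include( "lib/DataTables.php" );

use
    DataTables\Editor,
    DataTables\Editor\Field,
    DataTables\Editor\Format,
    DataTables\Editor\Upload;

session_start();

// 1. Never take the filter value from the request: a client can change a GET
//    or POST parameter at will. Fail closed if the server-side value is absent,
//    instead of falling back to an unfiltered table.
if ( empty( $_SESSION['parent_id'] ) ) {
    http_response_code( 403 );
    header( 'Content-Type: application/json' );
    echo json_encode( array( 'error' => 'Not authorised' ) );
    exit;
}
$parentId = $_SESSION['parent_id'];

$editor = Editor::inst( $db, 'document' )
    ->fields(
        // setValue() forces the stored foreign_id to the session value on
        // create/edit, so a forged foreign_id in the submitted form is ignored.
        Field::inst( 'foreign_id' )->setValue( $parentId ),
        Field::inst( 'description' ),
        Field::inst( 'type_id' ),
        Field::inst( 'publishdate' ),
        Field::inst( 'active' ),
        Field::inst( 'uuid' )
            ->setFormatter( 'Format::ifEmpty', null )
            ->upload( Upload::inst( $_SERVER['DOCUMENT_ROOT'].'/site/workload/documents/n__ID__.__EXTN__' )
                ->db( 'files', 'id', array(
                    'filename'    => Upload::DB_FILE_NAME,
                    'filesize'    => Upload::DB_FILE_SIZE,
                    'web_path'    => Upload::DB_WEB_PATH,
                    'system_path' => Upload::DB_SYSTEM_PATH
                ) )
                ->validator( function ( $file ) {
                    return $file['size'] >= 500000 ?
                        "Files must be smaller than 500K" :
                        null;
                } )
                ->allowedExtensions( array( 'png', 'jpg', 'gif' ), "Please upload an image" )
            )
    )
    // 2. The same server-side value drives the row filter for every action,
    //    including the upload request that never carried foreign_id.
    ->where( 'foreign_id', $parentId );

$editor->process( $_POST );
$out = $editor->data();   // the response array json() would have echoed

// 3. Upload has no where() of its own, so trim the files block to the ids
//    referenced by the rows this user is allowed to see. Workaround written
//    for this thread, not an Editor feature. Responses without a data block
//    (e.g. the upload action itself) are left untouched.
if ( isset( $out['data'] ) && isset( $out['files']['files'] ) ) {
    $referenced = array();
    foreach ( $out['data'] as $row ) {
        if ( isset( $row['uuid'] ) && $row['uuid'] !== '' ) {
            $referenced[ $row['uuid'] ] = true;
        }
    }
    // Keep only file entries whose id matches a referenced uuid
    $out['files']['files'] = array_intersect_key( $out['files']['files'], $referenced );
}

header( 'Content-Type: application/json' );
echo json_encode( $out );
```

    With the sample response from earlier in the thread, step 3 leaves only the file with id 15 in files.files, because that is the only id referenced by a returned row's uuid. The ownership decision still rests on whatever put parent_id into the session; if that mapping can be manipulated, none of the filtering here helps.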

  • nessinits Posts: 86 Questions: 27 Answers: 0

    Thanks for your help, Allan.

  • nessinits Posts: 86 Questions: 27 Answers: 0

    This discussion can be closed.
