Each Row: How can I restrict access to EDIT(read only) based on user name

BalaKrishnanDhanuskodi Posts: 45 Questions: 17 Answers: 0
edited December 2017 in Editor

Happy Evening one and all,

I was trying to find the answer to the query below but had no luck. I have successfully completed the build of the issue manager. Now, this is accessed by two groups of people. Group/user types are stored in the session.

I am not sure where to write the restriction: in PHP or in JS? I thought it should be JS :/

Please refer to Exhibit 1, the exhibit enclosed: any issues created by BALA should be read-only for AUGUSTIN and vice versa. All I am looking for is the syntax to control this access restriction using the user name; all the usernames are stored in the session.

The following is the code I use to capture the username inside JS, but I am not sure how to set read-only access for a specific column based on the user.

Below is the code to capture the username in the Editor, in read-only mode:

    {
        "label": "Issue Raised by:",
        "name": "iss_raised_by",
        "type": "readonly",
        "def": username
    },

Exhibit 1

Answers

  • allan Posts: 61,880 Questions: 1 Answers: 10,139 Site admin

    Actually, I would say it should be PHP. If you do it in JavaScript, any malicious user could trivially bypass that by marking it as a read / write field.

    The method I generally use is to serve up different JavaScript based on the PHP session information. See also the security documentation for Editor, which discusses this.

    Allan

  • BalaKrishnanDhanuskodi Posts: 45 Questions: 17 Answers: 0

    Thanks a lot, Allan. I tried the following code and it is not working. I am still exploring the forum for an answer. I am a bit confused with the session here; I am sure the following is something like a novice experiment, please bear with me.

    The user's session value is stored in $_SESSION['SESS_USER_NAME']

    <?php
    // Attempt as posted. The ->set() call on iss_raised_by compares two
    // session values and passes the resulting boolean to set().
    session_start();

    include( "lib/DataTables.php" );   // Editor bootstrap; provides $db

    use
        DataTables\Editor,
        DataTables\Editor\Field,
        DataTables\Editor\Validate;

    Editor::inst( $db, 'issue_manager', 'id' )
        ->fields(
            Field::inst( 'iss_no' ),
            Field::inst( 'iss_summary' )
                ->validator( 'Validate::notEmpty' ),
            Field::inst( 'iss_description' )
                ->validator( 'Validate::notEmpty' ),
            Field::inst( 'iss_staus' ),
            Field::inst( 'iss_raised_by' )
                ->set( $_SESSION['iss_raised_by']['editing'] == $_SESSION['SESS_USER_NAME'] ),
            Field::inst( 'iss_raised_on' ),
            Field::inst( 'iss_last_update' ),
            Field::inst( 'iss_assigned' )
        )
        ->process( $_POST )
        ->json();
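The following is an added example, not code from the thread or from the Editor project, showing one way to do what Allan describes above (enforce the restriction in PHP, where the client cannot bypass it) and what the attempt above is reaching for. It assumes the login code has already started the session and stored the username in `$_SESSION['SESS_USER_NAME']`, that `lib/DataTables.php` is the Editor bootstrap that defines `$db`, that the table and column names match the script above, and that the installed Editor PHP version cancels an action when a `preEdit`/`preRemove` handler returns `false` (an assumption about the library version). The `raisedBy()` helper and its use of `$db->select()`/`fetch()` are this example's own code.

```php
<?php
// Added example: server-side ownership check for the Editor "issue_manager"
// table. A row raised by one user may only be edited or removed by that user;
// everyone else gets a read-only row no matter what the browser submits.
session_start();

include( "lib/DataTables.php" );   // assumption: Editor bootstrap that provides $db

use
    DataTables\Editor,
    DataTables\Editor\Field,
    DataTables\Editor\Validate;

// Never process an Editor request for an anonymous session.
if ( empty( $_SESSION['SESS_USER_NAME'] ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    echo json_encode( [ 'error' => 'Not logged in' ] );
    exit;
}
$currentUser = $_SESSION['SESS_USER_NAME'];

// Helper (this example's own): who raised the row with primary key $id?
// Returns null when the row does not exist.
function raisedBy ( $db, $id ) {
    $row = $db
        ->select( 'issue_manager', [ 'iss_raised_by' ], [ 'id' => $id ] )
        ->fetch();
    return $row ? $row['iss_raised_by'] : null;
}

// Shared check for edit and remove: allow only if the session user raised the row.
$ownerOnly = function ( $editor, $id, $values ) use ( $currentUser ) {
    $owner = raisedBy( $editor->db(), $id );
    return $owner !== null && $owner === $currentUser;
};

Editor::inst( $db, 'issue_manager', 'id' )
    ->fields(
        Field::inst( 'iss_no' ),
        Field::inst( 'iss_summary' )
            ->validator( 'Validate::notEmpty' ),
        Field::inst( 'iss_description' )
            ->validator( 'Validate::notEmpty' ),
        Field::inst( 'iss_staus' ),
        // The raiser is stamped from the session on create only, and the
        // client-supplied value for this field is ignored, so it can never
        // be rewritten through the editor form.
        Field::inst( 'iss_raised_by' )
            ->set( Field::SET_CREATE )
            ->setValue( $currentUser ),
        Field::inst( 'iss_raised_on' ),
        Field::inst( 'iss_last_update' ),
        Field::inst( 'iss_assigned' )
    )
    // Assumption: returning false from a pre* event cancels the action.
    ->on( 'preEdit',   $ownerOnly )
    ->on( 'preRemove', $ownerOnly )
    ->process( $_POST )
    ->json();
```

With this in place, marking `iss_raised_by` as `readonly` in the JavaScript field definition (as in the first post) is purely a usability choice: a user who edits the page's JavaScript to make the field writable, or who posts to the PHP script directly, still cannot change a row they did not raise, because the decision is taken from the session on the server rather than from anything the client sends.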

  • allan Posts: 61,880 Questions: 1 Answers: 10,139 Site admin

    Do you have information telling you what the user should have access to in the SESSION?

    Regards,
    Allan
