restrict use of editing

jim54729 Posts: 7 Questions: 3 Answers: 0

I just purchased the editor, by mistake, but I think I might have use for it. If I add this ability to a table, how do I restrict who can use it? I did not see this anywhere. This is for a website with 50 users, but only 10 should have edit abilities. The website is using Access for the db.

Answers

  • rf1234 Posts: 2,983 Questions: 87 Answers: 421

    I do this by hiding the buttons, for example. To be sure that no updates are being processed on the server you can also set fields to false based on a condition.

    Here is an example of the "buttons" section of a table definition:

    var yourTable = $('#yourTable').DataTable( {
        // ....
        buttons: [
            { extend: "edit",   editor: yourEditor, className: "editorOnly" },
            { extend: "remove", editor: yourEditor, className: "editorOnly" },
            { extend: "create", editor: yourEditor, className: "editorOnly" }
            // ......
        ]
    } );

    // Once the table has initialised, hide the Editor buttons for non-editors
    yourTable.on('init', function () {
        if ( ! userIsEditor ) {
            yourTable.buttons('.editorOnly').nodes().addClass('hidden');
        } else {
            yourTable.buttons('.editorOnly').nodes().removeClass('hidden');
        }
    } );
    

    In PHP on the server side you can use events like this to make sure that certain fields aren't being updated for sure:

    ->on('preEdit', function ( $editor, $id, $values ) {
        if ( ! $_SESSION['userIsEditor'] ) {
            // Stop this field from being written for non-editors
            $editor->field('yourField')->set( false );
        }
    } )
    
  • allan Posts: 63,455 Questions: 1 Answers: 10,465 Site admin

    There is information about this available in the security section of the Editor manual.

    Regards,
    Allan

  • rf1234 Posts: 2,983 Questions: 87 Answers: 421
    edited January 2018

    One update: if you use the code below, all fields are not editable any longer. Could be the simplest way to make sure nothing is edited by non-editors. Using these events you don't need to do anything about the individual field definitions.

    // preCreate is passed no row id, only the editor instance and the values
    ->on('preCreate', function ( $editor, $values ) {
        if ( ! $_SESSION['userIsEditor'] ) {
            $editor->field(null)->set( false );
        }
    } )
    ->on('preEdit', function ( $editor, $id, $values ) {
        if ( ! $_SESSION['userIsEditor'] ) {
            $editor->field(null)->set( false );
        }
    } )
    ->on('preRemove', function ( $editor, $id, $values ) {
        if ( ! $_SESSION['userIsEditor'] ) {
            $editor->field(null)->set( false );
        }
    } )
    

    @allan a 'preSubmit' event for PHP would be handy ... maybe something for the next release?!

  • allan Posts: 63,455 Questions: 1 Answers: 10,465 Site admin

    A presubmit in the PHP code would just be code that is given before the creation of the Editor instance. In the code example above, rather than using events, I would just use:

    Field::inst( ... )
      ->set( $_SESSION['userIsEditor'] ? true : false )
    

    Allan

  • rf1234 Posts: 2,983 Questions: 87 Answers: 421
    edited January 2018

    @allan you could do it that way but if you have 20 fields you would need to repeat it 20 times or am I missing something?

    Could do my events simpler of course:

    ->on('preCreate', function ( $editor, $values ) { 
        $editor->field(null)->set( $_SESSION['userIsEditor'] );
    } )
    ->on('preEdit', function ( $editor, $id, $values ) { 
        $editor->field(null)->set( $_SESSION['userIsEditor'] );
    } )
    ->on('preRemove', function ( $editor, $id, $values ) { 
        $editor->field(null)->set( $_SESSION['userIsEditor'] );
    } )
    

    I meant "preSubmit" in a different sense: Just an event that combines the 3 events above into one in order to avoid repeating the code. "preDatabaseProcessing" or whatever you want to call it.

  • allan Posts: 63,455 Questions: 1 Answers: 10,465 Site admin
    Answer ✓

    I'd probably use a global validation function for that:

    Editor::inst( $db, 'table' )
        ->fields( ... )
        ->validator( function ( $editor, $action, $data ) {
            if ( $action !== Editor::ACTION_READ && $_SESSION['read_only'] ) {
                return 'Cannot modify data';
            }
        } )
        ->process( $_POST )
        ->json();
    

    Allan

  • rf1234 Posts: 2,983 Questions: 87 Answers: 421
    Answer ✓

    That is definitely the coolest solution on the server side. Thanks Allan. If you combine it with hiding the buttons for non-Editors this should work really well and be safe too.

This discussion has been closed.
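
The global validator from the accepted answer, written out as a complete server script that denies writes whenever the session flag is missing, so the check holds even if the hidden buttons are bypassed. This is an added example, not code from the thread or from the Editor project; the include path, the table and field names, the `authorizeAction` helper and the `userIsEditor` flag set at login are assumptions.

```php
<?php
// Added example (not from the thread). Assumptions: Editor's PHP libraries
// load from lib/DataTables.php and provide $db; the table and field names
// are placeholders; login sets $_SESSION['userIsEditor'] = true for the
// permitted editors only.
session_start();
include( "lib/DataTables.php" );

use DataTables\Editor,
    DataTables\Editor\Field;

// Hypothetical helper: returns null to allow the request, or the error
// string that Editor sends back to the client.
function authorizeAction( $action, array $session ) {
    if ( $action === Editor::ACTION_READ ) {
        return null; // every user may read the table
    }
    // Fail closed: a missing or non-boolean flag counts as "not an editor",
    // so an expired or half-initialised session cannot write.
    if ( ( $session['userIsEditor'] ?? false ) === true ) {
        return null;
    }
    return 'Cannot modify data';
}

Editor::inst( $db, 'yourTable' )
    ->fields( Field::inst( 'yourField' ) )
    ->validator( function ( $editor, $action, $data ) {
        $error = authorizeAction( $action, $_SESSION );
        if ( $error !== null ) {
            // With the buttons hidden, a denial here means the request did
            // not come from the normal UI: record it for review.
            error_log( 'Editor write denied, action=' . $action );
        }
        return $error;
    } )
    ->process( $_POST )
    ->json();
```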