Setting User privileges set Editor Datatables

Setting User privileges set Editor Datatables

Khalid TeliKhalid Teli Posts: 60Questions: 13Answers: 0

Hi ,
Now that my data-tables are almost ready. I have already created a user login portal, where users can login based on Username and Password given

Now, I am trying to set privileges for each user to read/write/ only specific data from database. This is very important for my project as there is some important financial information which only few people can view.

For example:

1) User-1: **can read data from all tables in database.
**2) User-2:
Can only read few columns from each table in database.
3) User-3: can read all data and able to edit some data.

Please provide some ideas how can I proceeded with this as this is extremely important for my project.
Your suggestions will be highly appreciated

This question has accepted answers - jump to:

Answers

  • tangerinetangerine Posts: 2,730Questions: 22Answers: 311

    Does your Users table incorporate access levels?

  • colincolin Posts: 9,558Questions: 0Answers: 1,582

    This thread should help, it's asking the same thing.

    Cheers,

    Colin

  • Khalid TeliKhalid Teli Posts: 60Questions: 13Answers: 0

    @tangerine can you please elaborate?

    Just to give an idea , for the basic login system, I am reading username and password from data inputted in database and compare it against the user input (POST method).

    Then I am saving the username in SESSION Variable and use it across other tables to give basic access rights , which allows a user to edit or only read from table
    for example sessionId reads the information from current session and if it matches some value which in my case is abc , it will allow to edit the information otherwise no.

        var sessionId = "<?php echo $_SESSION['username']; ?>";
    
    if (sessionId === 'abc') {
        $('#example').on('click', 'tbody tr td', function() {
          editor.inline(this);
        }); 
    
        table.button().add(
          null, { extend: "create", editor: editor }     
        )
    }
    

    I want to extend this to hide columns and check if this is the right way of doing it? Thanks

  • Khalid TeliKhalid Teli Posts: 60Questions: 13Answers: 0

    @colin
    Thank you.
    I followed the same example. However, I am not able to understand how to logic behind hiding the data (columns) from server-side and then sending the data to client. based on user roles.

    If I am not wrong, if we do it from client side (hide the columns) the data will be still accessible using the developer tool->XHR response.

    Thank you

  • colincolin Posts: 9,558Questions: 0Answers: 1,582

    Yep, the thread I pointed you towards was for the editing aspect - i.e. when to permit the Edit and New buttons to appear.

    To hide specific columns, you're correct, if it's sent, it's visible in the payload. There, you would need to do something like first interrogate the server to see what columns the user would have access to, then when initialising the table, base it upon that information. It would need to be a two step process.

    Colin

  • Khalid TeliKhalid Teli Posts: 60Questions: 13Answers: 0

    @collin Thank you very much.
    I was able to hide the column data from server-side using:

        if ( $_SESSION['privileges'] === 'abc') {
          $editor->fields(Field::inst( 'admins.first_name' )
            ->get(false)
    
        );
        }
    

    It works perfect. However, when retrieving the data from client side, it shows this message

    Requested unknown parameter 'admins.first_name' for row 0, column 2

    From the client side I tired to fit it in if statement using :

         if ($_SESSION['privileges'] === 'abc') {
    
                table.columns( [ 2 ] ).visible( false, false );
             table.columns.adjust().draw( false ); 
    
            }
    

    This doesn't seem to be working right.

    Can you please give me an idea how can i ignore this error based on dynamically hiding some columns based on $_SESSION['privileges'] variable

  • colincolin Posts: 9,558Questions: 0Answers: 1,582

    That's because you've probably initialised the table for more columns than what you received. My idea above was to query the server before any initialisation, get the columns that can be viewed, and then initialise the table with that information. Hope that makes sense,

    Colin

  • Khalid TeliKhalid Teli Posts: 60Questions: 13Answers: 0

    @colin
    it does make sense. But irrespective of the query results, for the returned data, wouldn't I need to initialise all the columns anyway? And in that case when the result for any column is set to false , it will still show the same error?

    For user 'abc' it needs to display all column but for user 'def' it needs to hide few. In both cases data table needs to be intilized with all possible columns.

        if ( $_SESSION['privileges'] === 'abc') {
          $editor->fields(Field::inst( 'admins.first_name' )
    
        );
        }
    
        else if ( $_SESSION['privileges'] === 'def') {
          $editor->fields(Field::inst( 'admins.first_name' )
            ->get(false)
            );
    
        }
    

    or is there a way to create columns dynamically?
    I would really appreciate, if you can give me a very simple example?

    Thank you

  • Khalid TeliKhalid Teli Posts: 60Questions: 13Answers: 0
    edited September 18

    @colin please ignore my previous comment, I am sure it doesn't make much sense, sorry

    **I managed to make it work using below code
    **
    before initialling the table i used (xhr) as this would be called after every ajax load :

    $('#example').on('xhr.dt', function ( e, settings, json, xhr ) {
            var api = new $.fn.dataTable.Api( settings );
    
            var abc = "<?php echo $_SESSION['privileges']; ?>";
    //saving the privileges in A and the comparing 
    
            if (A === 'abc')
            {
                api.columns([2]).visible(false);
    
        }
        });
    
  • colincolin Posts: 9,558Questions: 0Answers: 1,582
    Answer ✓

    Excellent, glad it's all working.

    Colin

  • allanallan Posts: 52,525Questions: 1Answers: 8,020 Site admin

    That would do it - nice one. The downside to this method is that if anyone takes a look at the code on the client-side, they will see that you are just hiding columns that they shouldn't be able to see. While they don't have any data in them, so the damage is minimal, it still does indicate to them that there is more than they can see.

    Typically when doing this kind of thing, I have PHP generate both the HTML and the Javascript for the user's access rights. For example if the general user has access to 4 columns, both the HTML and JS will reflect that. If an admin has access to 6 columns, likewise the HTML and JS will be built for that case.

    I don't think we have an example of that process anywhere, but it would be a good one for a blog post sometime.

    Allan

  • Khalid TeliKhalid Teli Posts: 60Questions: 13Answers: 0

    @colin and @allan
    Thank you. Yes, that is true but as you mentioned, damage is minimal. I would take your suggestion and make php script according to user priviliges.

    Also, with the above method, it is important to note , from server side return the hidden column to null

    if ( $_SESSION['privileges'] === 'abc') {
      $editor->fields(Field::inst( 'admins.first_name' )
        ->getFormatter( function ( $val, $data, $opts ) { return null;}),
    
        );
    

    otherwise , it will display the same error
    Requested unknown parameter 'admins.first_name' for row 0, column 2

    I hope this is the right way to do it.

  • allanallan Posts: 52,525Questions: 1Answers: 8,020 Site admin
    Answer ✓

    Yes, that's a perfectly valid way of doing it.

    Allan

Sign In or Register to comment.