roles/permissions question
Archived from the Xataface Users forum.
maddin — Thu Jan 18, 2007 10:13 am
hello everybody
I was wondering if it was possible to grant permissions to add/delete and edit records in a table on a role basis (maybe owner?), but only for the records he/she has added. To make it even more complicated, I would like to show (view) only records which were added by this user, so that every user can only see his records.
Did anybody of you ever try this? Could you give me a hint towards the right direction?
cheers
martin
shannah — Fri Jan 19, 2007 12:47 am
Hi Martin,
Good questions. I have been doing this sort of thing pretty regularly in my dataface apps. To have an “owner” role, you would likely need to have a column in your table called “owner” or something like it to keep track of who owns which record.
Then you could do something like:
```php
function getPermissions(&$record){
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
    if ( $user->val("username") == $record->val('owner') ){
        return Dataface_PermissionsTool::ALL();
    }
}
```
As far as making it so that the user can only see records created by himself, the most effective way I have found is to sort of cut off the list view from your users, and use relationships instead.
Hence your users table would have relationships defined for all of the things that your users need to see.
-Steve
maddin — Sat Jan 20, 2007 9:01 am
hi steve and thanks for your fast reply..
I tried your code snippet but unfortunately it produces a fatal error after login
shannah — Sat Jan 20, 2007 12:52 pm
Looks like you have to do a check to make sure that $record is not null (if there are no records found then it will be null).
Something like
if ( !isset($record) ) return Dataface_PermissionsTool::ALL();
maddin — Mon Jan 22, 2007 5:21 pm
hi steve
here is what i tried in my ApplicationDelegate.php:
```php
function getPermissions(&$record){
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
    //////////////////////////////////////////////
    // this works of course
    // $owner = "dave";
    // if ( $user->val('UserName') == $owner ){
    //////////////////////////////////////////////
    if ( !isset($record) ) {
        if ( $user->val('UserName') == $record->val('owner') ){
            return Dataface_PermissionsTool::ALL();
        }
        return Dataface_PermissionsTool::ALL();
    }
}
```
at least I now get a nicely formatted Error message eg:
Errors
* Permission to perform action ‘list’ denied.
Requires permission ‘view’ but only granted ‘’
and on top of the site I find these lines:
————-error msg.——————————-
On line 324 of file E:\schlumpp\htdocs\df6.11\Dataface\PermissionsTool.php in function printStackTrace()
On line 341 of file E:\schlumpp\htdocs\df6.11\Dataface\PermissionsTool.php in function namesAsArray()
On line 790 of file E:\schlumpp\htdocs\df6.11\Dataface\Application.php in function namesAsString()
On line 1152 of file E:\schlumpp\htdocs\df6.11\Dataface\Application.php in function handleRequest()
On line 19 of file E:\schlumpp\htdocs\df6.11\cdb\index.php in function display()
Warning: Invalid argument supplied for foreach() in E:\schlumpp\htdocs\df6.11\Dataface\PermissionsTool.php on line 326
Warning: implode() [function.implode]: Bad arguments. in E:\schlumpp\htdocs\df6.11\Dataface\Application.php on line 792
————–end error msg.—————————-
I only have 2 tables: 1. questions and 2. users
the users table is simply the users table from your FacultyOfWidgetry example
and the questions table has a field named “owner” .
the table questions only contains two records and the field “owner”, in both cases is not empty.
thx in advance
martin
shannah — Mon Jan 22, 2007 6:18 pm
it looks like you want to have
if ( isset($record) )
rather than
if ( !isset($record) )
maddin — Mon Jan 22, 2007 6:42 pm
If (isset($record)) is leading to: Fatal error: Call to a member function val() on a non-object in E:\schlumpp\htdocs\df6.11\cdb\conf\ApplicationDelegate.php on line 39
shannah — Tue Jan 23, 2007 12:33 pm
What is on line 39?
isset($record) will not result in that error. That error results when you do something like:
$obj->func();
but $obj is actually null or not an object.
-Steve
maddin — Tue Jan 23, 2007 3:23 pm
line 39 says:
if ( $user->val('UserName') == $record->val('owner')){
the whole function looks like this:
```php
class conf_ApplicationDelegate {
    function getPermissions(&$record){
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();
        if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
        if ( !isset($record) ) {
            if ( $user->val('UserName') == $record->val('owner')){
                return Dataface_PermissionsTool::ALL();
            }
            return Dataface_PermissionsTool::ALL();
        }
    }
}
```
shannah — Tue Jan 23, 2007 4:51 pm
Change it to:
```php
class conf_ApplicationDelegate {
    function getPermissions(&$record){
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();
        if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
        if ( isset($record) ) {
            if ( $user->val('UserName') == $record->val('owner')){
                return Dataface_PermissionsTool::ALL();
            }
            return Dataface_PermissionsTool::ALL();
        }
    }
}
```
(Note that I removed the ‘!’ from in front of isset($record))
shannah — Tue Jan 23, 2007 4:53 pm
Also, at the end, have it return no access, so that something is always returned, regardless of whether $record is set or not.
maddin — Wed Jan 24, 2007 9:59 am
hi steve
thanxx for your endurance in helping me with this problem..
this morning I tried to reproduce this error on a blank install of dataface 6.11
here is what I did:
I downloaded the example file of FacultyOf Widgetry-12 (permissions),
executed the sql from that example,
added an owner field to the course table
filled the owner field with adminUser
replaced the old function with the new one from your last post
logged in as adminUser… guess what happened..
Fatal error: Call to a member function val() on a non-object in E:\schlumpp\htdocs\df6.11\FacultyOfWidgetry-12\conf\ApplicationDelegate.php on line 38
my problem is that i have no idea how to debug this..
line 38 is the good old: if ( $user->val('UserName') == $record->val('owner')){
can i echo the values of that array ($record->val('owner')) somehow for debugging?
cheers
martin
shannah — Wed Jan 24, 2007 3:04 pm
Hi Martin,
Trying to output the values of $record->val('owner') will do you no good because $record is null.
That is what is causing this error.
The solution to this problem is clear. You must make sure that you don’t call any methods on objects that are null (or aren’t objects). Therefore, you must catch it before it executes line 39 to make sure that $record is not null. There are many ways to do this. One of the ways is described above in a previous post.
Another way would be to just check first thing:
```php
if ( !isset($record) ) {
    // we know here that there is no record.. that means that there are no
    // records in the current found set.
    // we still want our admins to be able to create new records in this
    // case so let's give permissions based on this.
    if ( $user and $user->val('role') == 'admin'){
        return Dataface_PermissionsTool::ALL();
    } else {
        return Dataface_PermissionsTool::NO_ACCESS();
    }
}
```
maddin — Mon Jan 29, 2007 5:05 pm
hi steve
does this make sense to you?
```php
class conf_ApplicationDelegate {
    function getPermissions(&$record){
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();
        if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
        if ( !isset($record) ) {
            // we know here that there is no record.. that means that there are no
            // records in the current found set.
            // we still want our admins to be able to create new records in this
            // case so let's give permissions based on this.
            if ( $user and $user->val('role') == 'ADMIN'){
                return Dataface_PermissionsTool::ALL();
            } else {
                return Dataface_PermissionsTool::NO_ACCESS();
            }
            // case 2:UserName matches username in owner field in questions table
            if ( isset($record) ) {
                if ( $user->val('UserName') == $record->val('owner')){
                    return Dataface_PermissionsTool::ALL();
                }else {
                    return Dataface_PermissionsTool::NO_ACCESS();
                }
            }
        }
    }
}
```
it gives me a “permission denied” Error
* Permission to perform action 'list' denied. Requires permission 'view' but only granted ''.
1. why does it say “but only granted ‘’” when I try to log in as admin?
as far as I understand this function, this should happen:
if ( $user and $user->val('role') == 'ADMIN'){
return Dataface_PermissionsTool::ALL();
2. why are there no records in the current found set? I definitely know that there are some records with “admin” in the owner field.
I know I am a blockhead at this point , but I tried shifting code in this delegate class (in almost every combination possible) without success. I ended up guessing and trying more or less confused.
Maybe you have answered my questions already, but it’s like to not see the wood for the trees.
So… before I give it up here is my last call for help
cheers
martin
shannah — Tue Jan 30, 2007 2:46 am
What you may want to try here is putting some output in certain places of your function so that you can see which logic path is being followed. (e.g. echo "here now")
As far as your permission denied error, I suspect that it is not even reaching the if ( $user and $user->val('role') == 'ADMIN'){
code. Likely isset($record) is true, so your if (!isset($record) ) gets stepped over.
In fact, unless there is a typo in the code you just pasted, it looks like you’re missing a closing brace before if ( isset($record) ) because that if statement falls inside the previous if (!isset($record)) statement - which doesn’t make a lot of sense.
```php
class conf_ApplicationDelegate {
    function getPermissions(&$record){
        $app =& Dataface_Application::getInstance();
        $query =& $app->getQuery();
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $app->getLoggedInUser();
        // IF user is not logged in, he gets no access
        if (!$user ) return Dataface_PermissionsTool::NO_ACCESS();
        // Admins get full access
        if ( $user->val('role') == 'ADMIN' ) return Dataface_PermissionsTool::ALL();
        // Users can edit their own records
        if ( $record and $record->val('owner') == $user->val('UserName') )
            return Dataface_PermissionsTool::ALL();
        // In all other cases, there is NO ACCESS
        return Dataface_PermissionsTool::NO_ACCESS();
    }
}
```
The above function does what you intended and it avoids problems with null $records and null $users.
maddin — Wed Jan 31, 2007 5:58 am
hi steve
i implemented this function “as is”
and it seems that there is a problem with this line
$user =& $app->getLoggedInUser();
Fatal error: Call to undefined function: getloggedinuser() in /data/mad/haschisch-online.de/www/html/df69/cdb/conf/ApplicationDelegate.php on line 15
this happens either on win and linux
maybe you have an idea
shannah — Wed Jan 31, 2007 10:33 am
oops.. that should be $auth->getLoggedInUser();
maddin — Thu Feb 01, 2007 10:40 am
hi steve
i changed it to $auth ,but..
Fatal error: Call to a member function val() on a non-object in E:\schlumpp\htdocs\df6.11\cdb\conf\ApplicationDelegate.php on line 33
line 33:
if ( $record and $record->val('owner') == $user->val('UserName') )
spooky isn't it?
shannah — Thu Feb 01, 2007 1:15 pm
OK.. this is where you need to get your debugging hat on and figure out what is going on. I can give you some tips of where to look, but ultimately you’re gonna have to find this one.
First… you know which line is the culprit and you know what the error is.
Evidently it claims that $record is not an object - but it is also not null!
So add an echo statement just before that line to see what $record is:
e.g.
echo "Record is $record"; exit;
If it turns out to be an array, go:
echo "Record is "; print_r($record);exit;
Do what you have to do to prevent that line from being called if $record is not an object.
maddin — Thu Feb 01, 2007 4:10 pm
Record is Array ( [table] => datenbank )
..if I was the parser, I would approve it
but unfortunately php seems to be more strict
It looks like an object to me…it even looks like the right object and it contains a field ‘owner’, when I understood it right,
that [table] => datenbank is an array of all fields of datenbank
ps: a friend of mine borrowed my debugging hat and never gave it back
shannah — Thu Feb 01, 2007 4:50 pm
Ok.. this is a bit sticky. Record is not an object, it is an array.. there are 2 possibilities for the cause of this.
- It is a bug in dataface
- Somewhere in your code (anywhere in your application) you have assigned some other value to that particular record..
Here’s what you can do to help diagnose the problem.
In the spot where you are placing your debugging code, add:
echo Dataface_Error::printStackTrace();
And post the output to the forum. Also it would help to know what version of Dataface you are using.
Thanks
Steve
maddin — Fri Feb 02, 2007 8:35 am
hi steve
I am using dataface 6.11 and the FacultyOfWidgetry-12 example (not modified)
,where i extended the course table with a field “owner”. and the ApplicationDelegate.php from your last post. (system: win xampp)
```
On line 33 of file E:\schlumpp\htdocs\df6.11\FacultyOfWidgetry-12\conf\ApplicationDelegate.php in function printStackTrace()
On line 1766 of file E:\schlumpp\htdocs\df6.11\Dataface\Table.php in function getPermissions(array(Course))
On line 128 of file E:\schlumpp\htdocs\df6.11\Dataface\PermissionsTool.php in function getPermissions(array())
On line 1019 of file E:\schlumpp\htdocs\df6.11\Dataface\Application.php in function getPermissions(Dataface_Table Object,array())
On line 1024 of file E:\schlumpp\htdocs\df6.11\Dataface\Application.php in function getPermissions()
On line 194 of file E:\schlumpp\htdocs\df6.11\Dataface\ActionTool.php in function checkPermission(view)
On line 1354 of file E:\schlumpp\htdocs\df6.11\Dataface\Table.php in function getActions(array(Course))
On line 71 of file E:\schlumpp\htdocs\df6.11\Dataface\ActionTool.php in function getActions(array(Course))
On line 84 of file E:\schlumpp\htdocs\df6.11\Dataface\ActionTool.php in function _loadTableActions(Course)
On line 699 of file E:\schlumpp\htdocs\df6.11\Dataface\Application.php in function getAction(array(Course,list))
On line 1152 of file E:\schlumpp\htdocs\df6.11\Dataface\Application.php in function handleRequest()
On line 19 of file E:\schlumpp\htdocs\df6.11\FacultyOfWidgetry-12\index.php in function display()
On line 33 of file E:\schlumpp\htdocs\df6.11\FacultyOfWidgetry-12\conf\ApplicationDelegate.php in function printStackTrace()
```
the output above is printed out on the screen about 40 times!
```
echo "Record is "; print_r($record);exit;
Record is Array ( [table] => Course )
```
the following is the output of the linux server where I am using dataface 6.9 (same setup as the example above)
```
On line 33 of file /data/mad/haschisch-online.de/www/html/df69/FacultyOfWidgetry-12/conf/ApplicationDelegate.php in function printstacktrace()
On line 1763 of file /data/mad/haschisch-online.de/www/html/df69/Dataface/Table.php in function getpermissions(course)
On line 128 of file /data/mad/haschisch-online.de/www/html/df69/Dataface/PermissionsTool.php in function getpermissions()
On line 960 of file /data/mad/haschisch-online.de/www/html/df69/Dataface/Application.php in function getpermissions(Object,)
On line 965 of file /data/mad/haschisch-online.de/www/html/df69/Dataface/Application.php in function getpermissions()
On line 194 of file /data/mad/haschisch-online.de/www/html/df69/Dataface/ActionTool.php in function checkpermission(view)
On line 1354 of file /data/mad/haschisch-online.de/www/html/df69/Dataface/Table.php in function getactions(course)
On line 71 of file /data/mad/haschisch-online.de/www/html/df69/Dataface/ActionTool.php in function getactions(course)
On line 84 of file /data/mad/haschisch-online.de/www/html/df69/Dataface/ActionTool.php in function _loadtableactions(course)
On line 640 of file /data/mad/haschisch-online.de/www/html/df69/Dataface/Application.php in function getaction(course-list)
On line 1093 of file /data/mad/haschisch-online.de/www/html/df69/Dataface/Application.php in function handlerequest()
On line 19 of file /data/mad/haschisch-online.de/www/html/df69/FacultyOfWidgetry-12/index.php in function display()
```
cheers
martin
shannah — Fri Feb 02, 2007 10:17 am
This looks like it may be a bug in Dataface (in Dataface table around line 1766).
shannah — Fri Feb 02, 2007 10:23 am
I have added this to the issue tracker and submitted a patched version of Table.php. Let me know how it goes.
http://framework.weblite.ca/development/issue-tracker/141
maddin — Fri Feb 02, 2007 3:44 pm
hi steve
this is the output with the patch:
```
On line 33 of file E:\schlumpp\htdocs\df6.11\FacultyOfWidgetry-12\conf\ApplicationDelegate.php in function printStackTrace()
On line 1767 of file E:\schlumpp\htdocs\df6.11\Dataface\Table.php in function getPermissions(,array(Course))
On line 128 of file E:\schlumpp\htdocs\df6.11\Dataface\PermissionsTool.php in function getPermissions(array())
On line 1019 of file E:\schlumpp\htdocs\df6.11\Dataface\Application.php in function getPermissions(Dataface_Table Object,array())
On line 1024 of file E:\schlumpp\htdocs\df6.11\Dataface\Application.php in function getPermissions()
On line 194 of file E:\schlumpp\htdocs\df6.11\Dataface\ActionTool.php in function checkPermission(view)
On line 1354 of file E:\schlumpp\htdocs\df6.11\Dataface\Table.php in function getActions(array(Course))
On line 71 of file E:\schlumpp\htdocs\df6.11\Dataface\ActionTool.php in function getActions(array(Course))
On line 84 of file E:\schlumpp\htdocs\df6.11\Dataface\ActionTool.php in function _loadTableActions(Course)
On line 699 of file E:\schlumpp\htdocs\df6.11\Dataface\Application.php in function getAction(array(Course,list))
On line 1152 of file E:\schlumpp\htdocs\df6.11\Dataface\Application.php in function handleRequest()
On line 19 of file E:\schlumpp\htdocs\df6.11\FacultyOfWidgetry-12\index.php in function display()
Fatal error: Call to a member function val() on a non-object in E:\schlumpp\htdocs\df6.11\FacultyOfWidgetry-12\conf\ApplicationDelegate.php on line 35
```
shannah — Fri Feb 02, 2007 5:01 pm
Excellent. That looks right. Remove the debugging code (i.e. the stack trace). Now, testing to see if record exists should work properly.
-Steve
maddin — Fri Feb 02, 2007 6:14 pm
Fatal error: Call to a member function val() on a non-object in E:\schlumpp\htdocs\df6.11\FacultyOfWidgetry-12\conf\ApplicationDelegate.php on line 35
???
shannah — Sat Feb 03, 2007 1:38 am
If I were you I’d probably be ready to give up. Can’t believe it is giving you this much trouble.
That error means:
You are calling a member function on a non-object.
So it is doing something like $record->val() but $record is not an object.
What you have to do is, find out what $record is, and by way of an if statement, prevent that line from being executed unless $record is an object.
You can also use the php is_object() function to test if it is an object, but you shouldn’t need to. Either $record will be null, or it will be an object (in which case you can call the val() method on it without problems). It will be null if no records were found in the current query and it is just checking the permissions on the table in general. Otherwise it will have a reference to the current record object. There should be no in between.
I have about 20 apps all running with permissions methods very similar to the one you are setting up here and they all work ok - so there is light at the end of the tunnel here.
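The decision order this thread converges on (anonymous, then admin, then owner, otherwise deny), as an added stand-alone example that is not part of the original posts or of Dataface itself. `StubRecord` and `decidePermissions()` are hypothetical names, the string results stand in for `Dataface_PermissionsTool::ALL()` and `Dataface_PermissionsTool::NO_ACCESS()`, and the sample users and records are constructed.

```php
<?php
// Added example: stand-alone sketch, not Dataface code. StubRecord and
// decidePermissions() are hypothetical; 'ALL' / 'NO_ACCESS' stand in for
// Dataface_PermissionsTool::ALL() and Dataface_PermissionsTool::NO_ACCESS().

const ALL = 'ALL';
const NO_ACCESS = 'NO_ACCESS';

/** Minimal stand-in for a user or record object that exposes val(). */
final class StubRecord
{
    private array $values;

    public function __construct(array $values)
    {
        $this->values = $values;
    }

    public function val(string $field)
    {
        return $this->values[$field] ?? null;
    }
}

/**
 * $record is deliberately untyped: in the thread it arrives as null, as an
 * object, and (before the Table.php patch) as an array.
 */
function decidePermissions($user, $record): string
{
    // No logged-in user: nothing is granted.
    if (!is_object($user)) {
        return NO_ACCESS;
    }

    // Admins are decided before $record is touched, so a table-level check
    // with a null record still lets them create the first row.
    if ($user->val('role') === 'ADMIN') {
        return ALL;
    }

    // Only dereference $record when it really is an object. A null record
    // or an array falls through to the final deny instead of a fatal error.
    if (is_object($record)) {
        $owner = $record->val('owner');
        $name  = $user->val('UserName');
        // Strict comparison plus a non-empty check: with ==, a NULL owner
        // column would compare equal to an empty user name.
        if (is_string($owner) && $owner !== '' && $owner === $name) {
            return ALL;
        }
    }

    // Every path without an explicit grant ends here, so the function
    // never falls off the end without a return value.
    return NO_ACCESS;
}

// Constructed sample data, not taken from a real installation.
$admin  = new StubRecord(['UserName' => 'adminUser', 'role' => 'ADMIN']);
$dave   = new StubRecord(['UserName' => 'dave', 'role' => 'USER']);
$blank  = new StubRecord(['UserName' => '', 'role' => 'USER']);
$mine   = new StubRecord(['owner' => 'dave']);
$other  = new StubRecord(['owner' => 'adminUser']);
$orphan = new StubRecord(['owner' => null]);

$cases = [
    'anonymous, any record'         => [null,   $mine,                 NO_ACCESS],
    'admin, no record (empty set)'  => [$admin, null,                  ALL],
    'admin, someone else\'s record' => [$admin, $mine,                 ALL],
    'owner, own record'             => [$dave,  $mine,                 ALL],
    'user, someone else\'s record'  => [$dave,  $other,                NO_ACCESS],
    'user, no record (empty set)'   => [$dave,  null,                  NO_ACCESS],
    'user, array instead of object' => [$dave,  ['table' => 'Course'], NO_ACCESS],
    'empty name, NULL owner'        => [$blank, $orphan,               NO_ACCESS],
];

$failed = 0;
foreach ($cases as $label => [$user, $record, $expected]) {
    $actual = decidePermissions($user, $record);
    if ($actual !== $expected) {
        $failed++;
    }
    printf("%-32s %-10s %s\n", $label, $actual, $actual === $expected ? 'ok' : 'MISMATCH');
}

exit($failed === 0 ? 0 : 1);
```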
geller — Sat Feb 03, 2007 11:15 am
Hi Guys
I have been following this thread with interest as I am getting the same problems as Martin using a similar application delegate class on my own application. I have kept my nose out until now as I am really not that technical but have been struggling for several weeks to secure my tables.
What I am finding is that using the old Table.php ( on current release before Steve’s patch) is exactly what Martin was finding
from the output of 'echo "Record is.. "; print_r($record);exit;'
Record is Array ( [table] => table25 )
After applying the patch I guess the output is null or no records?
Record is..
(All my tables have some data in them)
Further back in the thread Steve said that:-
Quote
Ok.. this is a bit sticky. Record is not an object, it is an array.. there are 2 possibilities for the cause of this.
- It is a bug in dataface
- Somewhere in your code (anywhere in your application) you have assigned some other value to that particular record..
I am not sure if this is relevant but I captured the output from echo "User is "; print_r($user);exit;
Some way through the output is:-
[_tables] => Array ( [table25] => table 1 [table26] => table 2 [table27] => table 3 [table28] => table 4 )
Is this related to Steve’s point number 2. ? Is it the conf.ini assigning another value to the tables?
Probably not but I am clutching at straws…
shannah — Sat Feb 03, 2007 12:18 pm
Can you post your current getPermissions() method that you are using… keeping your debugging code intact and also post the full output so I can take a look.
On another note, I have just posted another tutorial in the documentation section that involves permissions that might be helpful. It comes with source code.
-Steve
geller — Mon Feb 05, 2007 3:00 pm
Steve
As requested using the patched Table.php
function getPermissions(&$record){
// first get the currently logged in user
$auth =& Dataface_AuthenticationTool::getInstance();
$user =& $auth->getLoggedInUser();
// if no user is logged in, then we give no access
if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
// check if the record is set. If the user performs a search
// that returns an empty set, then this record may be null.
// if ( !isset($record) ) return Dataface_PermissionsTool::READ_ONLY();
// If the logged in user has the same UserID as the restaurant, then
// this user is the owner of the restaurant.. he has full permissions.
echo "Record is .. "; print_r($record);echo Dataface_Error::printStackTrace();exit;
if ( $record->val('UserID') == $user->val('UserID') ) return Dataface_PermissionsTool::ALL();
// otherwise we give read only access
return Dataface_PermissionsTool::READ_ONLY();
}
Each of the queried tables has a UserID field as does the Users table.
When I leave the ‘if no record’ statement in I just get READ_ONLY access. I guess there is no ‘valid’ record returned for whatever reason but all looks fine from a user perspective.
The output…….
Record is .. On line 43 of file /var/www/vhosts/eatout-iom.co.uk/httpdocs/yourrestaurant/datafaceapi/conf/ApplicationDelegate.php in function printstacktrace()
On line 1767 of file /var/www/vhosts/eatout-iom.co.uk/httpdocs/dataface-build/Dataface/Table.php in function getpermissions(,array(table9))
On line 128 of file /var/www/vhosts/eatout-iom.co.uk/httpdocs/dataface-build/Dataface/PermissionsTool.php in function getpermissions(array())
On line 1019 of file /var/www/vhosts/eatout-iom.co.uk/httpdocs/dataface-build/Dataface/Application.php in function getpermissions(dataface_table Object,array())
On line 1024 of file /var/www/vhosts/eatout-iom.co.uk/httpdocs/dataface-build/Dataface/Application.php in function getpermissions()
On line 194 of file /var/www/vhosts/eatout-iom.co.uk/httpdocs/dataface-build/Dataface/ActionTool.php in function checkpermission(view)
On line 1354 of file /var/www/vhosts/eatout-iom.co.uk/httpdocs/dataface-build/Dataface/Table.php in function getactions(array(table9))
On line 71 of file /var/www/vhosts/eatout-iom.co.uk/httpdocs/dataface-build/Dataface/ActionTool.php in function getactions(array(table9))
On line 84 of file /var/www/vhosts/eatout-iom.co.uk/httpdocs/dataface-build/Dataface/ActionTool.php in function _loadtableactions(table9)
On line 699 of file /var/www/vhosts/eatout-iom.co.uk/httpdocs/dataface-build/Dataface/Application.php in function getaction(array(table9,edit))
On line 1152 of file /var/www/vhosts/eatout-iom.co.uk/httpdocs/dataface-build/Dataface/Application.php in function handlerequest()
On line 14 of file /var/www/vhosts/eatout-iom.co.uk/httpdocs/yourrestaurant/datafaceapi/index.php in function display()
Hope this makes sense to you?
Graham
shannah — Mon Feb 05, 2007 3:19 pm
OK. We are interested in 2 pieces of information.
This is what you want to output for debugging:
What is $user
and What is $record
We know from the output above that $record is null (that is correct).
We don’t know what $user is.
You will want to, at some point, do: echo $user.
If $user is an object, then all is well.
If $user is an array, then something is funky.
We know that user is not null because of the line (if !isset($user) )…
So far all that output looks right - like it is working.
-Steve
geller — Mon Feb 05, 2007 4:18 pm
Steve
$user is Object
But still getting :-
Fatal error: Call to a member function on a non-object in /var/www/vhosts/eatout-iom.co.uk/httpdocs/yourrestaurant/datafaceapi/conf/ApplicationDelegate.php on line 45
shannah — Mon Feb 05, 2007 4:43 pm
What is on line 45?
geller — Mon Feb 05, 2007 5:27 pm
if ( $record->val('UserID') == $user->val('UserID') ) return Dataface_PermissionsTool::ALL();
So if $record is ‘null’ I suppose the above statement cannot be true. I guess it is better than it being an array……. isn’t it?
shannah — Tue Feb 06, 2007 3:12 am
So at this point I guess we’ve concluded that:
- $user is an object (it is not the culprit of the error)
- Therefore $record must be the culprit.
- The line if ( !isset($record) ) return Dataface_PermissionsTool::READ_ONLY(); ensures that $record is not null.
- Perhaps $record is an empty string (definitely do an echo on $record to find out for sure).
One thing that may get this thing going is to change the line
if ( !isset($record) ) return Dataface_PermissionsTool::READ_ONLY();
to
if ( !$record ) return Dataface_PermissionsTool::READ_ONLY();
geller — Tue Feb 06, 2007 7:06 am
Steve
$record is empty.
This is the bit I can’t get my head around. How can I check if the user owns the record if I can’t query the record that is trying to be edited yet the record is there when you remove the permissions?
if ( !$record ) return Dataface_PermissionsTool::READ_ONLY(); is controlling the permissions so all users only have read only access. Remove any getpermission() and the app works fine apart from there is no user record/owner authentication, which could lead to URL hacking.
shannah — Tue Feb 06, 2007 12:18 pm
OK.. something is wrong. If the record set is not empty, then $record should not be empty - in general. I think something may be gibbled with your install of Dataface.
I have just released 0.6.12 which consolidates all the latest patches. Please try that one. If it still fails, can you tar or zip up your app and send it to me (including SQL readout to create the tables) so that I can take a look and find out what is going on?
Thanks
Steve
shannah — Wed Feb 07, 2007 1:36 pm
Thanks Martin and Graham for pushing this issue.
I have found the problem and fixed it in the new version (0.6.12r1) available for download.
Best regards
Steve
geller — Thu Feb 08, 2007 3:59 pm
Steve
Just one further observation when using this particular getpermissions method is that in list view the delete all records function is no longer available. Is this an unavoidable consequence of the record by record authentication?
Cheers
Graham
shannah — Thu Feb 08, 2007 4:06 pm
The delete all records action is checked against the ‘delete’ permission for a table (as opposed to a record). I.e. when it calls your getPermissions() method, $record will be null. You can add handling for this in your getPermissions() method by returning appropriate users (administrators) ALL privileges even when $record is null.
-Steve
geller — Thu Feb 08, 2007 6:06 pm
Thanks again, got that one sorted.
Cheers
Graham
maxmokeyev — Fri Feb 16, 2007 3:31 am
I would greatly appreciate a detailed instruction on how to implement record-level security.
I want to achieve the following:
When the user logs in, I want the program to check the users ROLE. If it is ADMIN the user gets full access to everything. If it is not ADMIN (say USER) the user gets view/edit access but only to the records that belong to the user. (Whether they belong or not can be checked by comparing any two fields in the USERS table and the MAIN table).
Basically, I read through this thread, and am still a little lost on how to do this.
(I know this might be asking a lot, but I have an Access app that I really want to put on the web, or at least part of it, and the reason for that is the ability to do record level security).
thanks.
shannah — Fri Feb 16, 2007 11:46 am
First place to start would be:
http://framework.weblite.ca/documentation/tutorial/getting_started/permissions
Another tutorial that touches on permissions is here:
http://framework.weblite.ca/documentation/tutorial/submission_forms/permissions
If you translate your English description of permissions to PHP you would have:
1. “I want the program to check the users ROLE. If it is ADMIN the user gets full access to everything.”
if ( $user->val('role') == 'ADMIN' ) return Dataface_PermissionsTool::ALL();
2. “If it is not ADMIN (say USER) the user gets view/edit access but only to the records that belong to the user.”
if ( $user->val('userid') == $record->val('ownerid') ) return Dataface_PermissionsTool::ALL();
The only caveats are that you have to handle the cases where $user is null or $record is null - and do this before parts 1 and 2.
($user will be null only if the user is not logged in. $record is null if we are checking table level permissions or if no record was found).
if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
if ( !isset($record) ){
    // Actually you'll probably want to have separate cases in here for admins and regular users because you still need to give admins full access in this case.
}
Note: I decided to give instructions that didn’t involve a cut and paste snippet in this response because I think it will really help to understand how it works rather than just blindly cutting and pasting.
Hope this helps a little.
Best regards
Steve
maxmokeyev — Mon Feb 19, 2007 9:00 am
So I tried following the logic you laid out (Thank you.)
Here is what I have:
function getPermissions(&$record){
$auth =& Dataface_AuthenticationTool::getInstance();
$user =& $auth->getLoggedInUser();
if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
// if the user is null then nobody is logged in… no access.
// This will force a login prompt.
if (!isset($record)) {
if ($user->val('Role')!='ADMIN')return Dataface_PermissionsTool::NO_ACCESS();
if ($user->val('Role')=='ADMIN') return Dataface_PermissionsTool::ALL();
}
if ($user->val('Role')=='ADMIN') return Dataface_PermissionsTool::ALL();
//If role is ADMIN the user gets full access to everything
if ($user->val('FullName') == $record->val('Agent')) return Dataface_PermissionTool::ALL();
// If not admin give access only to own records
}
However, it always thinks that $record is always NULL as it never gets to the last two IFs. If I comment out the “if(!isset($record))” part, I get the following error:
Fatal error: Call to a member function val() on a non-object in C:\Program Files\vtigercrm5\apache\htdocs\vtigerCRM\contacts\conf\ApplicationDelegate.php on line 27
Line 27 is: if ($user->val('FullName') == $record->val('Agent')) return Dataface_PermissionTool::ALL();
If, with those lines commented out, I log in as ADMIN, I get full access.
Thanks.
shannah — Mon Feb 19, 2007 11:53 am
What version of Dataface are you using?
maxmokeyev — Mon Feb 19, 2007 12:42 pm
0.6.13r4
shannah — Mon Feb 19, 2007 1:03 pm
Circumstances where $record should be null:
- Dataface is checking permissions for the whole table. (Many of the actions along the top bar have associated calls to getPermissions with a null record).
- If the result set is empty (i.e. it says no records matched your request).
Your getPermissions method will be called several times per page load to check permissions on different things. Many times $record will be null, but if there are any records in the found set, there should be at least a few calls where $record is not null.
If you are sure that $record is always null and it should not be, then this is very strange indeed.
maxmokeyev — Mon Feb 19, 2007 1:23 pm
Well, I am not sure that it is, but that’s what it seems like. If I log in as admin, I get full access, if I log in as not admin, I get No Access. But there are definitely records returned. (One thing, I am using a view instead of a table, but I don’t see how that would change anything).
The other issue is that the last “if” statement comes back with an error. And I can’t figure out why.
maxmokeyev — Mon Feb 19, 2007 1:58 pm
I changed the line for non-admin users to have read only access if the record is null. When I log in as a regular user, I see all the records with “NO ACCESS” in all the fields. Only the ones that belong to the user (after filtering) show me the information and allow to edit it. (still cannot add records though).
When I click on one of the “NO ACCESS” records, I get the following:
“On line 324 of file C:\Program Files\apache\htdocs\vtigerCRM\DataFace\Dataface\PermissionsTool.php in function printStackTrace()
On line 341 of file C:\Program Files\apache\htdocs\vtigerCRM\DataFace\Dataface\PermissionsTool.php in function namesAsArray()
On line 794 of file C:\Program Files\apache\htdocs\vtigerCRM\DataFace\Dataface\Application.php in function namesAsString()
On line 1161 of file C:\Program Files\apache\htdocs\vtigerCRM\DataFace\Dataface\Application.php in function handleRequest()
On line 5 of file C:\Program Files\apache\htdocs\vtigerCRM\contacts\index.php in function display()
Warning: Invalid argument supplied for foreach() in C:\Program Files\apache\htdocs\vtigerCRM\DataFace\Dataface\PermissionsTool.php on line 326
Warning: implode() [function.implode]: Bad arguments. in C:\Program Files\apache\htdocs\vtigerCRM\DataFace\Dataface\Application.php on line 796”
And then the regular screen with
“
Errors
* Permission to perform action ‘view’ denied.
Requires permission ‘view’ but only granted ‘’.
”
shannah — Mon Feb 19, 2007 2:50 pm
One thing to be sure of is that your getPermissions method always returns something.
I.e. add a line at the end of your getPermissionsMethod to catch all other cases:
return Dataface_PermissionsTool::NO_ACCESS();
Another thing:
To avoid the list view from showing you all the records that you cannot access, you can use security filters. http://framework.weblite.ca/documentation/how-to/security_filters
Best regards
Steve
maxmokeyev — Wed Feb 21, 2007 4:07 am
Thanks for your help. Will keep playing with it to see if I can get the results I need.
geller — Wed Feb 21, 2007 5:37 pm
Can you give me a pointer as to why with my getPermissionsMethod I cannot insert new records!
I have narrowed it down to the ‘ return’ ‘READ_ONLY’ part of the statement in the following line
if ( $record->val('UserID') == $user->val('UserID') ) return Dataface_PermissionsTool::ALL();
// otherwise we give read only access
return Dataface_PermissionsTool::READ_ONLY();
not sure how to get round this?
shannah — Thu Feb 22, 2007 2:10 pm
Check out the example in the submission form tutorial (http://framework.weblite.ca/documentation/tutorial/submission_forms/permissions).
It shows you how to test for certain actions (e.g. -new : inserting new records) to provide special permissions in those cases.
-Steve
geller — Sun Feb 25, 2007 4:13 pm
I have added the following statement:-
if ( $query['-action'] == 'new' && $record->val('UserID') == $user->val('UserID'))
return Dataface_PermissionsTool::ALL();
And tested for $record->val('UserID') and $user->val('UserID') when inserting a record. I am still only getting read only permission suggesting the above statement is false?
Yet if I change the return action (just for argument’s sake) to NO_ACCESS then the above statement appears to be true as I get permission denied?
function getPermissions(&$record){
// first get the currently logged in user
$auth =& Dataface_AuthenticationTool::getInstance();
$user =& $auth->getLoggedInUser();
$app =& Dataface_Application::getInstance();
$query =& $app->getQuery();
// if no user is logged in, then we give no access
if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
//echo $user->val('Role'); exit;
// Allows delete all function
if (is_null($record) && $user->val('Role') == 'ADMIN' ) return Dataface_PermissionsTool::ALL();
// insert new record stuff
//echo $user->val('UserID');
//echo $record->val('UserID');
if ( $query['-action'] == 'new' && $record->val('UserID') == $user->val('UserID'))
return Dataface_PermissionsTool::ALL();
if ( !($record)) {
return Dataface_PermissionsTool::READ_ONLY();
}
// If the logged in user has the same UserID as the restaurant, then
// this user is the owner of the restaurant.. he has full permissions.
if ($record->val('UserID') == $user->val('UserID') ) return Dataface_PermissionsTool::ALL();
// otherwise we give read only access
return Dataface_PermissionsTool::READ_ONLY();
}
Graham
shannah — Tue Feb 27, 2007 1:00 pm
The problem you’re experiencing is due to the fact that if you are inserting a new record, you won’t be interested in the value of $record, because you’re inserting a record and hence the record you are working on doesn’t yet exist. Realistically $record should be null when inserting a new record, but I think that it is actually giving you the first record in the result set. Best to just ignore it in this case as it won’t be giving you what you want.
Best regards
Steve
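The decision order this thread arrives at (null user, admin, insert, null record, owner, default deny), as an added example that is not code from the thread or from Dataface. StubRecord, the permission-name arrays and the choice to grant only view and new on insert are assumptions standing in for the record objects and Dataface_PermissionsTool sets used above.

```php
<?php
// Added illustration: a stand-alone model of the getPermissions() decision
// order discussed in this thread. Nothing here is Dataface code.

// Stand-in for a record object: only val() is modelled (assumption).
final class StubRecord
{
    private array $values;

    public function __construct(array $values)
    {
        $this->values = $values;
    }

    public function val(string $field)
    {
        return $this->values[$field] ?? null;
    }
}

// Permission sets modelled as lists of permission names (assumed names).
const PERM_NONE      = [];
const PERM_READ_ONLY = ['view'];
const PERM_ALL       = ['view', 'new', 'edit', 'delete'];

/**
 * Decide the permission set for one getPermissions()-style call.
 *
 * $user   the logged-in user, or null when nobody is logged in
 * $record the current record, or null for table-level checks and empty result sets
 * $action the value of the request's -action parameter
 */
function decidePermissions(?StubRecord $user, ?StubRecord $record, string $action): array
{
    // 1. Nobody logged in: deny before any $user->val() call.
    if ($user === null) {
        return PERM_NONE;
    }

    // 2. Admins get everything. This runs before the null-record check so
    //    table-level actions such as "delete all" still work for them.
    if ($user->val('Role') === 'ADMIN') {
        return PERM_ALL;
    }

    // 3. Insert: the record does not exist yet, so $record is ignored even
    //    if it holds some other row. -action comes from the request, so
    //    this branch grants view and new only, never edit or delete.
    if ($action === 'new') {
        return ['view', 'new'];
    }

    // 4. Table-level check or empty result set: nothing to compare against,
    //    and $record->val() here would be the "non-object" fatal error.
    if ($record === null) {
        return PERM_READ_ONLY;
    }

    // 5. Owner check. Both sides are cast to string so 2 and '2' match, and
    //    a record with an empty owner field matches nobody.
    $owner = (string) $record->val('UserID');
    $me    = (string) $user->val('UserID');
    if ($owner !== '' && $owner === $me) {
        return PERM_ALL;
    }

    // 6. Every path returns something: default deny.
    return PERM_NONE;
}

// Constructed sample data (not taken from the thread).
$admin    = new StubRecord(['UserID' => 1, 'Role' => 'ADMIN']);
$alice    = new StubRecord(['UserID' => 2, 'Role' => 'USER']);
$aliceRow = new StubRecord(['UserID' => '2', 'Name' => 'row owned by alice']);
$bobRow   = new StubRecord(['UserID' => 3, 'Name' => 'row owned by bob']);
$orphan   = new StubRecord(['Name' => 'row with no owner value']);

$cases = [
    ['anonymous, table-level check',        null,   null,      'list'],
    ['admin, table-level check',            $admin, null,      'list'],
    ['user, table-level check',             $alice, null,      'list'],
    ['user, own record',                    $alice, $aliceRow, 'edit'],
    ['user, record owned by someone else',  $alice, $bobRow,   'edit'],
    ['user, record with no owner',          $alice, $orphan,   'edit'],
    ['user, insert while $record is stale', $alice, $bobRow,   'new'],
];

foreach ($cases as [$label, $user, $record, $action]) {
    $perms = decidePermissions($user, $record, $action);
    printf("%-38s %s\n", $label, $perms ? implode(',', $perms) : '(none)');
}
```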
sworden — Thu Mar 22, 2012 11:21 am
What is the easiest way to alter this code from a previous post.
shannah wrote: What you may want to try here is putting some output in certain places of your function so that you can see which logic path is being followed. (e.g. echo "here now")
As far as your permission denied error, I suspect that it is not even reaching the if ( $user and $user->val('role') == 'ADMIN'){
code. Likely isset($record) is true, so your if (!isset($record) ) gets stepped over. In fact, unless there is a typo in the code you just pasted, it looks like you’re missing a closing brace before if ( isset($record) ) because that if statement falls inside the previous if (!isset($record)) statement - which doesn’t make a lot of sense.
- Code: Select all
class conf_ApplicationDelegate {
    function getPermissions(&$record){
        $app =& Dataface_Application::getInstance();
        $query =& $app->getQuery();
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();
        // IF user is not logged in, he gets no access
        if (!$user ) return Dataface_PermissionsTool::NO_ACCESS();
        // Admins get full access
        if ( $user->val('role') == 'ADMIN' ) return Dataface_PermissionsTool::ALL();
        // Users can edit their own records
        if ( $record and $record->val('owner') == $user->val('UserName') )
            return Dataface_PermissionsTool::ALL();
        // In all other cases, there is NO ACCESS
        return Dataface_PermissionsTool::NO_ACCESS();
    }
}
The above function does what you intended and it avoids problems with null $records and null $users.
to do the following:
In my database I have admins, mentors, and students. Currently, the admins have the ADMIN role, mentors have the EDIT role, and students have the READ-ONLY role. I would like the mentors to be able to view, add, and edit records for students that they are mentoring, but only view records for students they are not mentoring. Currently, this relationship is defined in the “applicants” table where the “mentor_id” field is a foreign key.
I think this code is close to what I want to do, but not quite there.