Related record permissions problems

Archived from the Xataface Users forum.

ururk — Wed Jan 26, 2011 12:10 am

Let’s say I have three tables - people, cars, houses

cars & houses are defined as having a relationship with people (e.g., people can have multiple cars, houses) in people/relationships.ini

OWNERS in the system have access to people, cars, but should not have access to houses
ADMINS should have access to all tables

So… I have a table class defined on houses:

Code:

    function getPermissions(&$record){
        if ($this->isAdmin()) {
            return Dataface_PermissionsTool::getRolePermissions('ADMIN');
        }

        return Dataface_PermissionsTool::NO_ACCESS();
    }

If I go to the URL (as an OWNER):

Code:

    ?-table=houses

I get a permission denied error (correct).

But if I look at a person record, I see a tab for houses, and clicking on the tab allows me to add a related record to the table.

So… is this expected? What could I be doing wrong?

Thanks!


shannah — Wed Jan 26, 2011 12:24 am

The houses relationship will be dictated by the permissions on the person table. There are a number of permissions pertaining to relationships, e.g. add new, add existing, view related, etc… See the permissions.ini file for a list. You can override per relationship too.


ururk — Wed Jan 26, 2011 12:44 am

shannah wrote: The houses relationship will be dictated by the permissions on the person table. There are a number of permissions pertaining to relationships, e.g. add new, add existing, view related, etc… See the permissions.ini file for a list. You can override per relationship too.

Got it:

permissions.ini:

Code:

    access_houses = Access to house information

    [OWNER extends OWNER]
       access_houses=0

And in relationships.ini:

Code:

    [houses]
    action:label="Houses"
    action:permission=access_houses
    house.ID = "$ID"

shannah — Wed Jan 26, 2011 12:51 am

This will hide the tab but it doesn’t cut off the ability to add or remove records from this relationship if they know the URLs to access the appropriate forms. You need to revoke the relationship permissions. Check out the Xataface permissions.ini file to see which permissions I’m talking about.


shannah — Wed Jan 26, 2011 12:27 pm

I have added some documentation on relationship permissions to the wiki.
http://xataface.com/wiki/Relationship_Permissions

Hopefully this helps a little.
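
The gap described in the 12:51 am reply (tab hidden via action:permission, relationship permissions left in place) can be checked for mechanically. The following is an added example, not part of the original thread or of Xataface: a Python audit over the two INI files that reports roles for which a relationship tab is hidden but the relationship permissions are not explicitly set to 0. The permission names in `REL_PERMS` and the function names are assumptions; the sample input is constructed from the configuration posted above.

```python
import configparser

# Assumed relationship permission names (based on the "add new", "add
# existing", "view related" permissions named in the thread); confirm them
# against the permissions.ini shipped with your Xataface version.
REL_PERMS = ("view related records", "add new related record",
             "add existing related record", "remove related record")

# Constructed sample input mirroring the configuration posted in the thread.
PERMISSIONS_INI = """\
access_houses = Access to house information

[OWNER extends OWNER]
access_houses=0
"""
RELATIONSHIPS_INI = """\
[houses]
action:label="Houses"
action:permission=access_houses
house.ID = "$ID"
"""

def _parse(text):
    # '=' is the only delimiter so keys such as action:permission stay whole;
    # a dummy section holds the permission labels defined above any [role].
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string("[__labels__]\n" + text)
    return cp

def audit(permissions_ini, relationships_ini):
    """Return (relationship, role, [relationship permissions not set to 0])."""
    roles, rels, findings = _parse(permissions_ini), _parse(relationships_ini), []
    for rel in rels.sections():
        gate = rels[rel].get("action:permission")
        if rel == "__labels__" or gate is None:
            continue
        for role in roles.sections():
            if role == "__labels__" or roles[role].get(gate, "").strip() != "0":
                continue
            # Tab is hidden for this role; check the relationship permissions.
            left = [p for p in REL_PERMS if roles[role].get(p, "").strip() != "0"]
            if left:
                findings.append((rel, role.split(" extends ")[0], left))
    return findings

if __name__ == "__main__":
    for rel, role, left in audit(PERMISSIONS_INI, RELATIONSHIPS_INI):
        print(f"{rel}: tab hidden for {role}, not explicitly revoked: {left}")
```

The check only sees what the two INI files set explicitly; permissions granted or denied elsewhere (a parent role, a delegate class) are outside its view, so treat each finding as something to verify by hand.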