Accessing records based upon username login

Archived from the Xataface Users forum.

sworden — Thu Feb 16, 2012 9:17 am

I have set up my database and am trying to figure out how to allow access to records in tables based upon the username used when logging in. For example, my login is an admin, so I can see and edit everything. I would like to be able to set it up so that when a student logs in he can see records that pertain to him/her, but no one else. I would also like the student to be able to view anything that pertains to him, but he would only be able to edit his contact info.

Also, I would like to set it up so that an instructor can see info for all students, but can only edit/input info for a student that he is mentoring. How do I accomplish these goals?


samhans — Thu Feb 16, 2012 12:27 pm

It's easy: define a security filter in your table delegate class. For that you have to make an ownerid column in your table.
You have asked a lot of questions; separate them so that they can be answered easily.

samhans


sworden — Thu Feb 16, 2012 1:31 pm

Yes, it is a lot of questions, but in retrospect they all appear to center around “how do I set up a security filter?”. I think I can start to figure out the rest.


samhans — Fri Feb 17, 2012 12:04 pm

Security filters can be set up by declaring a function in the table delegate class, or you can also specify it in the application delegate class.

There is a tutorial in the wiki on setting security filters.
If you face any problem after that, then come back.

samhans


sworden — Wed Mar 14, 2012 10:38 am

OK, when using this function:

function getPreferences(){
    $mytable =& Dataface_Table::loadTable('applicants'); // load the table named 'applicants'
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( $user and $user->val('rol') != 'ADMIN' ){
        // We apply the security filter to non admin users.
        $mytable->setSecurityFilter(array('owner_id'=>$user->val('user_id'));
    }
    return array(); // Mandatory!! getPreferences() must return array.
}

where do the owner_id and user_id values come from? The table I’m restricting access to, or the table that stores the log-in information? I have a “username” field in the “users” table (the table that stores log-in usernames and passwords) and an “applicants_id” field in the “applicants” table which is the unique identifier for that table.

Thanks.


samhans — Wed Mar 14, 2012 10:51 am

The owner id should be a field in the table to which you are restricting access.


sworden — Wed Mar 14, 2012 11:07 am

Thanks. Where does “user_id” come from?


shannah — Wed Mar 14, 2012 11:12 am

In your case, the owner_id field is in the table you’re restricting access to and the user_id field is from the users table.

-Steve


sworden — Wed Mar 14, 2012 11:39 am

shannah wrote: In your case, the owner_id field is in the table you’re restricting access to and the user_id field is from the users table.

-Steve

When I set them up this way (or any other combination that I’ve tried) I try to log-in and once I’ve input my username and password it looks like the log-in sequence hangs up on the index.php file (I just get a blank screen and the url says “http://www.povpc.org/cpm/index.php”). This happens whether I log-in with my admin account or a read-only account that I set up to test this. Right now I have the “username” field in the “users” table and the “applicants_id” field in the “applicants” table. Do I need to have both fields in the same record in one of these tables? Is that why I’m getting the blank screen?

Here is how I set up the function:

function getPreferences(){
    $mytable =& Dataface_Table::loadTable('applicants'); // load the table named 'applicants'
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( $user and $user->val('rol') != 'ADMIN' ){
        // We apply the security filter to non admin users.
        $mytable->setSecurityFilter(array('applicants_id'=>$user->val('username'));
    }
    return array(); // Mandatory!! getPreferences() must return array.
}


sworden — Thu Mar 15, 2012 7:03 am

I changed the table I’m restricting to the “transcripts” table so that I could at least get logged in (and changed “applicants” in the function to “transcripts” after I made a transcripts.php file in the “transcripts” folder). This is what shows up in the url when I click on the transcripts tab:

http://www.povpc.org/cpm/index.php?-table=transcripts

and the screen is blank.

Something doesn’t appear to be loading correctly. Any ideas?


shannah — Thu Mar 15, 2012 8:39 am

Check your error log


sworden — Thu Mar 15, 2012 9:21 am

The error log is saying it doesn’t like the ; in the line “$mytable->setSecurityFilter(array('APPLICANTS_ID'=>$user->val('USERNAME'));”

function getPreferences(){
    $mytable =& Dataface_Table::loadTable('transcripts'); // load the table named 'transcripts'
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( $user and $user->val('ROLE') != 'ADMIN' ){
        // We apply the security filter to non admin users.
        $mytable->setSecurityFilter(array('APPLICANTS_ID'=>$user->val('USERNAME'));
    }
    return array(); // Mandatory!! getPreferences() must return array.
}

I tried taking it out just to see what would happen. Then it doesn’t like the } that follows. These seem to be standard programming text, so what could be causing the problem?

Thanks for your help. I’m very new to PHP.


shannah — Thu Mar 15, 2012 9:42 am

Count the open parentheses and closing parentheses. You’re missing a closing parenthesis.


sworden — Thu Mar 15, 2012 10:00 am

Thanks! Now that I’ve got that fixed I’m getting a fatal error:

[15-Mar-2012 09:47:09] PHP Fatal error: Class 'tables_transcripts' not found in /home/povpc11/public_html/xataface/Dataface/Table.php on line 1116

From the Table.php file (the last line is line 1116):

function _loadDelegate(){

    if ( $this->_hasDelegateFile() ){

        import( $this->_delegateFilePath() );
        $delegate_name = "tables_".$this->tablename;
        $this->_delegate = new $delegate_name();


samhans — Thu Mar 15, 2012 10:10 am

Have you defined the table class properly? Check it again. You might have given the wrong name to the class file.


sworden — Thu Mar 15, 2012 11:57 am

Thanks so much! Between your help and this link: http://xataface.com/forum/viewtopic.php?t=4062#20406 I got it to work.


sworden — Thu Mar 15, 2012 2:52 pm

Everything was working great. I had logged in as both my admin account and a read-only account and everything was loading the way it was supposed to. Then I left the browser window open while I did some unrelated stuff to our main webpage (.css updates). Before I left for the day I went to look through the tables one last time and got the blank screen again on every table that I tried. I checked the error log and got this:

[15-Mar-2012 14:32:43] PHP Warning: ini_set() has been disabled for security reasons in /home/povpc11/public_html/xataface/config.inc.php on line 36
[15-Mar-2012 14:32:43] PHP Warning: ini_set() has been disabled for security reasons in /home/povpc11/public_html/xataface/config.inc.php on line 216
[15-Mar-2012 14:32:43] PHP Warning: require_once(I18Nv2/I18Nv2.php) [function.require-once]: failed to open stream: No such file or directory in /home/povpc11/public_html/xataface/config.inc.php on line 246
[15-Mar-2012 14:32:43] PHP Fatal error: require_once() [function.require]: Failed opening required 'I18Nv2/I18Nv2.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/povpc11/public_html/xataface/config.inc.php on line 246

I hadn’t changed anything since getting it to work successfully. What happened?

This is the section where line 36 is (the last line):
//Make sure when reading file data,
//PHP doesn't "magically" mangle backslashes!
//set_magic_quotes_runtime(FALSE);
ini_set('magic_quotes_runtimg', false);

This is the section where line 216 is (again, last line):
if ( $curr_dir_first ){
    $include_path = ".".PATH_SEPARATOR.$include_path;
}

ini_set('include_path', $include_path );

Line 246 (second to last line):
//$class = str_replace('/','_', $file);
//$class = substr($class, 0, strpos($class,'.'));
if ( !isset($imports[$file]) ){
    $imports[$file] = true;
    //error_log("importing ".$file);
    require_once $file;
}


sworden — Mon Mar 19, 2012 9:51 am

I believe I have defined them correctly. I haven’t defined table classes for each table because some of them are essentially just lookup tables for other tables. But for each table that does have data for each particular student, I defined for each .php table (in this example “applicants.php”) in the first line:

class tables_applicants {

followed by (this is the same for every table):

function init(&$table){
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
    $role = $user->val('ROLE');
    switch ($role){
        case 'ADMIN':
            return Dataface_PermissionsTool::ALL();
        default:
            $table->setSecurityFilter(array('APPLICANTS_ID'=>$user->val('APPLICANTS_ID')));
    }
}

}

The odd thing is, I set all this up using my admin account. Then I logged off and logged back in using a read-only account and every table was showing only the records it was supposed to for that student. When I came back later (I hadn’t logged out) and tried to switch to another table, I got the blank screen and those security warnings in my previous post.
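

An added example, not part of any post in this thread and not Xataface's own code: a table delegate for the applicants table that keeps the row filter in init() and returns permissions from getPermissions(), so a row that is reached some other way is still checked against its owner. ROLE, APPLICANTS_ID and 'ADMIN' come from the thread; the 'INSTRUCTOR' role and the MENTOR_ID and USER_ID fields are assumptions.

```php
<?php
// tables/applicants/applicants.php (added example)
// Assumed, not from the thread: role 'INSTRUCTOR', fields MENTOR_ID and USER_ID.
class tables_applicants {

    // Logged-in user record, or null when nobody is logged in.
    private function currentUser() {
        $auth = Dataface_AuthenticationTool::getInstance();
        $user = $auth->getLoggedInUser();
        return $user ? $user : null;
    }

    // Row filter: students only get rows carrying their own APPLICANTS_ID.
    function init(&$table) {
        $user = $this->currentUser();
        if (!$user) return; // anonymous visitors are denied in getPermissions()
        $role = $user->val('ROLE');
        if ($role == 'ADMIN' or $role == 'INSTRUCTOR') return; // these roles see every row
        $table->setSecurityFilter(array('APPLICANTS_ID' => $user->val('APPLICANTS_ID')));
    }

    // Record permissions: what the user may do with a row.
    // $record can be null when permissions are requested for the table itself.
    function getPermissions(&$record) {
        $user = $this->currentUser();
        if (!$user) return Dataface_PermissionsTool::NO_ACCESS();

        switch ($user->val('ROLE')) {
            case 'ADMIN':
                return Dataface_PermissionsTool::ALL();
            case 'INSTRUCTOR':
                // Read everything, edit only the students this instructor mentors.
                if ($record and $record->val('MENTOR_ID') == $user->val('USER_ID')) {
                    return Dataface_PermissionsTool::getRolePermissions('EDIT');
                }
                return Dataface_PermissionsTool::READ_ONLY();
            default:
                // Students: deny any row that belongs to someone else.
                if ($record and $record->val('APPLICANTS_ID') != $user->val('APPLICANTS_ID')) {
                    return Dataface_PermissionsTool::NO_ACCESS();
                }
                return Dataface_PermissionsTool::READ_ONLY();
        }
    }
}
```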