There is a global permission setting you can set for all tables in the conf/ApplicationDelegate.php class. So you can grant a particular user to say all the tables, or block them from all tables in this class. This is accomplished through the function getPermission() in the ApplicationDelegate.php class.
function getPermissions(&$record){
$auth =& Dataface_AuthenticationTool::getInstance();
$user =& $auth->getLoggedInUser(); //grabs the logged in user
if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS(); //if there is no user logged in, then they should not have access to anything.
$role = $user->val('role'); //grab the role of the user. the val function just returns the value of the parameter
if ( !$role ) return Dataface_PermissionsTool::NO_ACCESS(); //if no role, then they should get no permissions
return Dataface_PermissionsTool::getRolePermissions($role); //return the permissions of that role.
}
Now if you want to block them for specific tables, these permission settings are to be set at the delegate class table level. For example,
$auth =& Dataface_AuthenticationTool::getInstance();
$user =& $auth->getLoggedInUser();
//if user is not set and (no record OR no memberID) and action is new
//give them person to edit. Enter information into the fields
if ( !$user and ( !$record || !$record->val('memberid') ) and @$_GET['-action'] == 'new' ){
return Dataface_PermissionsTool::getRolePermissions('EDIT');
//if there is just no user then they should have no acess
} else if (!$user ) {
return Dataface_PermissionsTool::NO_ACCESS();
//if there is a user, then return the role permissions of that user
} else {
return Dataface_PermissionsTool::getRolePermissions($user->val('role'));
//return PEAR::raiseError('Let the app delegate class handle it', DATAFACE_E_REQUEST_NOT_HANDLED);
}
And if we want even more fine grained, then we can do it was the field level. The field level is a little more tricky thou. To provide permissions for a given field, it must follow this syntax:
function FIELDNAME__permissions(&$record)
The record represents the given record object in question (not 100% how this works...but it could mean a row in the database...but if it is a submission form is the row empty?).
The function body could be:
$auth =& Dataface_AuthenticationTool::getInstance();
$user =& $auth->getLoggedInUser();
if ( !$user or $user->val('role') != 'ADMIN'){
return Dataface_PermissionsTool::NO_ACCESS();
}
Here we are getting the logged in user, and it doesn't exist, or if it does exist, but role is NOT admin, then they should have no access and thus it will not appear in the form.
No comments:
Post a Comment