[Wibi]

Hi,
I have question about security for editing/deleting data in a table.
For example, I have table with name [b]my_files[/b] with field:

id	 user_id    my_file

1	 100		 abc

2	 100		 def

3	 105		 cde

when user logged in as userid 100, I can simply display filtered data my_files table to user with code,:

function myfunction(){

	 .......

	 $crud->set_table('my_files');

	 $crud->where('user_id',$this->session->userdata("loginuserid"));

	 ......

}

Unfortunately $crud->where only work for list, not for update/delete
When it is about update/delete record, other user still can see/update/delete others user data.
For example, when I logged in with user_id: 105, I can edit/delete data in table my_files for id 1 (owned by user 100) by accessing url:

www.mydomain...../memberarea/myfunction/edit/1 or www.mydomain...../memberarea/myfunction/delete/1

Is there any simillar features like $crud->where command that I can use for securing edit/delete data

eg. $crud->where_delete('user_id',$this->session->userdata("loginuserid"));

so when url www.mydomain...../memberarea/myfunction/delete/1 called, it will execute

delete from 'my_files' where `id`='1' and `user_id`='105'

instead of

delete from 'my_files' where `id`='1'

Also for updating record, it will not show the edit form when additional where condition not meet.

any idea?

[victor]

Hi, Wibi and welcom to the forum! There is a solution, but I'm busy now. I can help you later.

[victor]

This is a simplified version of function, but it works.

var $user = 2;



function pr() {



// validation init

$this->security();

$crud = new grocery_CRUD();

$crud->set_table('my_files');

$crud->where('user_id', $this->user);

$output = $crud->render();

$this->_example_output($output);

}



function security() {

    $method = $this->uri->segment(3);



    if ($method == "edit" or $method == 'update_validation' or $method == 'delete') {

           $id = $this->uri->segment(4);

           $result = $this->db->get_where('my_files', array('id' => $id), 1)->row();

           if ($result->user_id != $this->user)

           {

               echo "You don't have access";

               exit;

           }

          else return true;

     }

}

[Wibi]

Hi victor,
Thanks a lot for your reply, after read more about documentation and found $crud->set_model, actually I already have an idea to extend grocery_CRUD_model for solution.

class my_grocery_CRUD_Model extends grocery_CRUD_Model {

     private $whereupdate = null;

      private $wheredelete = null;

    

     private function _rebuild_where($primary_key_value,$additional_where){

        $primary_key_field = $this->get_primary_key();

        if($additional_where != null){

            $arr_where=$additional_where;

            $arr_where[$primary_key_field]=$primary_key_value;

        }else{

            $arr_where=array( $primary_key_field => $primary_key_value);

        }

        return $arr_where;

     }

    

     function where_update($key,$val){ // for update

         $this->whereupdate[$key]=$val;

     }

    

     function where_delete($key,$val){ // for delete

         $this->wheredelete[$key]=$val;

     }

    

     function where_ext($key,$val){ // for update and delete

         $this->whereupdate[$key]=$val;

         $this->wheredelete[$key]=$val;

     }

    

     function get_edit_values($primary_key_value){

        $where=$this->_rebuild_where($primary_key_value,$this->whereupdate);

        $this->db->where($where);    

        $result = $this->db->get($this->table_name)->row();

        return $result;

    }

    

    function db_update($post_array, $primary_key_value){

        $where=$this->_rebuild_where($primary_key_value,$this->whereupdate);

        return $this->db->update($this->table_name,$post_array, $where);

    }

    

    function db_delete($primary_key_value){

        $primary_key_field = $this->get_primary_key();

        if($primary_key_field === false)

            return false;



        $where=$this->_rebuild_where($primary_key_value,$this->whereupdate);

        $this->db->limit(1);

        $this->db->delete($this->table_name,$where);

        if( $this->db->affected_rows() != 1)

            return false;

        else

            return true;

    }

}

and in my controller script :

function myfunction(){

.....

$crud = new grocery_CRUD();

$crud->set_model('my_grocery_CRUD_model');

$crud->set_table('my_files');

$crud->where('user_id',$this->session->userdata("loginuserid"));

$crud->basic_model->where_ext('siteid',$this->session->userdata("loginuserid"));

.....

}

But it seems your code is more clean and efective . thanks a lot