Different users logging in?

MarkusD
  • Member

Posted 22 November 2012 - 08:54 AM

Hello,

Would it be possible for the administration panel, where the table and rows are, to have access for different users, so that each user just gets his own table that he can modify?

That is, what we have now is an administration page, a CRUD page where we can upload pictures, write text, etc., but only for me. The scenario is that you have a website and you let other people log in, each with their own account, and each of them would have access to only their own table with their own data. Of course, all can log in at the same time from different places in the world.

I can imagine, of course, that that would be a matter of session_id, where each user gets his own, and with that session_id the specific data are then retrieved for each user. I am imagining all this, but is it really feasible, or would it be too difficult to do with CRUD?

Thanks

victor
  • Member

Posted 22 November 2012 - 10:02 AM

Hi MarkusD, and welcome to the forum!
Maybe your solution is here:
/topic/1043-security-concern-about-multiuser-data-in-a-table/

MarkusD
  • Member

Posted 22 November 2012 - 10:19 AM

[quote name='victor' timestamp='1353578543' post='4371']
Hi, MarkusD and welcome to the forum!
maybe your solution is here:
http://www.grocerycr...ata-in-a-table/
[/quote]

Thank you very much, I will study that!

MarkusD
  • Member

Posted 24 November 2012 - 08:58 AM

Hello,

I have been studying your code to understand it, but there is something I don't grasp very well.

When a user lands on the page, because the page can already know the name of the user (you mark it as User = 2), it goes to a function that makes a query with that ID and returns a list of rows. That is fine. What I don't understand is how you are actually getting the values from the 3rd and 4th segments, because at that point there are no values in there. There are only 2 segments, controller and function, but not a third segment for edit or delete, and not a fourth segment for id.



var $user = 2;

function pr() {
    // validation init
    # Before loading any table, we redirect to a function which will select the rows that correspond only to the user. That is correct and fine.
    $this->security();

    # Now we have returned from the function and we have our own data to create our table
    $crud = new grocery_CRUD();
    $crud->set_table('my_files');
    $crud->where('user_id', $this->user);
    $output = $crud->render();
    $this->_example_output($output);
}

function security() {
    # But here, I don't see there is any value in the 3rd segment. On arriving there is only the controller and the function, so segments 1 and 2.

    # When the user clicks on Edit or Delete or Add, then comes the 3rd segment and it is shown in the URL, but only after clicking.
    $method = $this->uri->segment(3);
    if ($method == 'edit' or $method == 'update_validation' or $method == 'delete') {

        # Where is the value of a fourth segment after clicking Edit or Delete? I don't get any in my page.

        # You are assuming it would be the ID, but it does not appear in my URL. I can show it in the page like "Welcome John to the Administration Panel".
        $id = $this->uri->segment(4);
        $result = $this->db->get_where('my_files', array('id' => $id), 1)->row();
        if ($result->user_id != $this->user) {
            echo "You don't have access";
            exit;
        } else {
            return true;
        }
    }
}


So, the question is:

Wouldn't you instead, when the page is loading, use $username to retrieve only the table that corresponds to that user? If I understand your code correctly, when the page loads, all the rows of everybody are loaded.

That is, if my understanding is correct, it is much easier to simply do, as you say:

$crud->set_table('my_files');
$crud->where('user_id', $this->user);

What is the reason that you go on to do the rest of the code about segments 3 and 4, etc.?

victor
  • Member

Posted 24 November 2012 - 09:10 AM

This is to ensure that users cannot remove or edit someone else's data, only their own.
For example:
http://localhost/controller/method/delete/10 - delete row 10.
http://localhost/controller/method/edit/10 - edit row 10
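Putting the two replies above together, here is an added example (not code from this thread and not the grocery CRUD project's own code) of a CodeIgniter controller that filters the listing with where(), checks that the row named in the URL belongs to the logged-in user before edit, update or delete runs, and stamps the session user's id onto inserts and updates. It assumes a login step, not shown, that stores the user's id in the session under 'user_id'; a table my_files with columns id and user_id; and grocery CRUD's callback_before_insert and callback_before_update hooks. The helper names current_user_id and owns_row are invented for the example.

```php
<?php
// Added example: a multi-user grocery CRUD controller with row ownership checks.
// Assumed: CodeIgniter 2.x, the session library, grocery CRUD, and a login step
// (not shown) that stored the user's id in the session under 'user_id'.
class Files extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->database();
        $this->load->library('session');
        $this->load->library('grocery_CRUD');
    }

    // Returns the logged-in user's id, or stops the request if nobody is logged in.
    private function current_user_id()
    {
        $user_id = $this->session->userdata('user_id');
        if (!$user_id) {
            show_error('Please log in first', 403);
        }
        return (int) $user_id;
    }

    // True only when row $id exists AND belongs to $user_id. A missing row
    // counts as "not yours", so a guessed id gets the same answer as a foreign one.
    private function owns_row($id, $user_id)
    {
        $row = $this->db->get_where('my_files', array('id' => (int) $id), 1)->row();
        return $row !== null && (int) $row->user_id === $user_id;
    }

    public function my_files()
    {
        $user_id = $this->current_user_id();

        // Layer 1: the listing (and the edit form it links to) shows only this user's rows.
        $crud = new grocery_CRUD();
        $crud->set_table('my_files');
        $crud->where('user_id', $user_id);

        // Layer 2: URLs such as .../my_files/edit/10 or .../my_files/delete/10 can be
        // typed by hand, so the row id in segment 4 is checked against the session
        // user before any state-changing operation named in segment 3 is allowed.
        $operation = $this->uri->segment(3);
        $guarded = array('edit', 'update', 'update_validation', 'delete');
        if (in_array($operation, $guarded, true)) {
            if (!$this->owns_row($this->uri->segment(4), $user_id)) {
                show_error("You don't have access to this row", 403);
            }
        }

        // Layer 3: whatever the submitted form contains, a stored row always carries
        // the session user's id, so rows cannot be created in or moved to another account.
        $crud->callback_before_insert(function ($post_array) use ($user_id) {
            $post_array['user_id'] = $user_id;
            return $post_array;
        });
        $crud->callback_before_update(function ($post_array, $primary_key) use ($user_id) {
            $post_array['user_id'] = $user_id;
            return $post_array;
        });

        $output = $crud->render();
        $this->load->view('example', $output);
    }
}
```

The where() call answers the listing question from the earlier post; the segment check answers victor's point, because it does not depend on what the listing showed and is evaluated on every request, including ones whose URL was typed rather than clicked. Treating a non-existent row as "not yours" keeps the response identical for foreign and invalid ids, so the check leaks nothing about which ids exist.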