⚠ In case you've missed it, we have migrated to our new website, with a brand new forum. For more details about the migration you can read our blog post for website migration. This is an archived forum. ⚠

  •     

profile picture

how can I limit action for each user ?

Started by , 27 February 2012 - 19:29 PM


ali_fattahi
  • profile picture
  • Member

Posted 27 February 2012 - 19:29 PM

Hello Again!
I have a multiuser cms and i limited the lists with user_id , but it has a security problem and any user can edit or delete records without checking the user_id
for example :
I Have a category table that have

id user_id cat_name

and when I will show data to grids I limited result of list with user_id , but the actions like delete o edit is allowed for that records that not in list or not for this user_id :D

there is any way to solve this problem ?

Thanks
Ali

web-johnny
  • profile picture
  • Administrator
  • 1,166 posts

Posted 27 February 2012 - 19:50 PM

You can use the callback_before_delete (it is similar with callback_escape_delete that you can see at: http://www.grocerycrud.com/documentation/options_functions/callback_escape_delete ) and check the user_id and if it is not allow to delete it so just return false and it will have an error in the page without running of course the query.

ali_fattahi
  • profile picture
  • Member

Posted 27 February 2012 - 20:36 PM

i tested you solution , it doesn't show any error . there is any way to prevent to show edit page for that users or redirect that useres to a url ?
here is my code :

function    test()

    {

            

            $crud = new grocery_CRUD();

            $crud->set_theme('datatables');

            $crud->set_subject('دسته جدید');

            $crud->set_table('blog_category');

            $crud->where('user_id',$this->user_id);

            $crud->set_rules('name','نام دسته','encode_php_tags');

            $crud->edit_fields('name','user_id');

            $crud->add_fields('name','user_id');

            $crud->change_field_type('user_id', 'invisible');

            $crud->columns('name');

            $crud->display_as('name','نام دسته');

            $crud->callback_before_insert(array($this,'clear'));        

            $crud->callback_before_update(array($this,'check_user'));        

            $output = $crud->render();



            $this->_example_output($output);



    }

    function clear($post_array=array(), $key = null)

    {

        //$post_array['name'] = $this->db->escape_str($this->security->xss_clean($post_array['name']));

	    $post_array['user_id'] = $this->user_id;

        $post_array['parent_id']='1';

	    return $post_array;

    }

    function    check_user($post_array=array(), $key = null)

    {

        if ($post_array['user_id']!=$this->user_id)

            return false;

            else

            return true;

    }


there are any problem ?