Record view security

Post by fester » Wed Jul 10, 2013 9:46 am

We want to be able to allow a user to see on the browse screen a user, and their details, but block them from viewing the record proper based on a value in the underlying record.

I.e., Manager can see all staff, but can only drill down if (Staff.Site) is in (Manager.Sites).

Which of the events should I be firing this on, and how should I gracefully say "GO AWAY"?

Re: Record view security

Post by massiws » Thu Jul 11, 2013 7:48 pm

fester,

you could use Custom Code > Before Browse to build a query based on your logic.

For example:
  • open the user form and insert this in General tab > SQL field:
    Code:
    SELECT * FROM #browseTable#
  • in Custom Code > Before Browse insert something like this:
    Code:
    // Access level of the logged-in user (nuBuilder hash variable)
    $current_user_access_level = "#access_level#";

    // Build the browse table from users joined to their groups
    $sql = 'CREATE TABLE #browseTable#
    SELECT u.zzsys_user_id, u.sus_name, u.sus_login_name, g.sug_group_name, g.sug_zzsys_access_level_id, u.sys_added
    FROM zzsys_user AS u
    LEFT JOIN (zzsys_user_group AS g) ON (u.sus_zzsys_user_group_id=g.zzsys_user_group_id) ';

    // Everyone except globeadmin only gets the rows of their own group
    if ($current_user_access_level != 'globeadmin') {
        $sql .= " WHERE g.sug_group_name = '$current_user_access_level' ";
    }
    nuRunQuery($sql);

This allows users to see only the members of their group, while the globeadmin can view all users.

Hope this helps,
Max

Re: Record view security

Post by fester » Mon Jul 29, 2013 11:12 am

Awesome, got that implemented actually on BeforeOpen. User is allowed to see they exist, just not edit.

Now how would I gracefully tell them to "go away" and cancel back to the browse screen?

Re: Record view security

Post by fester » Mon Jul 29, 2013 3:03 pm

I am running the following code in BeforeOpen. I want to bump the UI back to the Browse screen if we get to the else part.

I was using the #session_id# variable in the appropriate field, but it appears empty. When I echo it to HTML I get no value.
Code:
if ($found == 1 or $hasRecord == 0)
{ }
else
{
    // No access: show a message and send the browser back to the browse screen
    echo 'You do not have access to view this person\'s information.';
    $js = "openBrowse('150b3fbdb28054', '', '', '', '');";
    addJSfunction($js);
}

Re: Record view security

Post by massiws » Mon Jul 29, 2013 11:06 pm

fester, there is no simple way to stop nuBuilder before Edit Screen is loaded: have a look at this post.

You could try something like this:
  • in Custom Code > Before Open you can build a JavaScript function to use when Edit Screen is loaded, e.g.:
    Code:
    $js = "function getUserGroup() { return '".'#access_level#'."';} ";
    addJSFunction($js);
  • in Custom Code > Javascript you can use the created function to alert not authorized users:
    Code:
    function nuLoadThis() {
       
        // Stop user group 'xyz'
        if (getUserGroup() != 'xyz') {
            alert('You do not have access to view this person\'s information.');
            gotoNuHistory(2);    // go back to browse screen
        }

    }

Max

Re: Record view security

Post by fester » Wed Jul 31, 2013 8:17 am

Solved:
BeforeOpen:
Code:
if ($found == 1 or $hasRecord == 0)
{

}
else
{
    // No access: emit the JavaScript call that turns the user away
    addJSfunction('DontLoadMe();');
}

Javascript:
Code:
function DontLoadMe() {
    alert('You do not have access to view this person\'s information.');
    window.history.go(-1);    // go back one step in the browser history
}


gotoNuHistory() doesn't appear to work.
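
The solution above makes the decision in BeforeOpen but relies on browser-side JavaScript to turn the user away. As an added example (not from the thread and not nuBuilder code), this is the "Staff.Site is in Manager.Sites" check done entirely on the server, with the record read only after the check passes. The tables staff and manager_site, their columns, and the PDO/SQLite setup are assumptions made for illustration.

```php
<?php
// Added example, not nuBuilder code. The tables staff and manager_site are
// hypothetical stand-ins for Staff.Site and Manager.Sites from the thread.

// True only when the staff member's site is one of the manager's sites.
// Fails closed: unknown staff, unknown manager or no shared site gives false.
function canOpenStaffRecord(PDO $db, string $managerId, string $staffId): bool
{
    // Bound parameters keep both ids out of the SQL text.
    $stmt = $db->prepare(
        'SELECT 1 FROM staff AS s
           JOIN manager_site AS m ON m.site = s.site
          WHERE s.staff_id = :staff AND m.manager_id = :manager
          LIMIT 1'
    );
    $stmt->execute([':staff' => $staffId, ':manager' => $managerId]);
    return $stmt->fetchColumn() !== false;
}

// Reads the record only after the check passes; a denied caller gets null,
// so no field of the record is ever sent to the browser.
function loadStaffRecord(PDO $db, string $managerId, string $staffId): ?array
{
    if (!canOpenStaffRecord($db, $managerId, $staffId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT staff_id, name, site FROM staff WHERE staff_id = :staff');
    $stmt->execute([':staff' => $staffId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE staff (staff_id TEXT PRIMARY KEY, name TEXT, site TEXT)');
$db->exec('CREATE TABLE manager_site (manager_id TEXT, site TEXT)');
$db->exec("INSERT INTO staff VALUES ('s1', 'Alice', 'north'), ('s2', 'Bob', 'south')");
$db->exec("INSERT INTO manager_site VALUES ('m1', 'north'), ('m1', 'east')");

// Same site, different site, unknown staff id, unknown manager id.
foreach ([['m1', 's1'], ['m1', 's2'], ['m1', 'missing'], ['m9', 's1']] as [$manager, $staff]) {
    $row = loadStaffRecord($db, $manager, $staff);
    echo "$manager -> $staff: ", $row === null ? 'denied' : 'allowed', PHP_EOL;
}
```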

Re: Record view security

Post by massiws » Fri Aug 02, 2013 7:37 am

Well done!

