Does nuBuilder have "field level access restrictions feature"? Topic is solved

[rich3art]

Hi,

I have been studying nubuilder for a few days now and cant seem to find this feature:

I want to not only restrict access to the entire table to a certain user but also want to restrict access to a certain field within that table aswell.

For example, lets say you have a law firm and each employee can log in and submit documents enter data etc (on a table) but then the management (not me as a super admin/user but another user higher than employee) is the only one that has access to a certain field in that table and the employees can "read only" that field but the management can change that field to example "will receive promotion this month" as an example.

I hope this feature is already in nubuilder and if not what will be the easiest way for me to implement this with or without code (hopefully the most secure way)

Any help and guidance is much appreciated

Kind Regards,
Richard

[kev1n]

Hi,

Can this topic be moved to the general forum or is it somehow related to reports?

[rich3art]

Hi Kevin, sure yes it can be moved sorry

[kev1n]

Access can be restricted on the client side (with JavaScript), but this is not secure and can be easily bypassed.
That is why I recommend using PHP to make sure that the specific field has not been changed by an unauthorised person. I can provide an example if you wish.

[rich3art]

Yes please I would love an example and how and where to I then add the PHP to prevent this access per field?

[kev1n]

I've prepared an example:

In the form's Custom Code, disable the field in question (in this example my_field) with JavaScript:

Code: Select all

// If the Access Level Code does not equal to "Management", disable "my_field":
if (nuAccessLevelCode() != 'Management') {
	nuDisable('my_field');
}

In the BS (Before Save) PHP event, check if the value of the field in question has been modified by an unauthorised person/Access Level.

Code: Select all

// The function dbGetValue() retrieves the original value from the table, before the record is saved
function dbGetValue($tableName, $primaryKey, $recordId, $columnName) {
	$select = "SELECT `$columnName` FROM `$tableName` WHERE `$primaryKey` = ?";
	$result = nuRunQuery($select, array($recordId));
	$arr = db_fetch_array($result);
	return $arr[$columnName];
}

// Replace my_table with your table name, my_table_primary_key with your table's primary key and my_field with your object id.
$orgValue = dbGetValue('my_table', 'my_table_primary_key', '#RECORD_ID#', 'my_field');
$newValue ='#my_field#';

// Compare the original value with the new value and disallow saving, if the field has been changed/manipulated by an Access Level code other than "Management".

if ($orgValue != '#my_field#' && '#ACCESS_LEVEL_CODE#' !== 'Management') {
   nuDisplayError('It is not permitted to modify the field xyz...');
}

[rich3art]

Wow awesome thanks Kevin, Im going to give it a try and Il update you if I have any further question.

[kev1n]

Small correction: It' the BS (Before Save) event, not BE of course.

[rich3art]

Oky I understand, but with that said can I not make it in the BE event so it will even prevent it from being edited?

[kev1n]

Well you could but as I mentioned this can be easily bypassed if you know how.