Record view security
Posted: Wed Jul 10, 2013 2:16 am
by fester
We want to be able to allow a user to see on the browse screen a user, and their details, but block them viewing the record proper based on a value in the underlying record.
I.e. Manager can see all staff, but can only drill down if (Staff.Site) is in (Manager.Sites).
Which of the events should I be firing this on, and how should I gracefully say "GO AWAY"?
Re: Record view security
Posted: Thu Jul 11, 2013 12:18 pm
by massiws
fester,
you could use Custom Code > Before Browse to build a query based on your logic.
For example:
- open the user form and insert this in General tab > SQL field:
- in Custom Code > Before Browse insert something like this:
Code:
    // #access_level# is replaced with the current user's access level
    $current_user_access_level = "#access_level#";

    // Build the browse table from users joined to their groups
    $sql = 'CREATE TABLE #browseTable#
        SELECT u.zzsys_user_id, u.sus_name, u.sus_login_name, g.sug_group_name, g.sug_zzsys_access_level_id, u.sys_added
        FROM zzsys_user AS u
        LEFT JOIN (zzsys_user_group AS g) ON (u.sus_zzsys_user_group_id=g.zzsys_user_group_id) ';

    // Everyone except globeadmin is limited to the group named after their access level
    if ($current_user_access_level != 'globeadmin') {
        $sql .= " WHERE g.sug_group_name = '$current_user_access_level' ";
    }
    nuRunQuery($sql);
This allows users to see only the members of their group, while the globeadmin can view all users.
Hope this helps,
Max
Re: Record view security
Posted: Mon Jul 29, 2013 3:42 am
by fester
Awesome, got that implemented actually on BeforeOpen. User is allowed to see they exist, just not edit.
Now how would I gracefully tell them to "go away" and cancel back to the browse screen?
Re: Record view security
Posted: Mon Jul 29, 2013 7:33 am
by fester
I am running the following code in BeforeOpen. I want to bump the UI back to the Browse screen if we get to the else part.
I was using the #session_id# variable in the appropriate field, but it appears empty. When I echo it to HTML I get no value.
Code:
    if ($found == 1 or $hasRecord == 0)
    {
        // access allowed: nothing to do
    }
    else
    {
        echo 'You do not have access to view this person\'s information.';
        $js = "openBrowse('150b3fbdb28054', '', '', '', '');";
        addJSfunction($js);
    }
Re: Record view security
Posted: Mon Jul 29, 2013 3:36 pm
by massiws
fester, there is no simple way to stop nuBuilder before Edit Screen is loaded: have a look at this post.
You could try something like this:
- in Custom Code > Before Open you can build a JavaScript function to use when Edit Screen is loaded, e.g.:
Code:
    // Emit a JavaScript function that returns the current user's access level
    $js = "function getUserGroup() { return '".'#access_level#'."';} ";
    addJSFunction($js);
- in Custom Code > Javascript you can use the created function to alert not authorized users:
Code:
    function nuLoadThis() {
        // Turn away every user whose group is not 'xyz'
        if (getUserGroup() != 'xyz') {
            alert('You do not have access to view this person\'s information.');
            gotoNuHistory(2); // go back to browse screen
        }
    }
Max
Re: Record view security
Posted: Wed Jul 31, 2013 12:47 am
by fester
Solved:
BeforeOpen:
Code:
    if ($found == 1 or $hasRecord == 0)
    {
    }
    else
    {
        addJSfunction('DontLoadMe();');
    }
Javascript:
Code:
    function DontLoadMe() {
        alert('You do not have access to view this person\'s information.');
        window.history.go(-1);
    }
gotoNuHistory() doesn't appear to work.
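
The solution above makes the decision in BeforeOpen but turns the user away with JavaScript in the browser. An added example, not part of the original thread and not nuBuilder code, that enforces the "Staff.Site is in Manager.Sites" rule inside the query that loads the record, so a denied request returns no data at all. The staff and manager_site tables, their columns and fetchStaffForManager() are assumptions, run here against an in-memory SQLite database through PDO.

```php
<?php
// Added example: table and column names are constructed, not nuBuilder's schema.

/**
 * Return the staff row only if the staff member's site is one of the
 * manager's sites; return null otherwise (deny by default).
 */
function fetchStaffForManager(PDO $db, string $managerId, string $staffId): ?array
{
    // One parameterized query does both the lookup and the authorization
    // check, so an unauthorized request never loads the record.
    $stmt = $db->prepare(
        'SELECT s.staff_id, s.name, s.site
           FROM staff AS s
           JOIN manager_site AS ms ON ms.site = s.site
          WHERE s.staff_id = :staff AND ms.manager_id = :manager'
    );
    $stmt->execute([':staff' => $staffId, ':manager' => $managerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE staff (staff_id TEXT PRIMARY KEY, name TEXT, site TEXT)');
$db->exec('CREATE TABLE manager_site (manager_id TEXT, site TEXT)');
$db->exec("INSERT INTO staff VALUES ('s1', 'Alice', 'north'), ('s2', 'Bob', 'south')");
$db->exec("INSERT INTO manager_site VALUES ('m1', 'north'), ('m1', 'east')");

// s1 is at one of m1's sites, s2 is not, s9 does not exist.
foreach (['s1', 's2', 's9'] as $staffId) {
    $row = fetchStaffForManager($db, 'm1', $staffId);
    if ($row === null) {
        // Same answer for "no such record" and "not allowed".
        echo "$staffId: denied\n";
    } else {
        echo "$staffId: {$row['name']} ({$row['site']})\n";
    }
}
```

With the check on the server, the browser-side alert and history navigation only decide how the refusal is presented.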
Re: Record view security
Posted: Fri Aug 02, 2013 12:07 am
by massiws
Well done!