Setting User privileges set Editor Datatables

Khalid Teli

Hi ,
Now that my data-tables are almost ready. I have already created a user login portal, where users can login based on Username and Password given

Now, I am trying to set privileges for each user to read/write/ only specific data from database. This is very important for my project as there is some important financial information which only few people can view.

For example:

1) User-1: **can read data from all tables in database.
**2) User-2: Can only read few columns from each table in database.
3) User-3: can read all data and able to edit some data.

Please provide some ideas how can I proceeded with this as this is extremely important for my project.
Your suggestions will be highly appreciated

tangerine

Does your Users table incorporate access levels?

colin

This thread should help, it's asking the same thing.

Cheers,

Colin

Khalid Teli

@tangerine can you please elaborate?

Just to give an idea , for the basic login system, I am reading username and password from data inputted in database and compare it against the user input (POST method).

Then I am saving the username in SESSION Variable and use it across other tables to give basic access rights , which allows a user to edit or only read from table
for example sessionId reads the information from current session and if it matches some value which in my case is abc , it will allow to edit the information otherwise no.

    var sessionId = "<?php echo $_SESSION['username']; ?>";

if (sessionId === 'abc') {
    $('#example').on('click', 'tbody tr td', function() {
      editor.inline(this);
    }); 

    table.button().add(
      null, { extend: "create", editor: editor }     
    )
}

I want to extend this to hide columns and check if this is the right way of doing it? Thanks

Khalid Teli

@colin
Thank you.
I followed the same example. However, I am not able to understand how to logic behind hiding the data (columns) from server-side and then sending the data to client. based on user roles.

If I am not wrong, if we do it from client side (hide the columns) the data will be still accessible using the developer tool->XHR response.

Thank you

colin

Yep, the thread I pointed you towards was for the editing aspect - i.e. when to permit the Edit and New buttons to appear.

To hide specific columns, you're correct, if it's sent, it's visible in the payload. There, you would need to do something like first interrogate the server to see what columns the user would have access to, then when initialising the table, base it upon that information. It would need to be a two step process.

Colin

Khalid Teli

@collin Thank you very much.
I was able to hide the column data from server-side using:

    if ( $_SESSION['privileges'] === 'abc') {
      $editor->fields(Field::inst( 'admins.first_name' )
        ->get(false)

    );
    }

It works perfect. However, when retrieving the data from client side, it shows this message

Requested unknown parameter 'admins.first_name' for row 0, column 2

From the client side I tired to fit it in if statement using :

     if ($_SESSION['privileges'] === 'abc') {

            table.columns( [ 2 ] ).visible( false, false );
         table.columns.adjust().draw( false ); 

        }

This doesn't seem to be working right.

Can you please give me an idea how can i ignore this error based on dynamically hiding some columns based on $_SESSION['privileges'] variable

colin

That's because you've probably initialised the table for more columns than what you received. My idea above was to query the server before any initialisation, get the columns that can be viewed, and then initialise the table with that information. Hope that makes sense,

Colin

Khalid Teli

@colin
it does make sense. But irrespective of the query results, for the returned data, wouldn't I need to initialise all the columns anyway? And in that case when the result for any column is set to false , it will still show the same error?

For user 'abc' it needs to display all column but for user 'def' it needs to hide few. In both cases data table needs to be intilized with all possible columns.

    if ( $_SESSION['privileges'] === 'abc') {
      $editor->fields(Field::inst( 'admins.first_name' )

    );
    }

    else if ( $_SESSION['privileges'] === 'def') {
      $editor->fields(Field::inst( 'admins.first_name' )
        ->get(false)
        );

    }

or is there a way to create columns dynamically?
I would really appreciate, if you can give me a very simple example?

Thank you

Khalid Teli

@colin please ignore my previous comment, I am sure it doesn't make much sense, sorry

**I managed to make it work using below code
**
before initialling the table i used (xhr) as this would be called after every ajax load :

$('#example').on('xhr.dt', function ( e, settings, json, xhr ) {
        var api = new $.fn.dataTable.Api( settings );

        var abc = "<?php echo $_SESSION['privileges']; ?>";
//saving the privileges in A and the comparing 

        if (A === 'abc')
        {
            api.columns([2]).visible(false);

    }
    });

colin

Excellent, glad it's all working.

Colin

allan

That would do it - nice one. The downside to this method is that if anyone takes a look at the code on the client-side, they will see that you are just hiding columns that they shouldn't be able to see. While they don't have any data in them, so the damage is minimal, it still does indicate to them that there is more than they can see.

Typically when doing this kind of thing, I have PHP generate both the HTML and the Javascript for the user's access rights. For example if the general user has access to 4 columns, both the HTML and JS will reflect that. If an admin has access to 6 columns, likewise the HTML and JS will be built for that case.

I don't think we have an example of that process anywhere, but it would be a good one for a blog post sometime.

Allan

Khalid Teli

@colin and @allan
Thank you. Yes, that is true but as you mentioned, damage is minimal. I would take your suggestion and make php script according to user priviliges.

Also, with the above method, it is important to note , from server side return the hidden column to null

if ( $_SESSION['privileges'] === 'abc') {
  $editor->fields(Field::inst( 'admins.first_name' )
    ->getFormatter( function ( $val, $data, $opts ) { return null;}),

    );

otherwise , it will display the same error
Requested unknown parameter 'admins.first_name' for row 0, column 2

I hope this is the right way to do it.

allan

Yes, that's a perfectly valid way of doing it.

Allan