Write protection server side

marianidiego Posts: 61 Questions: 18 Answers: 1

Is it possible, from the server side, to protect a whole table from writing, but allow only reading?

Editor::inst( $db, 'login', 'login_id' )
    ->fields(
        Field::inst( 'login.login_id' ),
        Field::inst( 'login.group_of_id' )
            ->options( Options::inst()
                ->table( 'group_of' )
                ->value( 'group_of_id' )
                ->label( 'name' ))
            ->set( false ), // only read
        Field::inst( 'login.email' ))
    ->process( $_POST )
    ->write(0)
    ->debug(true)
    ->json();

I tried "write(false)" and "set(0)", but neither works.

Thanks

Replies

  • rf1234 Posts: 3,028 Questions: 88 Answers: 422
    edited November 2021

    You can use one or more of the cancellable events:
    https://editor.datatables.net/manual/php/events#Cancellable-events
    or you can use ->set( false ) on every field

  • rf1234 Posts: 3,028 Questions: 88 Answers: 422
    edited November 2021

    You can also use a Global Validator and notify the user that this is read only if changes have been made. Probably the most elegant solution I guess.
    https://editor.datatables.net/manual/php/validation#Global-validators

  • marianidiego Posts: 61 Questions: 18 Answers: 1

    For every field?

    Isn't there an elegant way to do this for all fields?

  • marianidiego Posts: 61 Questions: 18 Answers: 1

    Sorry.... in English is better...

    for every field?
    Isn't there a way to make it elegant for all fields?

  • rf1234 Posts: 3,028 Questions: 88 Answers: 422
    edited November 2021

    for every field?
    Isn't there a way to make it elegant for all fields?

    Yes, that is the global validator above which detects any change in any field. The same applies to the solution with cancellable events: you simply cancel any editing of existing or inserting of new records unconditionally.

    Only if you want to use ->set( false ) you would need to use this on every field

    Isn't there an elegant way to do this for all fields?

    Yes, that is the global validator above, which detects any change in any field. The same applies to the solution with cancellable events: you simply cancel any editing of existing records or inserting of new ones unconditionally.

    Only if you want to use ->set( false ) do you need to do this for every field

    (translation: deepl.com)

  • marianidiego Posts: 61 Questions: 18 Answers: 1

    Thanks!

    But what if I use a one-to-many join? Like this: https://editor.datatables.net/examples/advanced/joinArray.html

    How can I protect this example?

  • rf1234 Posts: 3,028 Questions: 88 Answers: 422

    It makes no difference whether or not you use a join.

  • marianidiego Posts: 61 Questions: 18 Answers: 1
    edited November 2021

    I tried, but I cannot protect against writing. DataTables writes the data even if I set(false) on every field....

    My example doesn't work:

    Editor::inst( $db, 'users' )
        ->field(
            Field::inst( 'users.first_name' )->set(false),
            Field::inst( 'users.last_name' )->set(false),
            Field::inst( 'users.site' )->set(false)
                ->options( Options::inst()
                    ->table( 'sites' )
                    ->value( 'id' )
                    ->label( 'name' )
                ),
            Field::inst( 'sites.name' )->set(false)
        )
        ->leftJoin( 'sites', 'sites.id', '=', 'users.site' )
        ->join(
            Mjoin::inst( 'permission' )
                ->link( 'users.id', 'user_permission.user_id' )
                ->link( 'permission.id', 'user_permission.permission_id' )
                ->order( 'name asc' )
                ->validator( 'permission[].id', Validate::mjoinMaxCount(4, 'No more than four selections please') )
                ->fields(
                    Field::inst( 'id' )->set(false)
                        ->validator( Validate::required() )
                        ->options( Options::inst()
                            ->table( 'permission' )
                            ->value( 'id' )
                            ->label( 'name' )
                        ),
                    Field::inst( 'name' )->set(false)
                )
        )
        ->process($_POST)
        ->json();
    

    Edited by Colin - Syntax highlighting. Details on how to highlight code using markdown can be found in this guide.

  • rf1234 Posts: 3,028 Questions: 88 Answers: 422

    Could you use Markdown please to make your code legible (see link below).

    And please post a test case as per the forum rules.

    This is a simple example from my own coding - and it works:

    Editor::inst( $db, 'login_logout_log' )
        ->field(
            Field::inst( 'login_logout_log.user_id AS login_logout_log.client_name' )->set( false )
                ->getFormatter( function($val, $data, $opts) use ( $lang ) {
                    if ( $val <= 0 ) { 
                        if ( $lang === 'de' ) {
                            return "Nutzer unbekannt; Login E-Mail: " . $data['login_logout_log.email'];
                        } else {
                            return "User unknown; Login email: " . $data['login_logout_log.email'];
                        }
                    }
                    return getUserName($val);
                }),  
            Field::inst( 'login_logout_log.email' )->set( false ),
            Field::inst( 'login_logout_log.action' )->set( false ),
            Field::inst( 'login_logout_log.when' )->set( false )
        )
        ->process($_POST)
        ->json();
    

    This should also work:

    Editor::inst( $db, 'login_logout_log' )
        ->field(
            Field::inst( 'login_logout_log.user_id AS login_logout_log.client_name' )
                ->getFormatter( function($val, $data, $opts) use ( $lang ) {
                    if ( $val <= 0 ) { 
                        if ( $lang === 'de' ) {
                            return "Nutzer unbekannt; Login E-Mail: " . $data['login_logout_log.email'];
                        } else {
                            return "User unknown; Login email: " . $data['login_logout_log.email'];
                        }
                    }
                    return getUserName($val);
                }),  
            Field::inst( 'login_logout_log.email' ),
            Field::inst( 'login_logout_log.action' ),
            Field::inst( 'login_logout_log.when' )
        )
        ->on( 'preCreate', function ( $editor, $values ) {
            return false;
        } )
        ->on( 'preEdit', function ( $editor, $id, $values ) {
            return false;
        } )
        ->on( 'preRemove', function ( $editor, $id, $values ) {
            return false;
        } )
        ->process($_POST)
        ->json();
    

    As well as this:

    Editor::inst( $db, 'login_logout_log' )
        ->field(
            Field::inst( 'login_logout_log.user_id AS login_logout_log.client_name' )
                ->getFormatter( function($val, $data, $opts) use ( $lang ) {
                    if ( $val <= 0 ) { 
                        if ( $lang === 'de' ) {
                            return "Nutzer unbekannt; Login E-Mail: " . $data['login_logout_log.email'];
                        } else {
                            return "User unknown; Login email: " . $data['login_logout_log.email'];
                        }
                    }
                    return getUserName($val);
                }),  
            Field::inst( 'login_logout_log.email' ),
            Field::inst( 'login_logout_log.action' ),
            Field::inst( 'login_logout_log.when' )      
        )
        ->validator( function( $editor, $action, $data ) {
            if ( $action !== Editor::ACTION_READ ) {
                return 'Cannot modify data';            
            }
        } )
        ->process($_POST)
        ->json();
    
  • allan Posts: 63,815 Questions: 1 Answers: 10,517 Site admin

    Hi,

    With the new (v2) versions of the PHP libraries for Editor, there is actually a write() method which can be used to disallow all write access - e.g.:

    Editor::inst(…)
      ->fields( … )
      ->write(false)
      ->process($_POST)
      ->json();
    

    Saves needing to put ->set(false) on all the fields.

    Allan
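
The same default-deny idea as the global validator and write(false) replies above, shown as a stand-alone PHP gate that can run before the Editor instance is built; this is an added example, not code from the thread or from the Editor libraries. It assumes the Editor client names its operation in the `action` request parameter and sends none for a plain read; `readOnlyGate` and the sample requests are constructed for illustration.

```php
<?php
// Added example: default-deny gate for a read-only Editor endpoint.
// Assumption: writes arrive with an `action` request parameter
// (create / edit / remove / upload); a plain data fetch carries none.

/**
 * Return null when the request is a plain read, otherwise an error message.
 * Hypothetical helper, not part of the Editor PHP libraries.
 */
function readOnlyGate(array $post): ?string
{
    if (!array_key_exists('action', $post) || $post['action'] === '') {
        return null; // no action submitted: treat as a data fetch
    }
    // Every other value is refused, including ones this code does not know,
    // so a new write action cannot slip past the gate unnoticed.
    $action = is_string($post['action']) ? $post['action'] : '(non-string)';
    return 'Read-only endpoint: action "' . $action . '" rejected';
}

// Constructed sample request bodies, shaped like parsed $_POST arrays.
// The edit sample carries a one-to-many "permission" array, as in the
// joinArray configuration discussed in the thread.
$samples = [
    'read'   => ['draw' => '1'],
    'create' => ['action' => 'create',
                 'data' => [0 => ['users' => ['first_name' => 'A']]]],
    'edit'   => ['action' => 'edit',
                 'data' => ['row_7' => ['permission' => [['id' => '2']]]]],
    'remove' => ['action' => 'remove', 'data' => ['row_7' => []]],
    'upload' => ['action' => 'upload', 'uploadField' => 'users.image'],
    'odd'    => ['action' => ['edit']], // malformed: array instead of string
];

foreach ($samples as $name => $post) {
    $error = readOnlyGate($post);
    printf("%-6s => %s\n", $name, $error === null ? 'allowed' : $error);
}

// Hypothetical wiring in the endpoint, ahead of Editor::inst(...)->process():
//   if (($error = readOnlyGate($_POST)) !== null) {
//       echo json_encode(['error' => $error]);
//       exit;
//   }
```

Because the decision is made on the request's action rather than on individual fields, it also covers row removal and the link-table rows of a one-to-many join.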

  • marianidiego Posts: 61 Questions: 18 Answers: 1

    Thanks

This discussion has been closed.