Hide / show editor fields based on session permission
Hide / show editor fields based on session permission
Hi,
I know I can set read/write access in the server-side script based on current user session, but I also need to completely hide a few fields based on the same session.
Is there any built in functions for this or what would the best practice to achieve this be?
This question has accepted answers - jump to:
Answers
There is nothing built-in for this. The most secure option is to return only the fields desired from the server script. This way the data never resides at the client.
However you can use
columns.visible
to initially hide those columns then usecolumn().visible()
to display them if the permissions allow. Do this ininitComplete
. With this solution the hidden data resides at the client and a hacker could find it.Kevin
If you don't want to let those fields reach the client the safest way is to use a getFormatter on the server and return empty values or some other value for those fields depending on the user session.
On the client side you can use the "open" event for example and hide the fields a) when they are empty or b) when they contain a special value returned from the server (e.g. "forbidden", "hidden" or whatever you find suitable).
This way the client doesn't need to know about the reason for hiding the Editor fields and you don't send "critical" data to the client either.
Hey Kevin, I thought the question was about Editor. If it is about table columns as well, of course "columns.visible" is the way to go.
Missed the Editor part in the title
Kevin
I think the question is relevant for the data table as well: If the information is not permitted for the respective user you don't want to show it neither in Editor nor in the Data Table ...
Thank you,
Without having tried your approach rf1234, I assume the hidden/forbidden fields actual value will be unchanged if the user edits an allowed field?
Yep, the hidden field should just be sent back and forth without any client side changes. If theoretically a hacker changed the value sent to the server this wouldn't matter because the setFormatter checks the session variable and not the field content to decide how to update the database.
If you wanted to avoid any database update for the hidden fields for the specific user you can't use a setFormatter. You would need to use 'validatedCreate' and 'validatedEdit' for example like this:
I'd also say you should generate your Javascript based on the permissions allowed. Don't have the fields / columns defined for data that the user isn't allowed to access.
Allan
Allan, can you exemplify that?
Sure - normally with PHP you would create an HTML file. But there is nothing to stop you from creating any other file as well - often it is used for creating thumbnails for example. You can also create Javascript files. In fact, I do it on this site to get some basic information into Javascript land (which then allows the main Javascript to be static and therefore well cached).
It is more work for certain, but it does allow for a more complete UI since the user will only see what they are allowed to do.
An example would be creating the fields for the form - use
add()
to add the fields based on a PHP loop:Would produce:
Obviously you can get so much more complex than that, including defining types, labels and so on, based on a database or session query, but that's the basic idea.
Taking it to the extreme you end up with something like CloudTables
Allan
Thank you for the clarification
Although Im a little confused with what code would go in which file, since you use hybrid code, echo:ing javascript code with PHP.
I use the standard datatables JS file along with the PHP server side file
@allan
if you want to be 100% flexible and all of this must be configurable (as required for Cloud Tables for example) I guess your approach is certainly the best. For my use cases adding all Editor fields dynamically would be a bit too much effort for the few fields in question.
In most instances I only hide those fields client side if not relevant for certain user groups (and the fields are not containing any "secrets"). Or I only return dummy values from the server for those users (if confidentiality is affected).
Yup - that sounds like a good approach I'd say!
Allan
Thank you both for you answers,
I think I'll go with the method provided by rf1234 since it works for my use case.
It would be really nice if the "forbidden" fields also were disabled - shown with a "forbidden" value but not editable. But I guess that is not possible to achieve server-side?
No, not serverSide, but quite easily client side.
You can either not show the fields to the user at all as in my code above. Here it is again:
or you display something and disable it:
Since you are NOT checking the field value sent to the server for "forbidden" serverSide, it doesn't matter that the field content is now "unauthorized". "unauthorized" will never be saved to the database and not be returned to the client from the server either.
Particularly if you have multiple fields this
can be rewritten as:
Thank you very much for your help!