Allow admin user to bypass the ID_user restrictions

DebbieS

DaDaBIK Guru
First, create a new field in your users_tab named "tables_user". This field is where you will enter the allowed table(s) per user separated by commas.

In check_login.php, edit the code below adding the bold line:

// if the user type corresponds to the administrator type
if ($_SESSION['logged_user_infos_ar']['user_type_user'] === $users_table_user_type_administrator_value) {
$current_user_is_administrator = 1;
$enable_authentication = 0; // added line: an administrator is not subject to the per-user table restrictions
} // end if

In business_logic.php, locate the function named build_tables_names_array and add the bold parts shown below:

function build_tables_names_array($exclude_not_allowed = 1, $exclude_not_installed = 1, $inlcude_users_table = 0)
// goal: build an array ($tables_names_ar) containing the names of the tables of the db, excluding the internal tables, get the list from $table_list_name tab if $exclude_not_installed = 1, otherwise directly from the DBMS
// input: $exclude_not_allowed (1 if the tables excluded by the user are excluded), $exclude_not_installed (1 if the tables not installed are excluded), $inlcude_users_table (1 if it is necessary to include the users table, even if the user is not admin (useful in admin.php)
// output: $tables_names_ar
{
global $conn, $db_name, $prefix_internal_table, $table_list_name, $quote, $users_table_name, $current_user_is_administrator, $dbms_type, $current_user;

..... rest of code of function .....

$z++;
} // end if
} // end for
} // end else
if($current_user && $current_user_is_administrator === 0) {
// note: $current_user is spliced into the query unescaped; a username containing a quote breaks the statement
$sql = "SELECT tables_user FROM ".$quote.$users_table_name.$quote." WHERE username_user = '$current_user'";
$res = execute_db($sql, $conn);
$row = fetch_row_db($res);
$usertables = $row[0];
// trim each entry so a list typed as "orders, customers" still matches the real table names
if ($usertables) { $tables_names_ar = array_map('trim', explode(",", $usertables)); }
}

return $tables_names_ar;
} // end build_tables_names_array function

To have ONLY the allowed tables displayed per user (or none if only one table), make the following bold changes to the build_installed_table_infos_ar function:

function build_installed_table_infos_ar($only_include_allowed, $exclude_users_tab_if_not_admin)
// goal: build an array containing infos about dadabik installed tables
// input: $only_include_allowed (0|1) $exclude_users_tab_if_not_admin(0|1)
// output: the array
{
global $table_list_name, $users_table_name, $conn, $quote, $current_user_is_administrator, $current_user;

..... rest of code .....

$i=0;

// read the comma-separated allowlist of the current user (use the configured users table name, not a hard-coded one; the username is interpolated unescaped, as elsewhere in this hack)
$sqltable = "SELECT tables_user FROM ".$quote.$users_table_name.$quote." WHERE username_user = '".$current_user."'";
$disptable = execute_db($sqltable, $conn);
$row2 = fetch_row_db($disptable);
$usertables = $row2[0];
$disptbl = array();
if ($usertables) { $disptbl = array_map('trim', explode(",", $usertables)); }


while ($row = fetch_row_db($res)) {
// note: the in_array() test also applies to administrators, so an admin must list the tables in their own tables_user record to see them
if (($current_user_is_administrator === 1 || $row['name_table'] !== $users_table_name || $exclude_users_tab_if_not_admin === 0) && (in_array($row['name_table'],$disptbl))) {

..... rest of code .....

return $installed_table_infos_ar;

} // end function build_installed_table_infos_ar()

That's it - copy/paste the code as outlined and you should be in business.

 

samfingcul

New member
Hi, and thank you for helping me.
I did what you said, but I get "[08] Error: during query execution."

Man... I know you're telling me to do that by myself to learn something, but please... please make the necessary modifications and send the files.
 

DebbieS

DaDaBIK Guru
If you've made all the changes as I've outlined and you are getting that error, I have to ask if you've added the additional field in your user table. A lot of times an error like that is generated when there is reference to a table field that does not exist.

If not, turn on the sql debugging info in config.php and report back the error you are getting in full. Change the following lines to '1' for each option:

// display the main sql statements of insert/search/edit/detail operations for debugging (0|1)
// note that the insert sql statement will be displayed only if insert_again_after_insert is set to 1
$display_sql = 0;

// display all the sql statements and the MySQL error messages in case of DB error for debugging (0|1)
$debug_mode = 0;

If you want, send me your edited files (use 'DaDaBIK Help DS' in the subject line) and I'll review/edit if necessary -- I only need the check_login.php and business_logic.php files.

 

DebbieS

DaDaBIK Guru
For anyone who is interested, here is my complete build_installed_table_infos_ar that I use to display ONLY the tables that the user is allowed to view in the drop-down box:

function build_installed_table_infos_ar($only_include_allowed)
// goal: build an array containing infos about dadabik installed tables
// input: $only_include_allowed (0|1)
// output: the array
{
// $enable_authentication must be declared global here too, otherwise it is undefined inside the function and the first test in the loop never matches
global $table_list_name, $users_table_name, $conn, $quote, $current_user_is_administrator, $current_user, $disptbl, $db_name, $enable_authentication;

if ($only_include_allowed === 1) {
$sql = "SELECT name_table, alias_table FROM ".$quote.$table_list_name.$quote." WHERE allowed_table = '1'";
} // end if
else {
$sql = "SELECT name_table, alias_table FROM ".$quote.$table_list_name.$quote;
} // end else

$res = execute_db($sql, $conn);

$installed_table_infos_ar = array(); // always return an array, even when no table is visible
$i=0;

if (table_exists($users_table_name)) {

// read the comma-separated allowlist of the current user (the username is interpolated unescaped, as elsewhere in this hack)
$sqltable = "SELECT tables_user FROM ".$quote.$users_table_name.$quote." WHERE username_user = '".$current_user."'";
$disptable = execute_db($sqltable, $conn);
$row2 = fetch_row_db($disptable);
$usertables = $row2[0];
$disptbl = array();
if ($usertables) {
$disptbl = array_map('trim', explode(",", $usertables));
}

// the three tests are exclusive (if / elseif) so that a table is added at most once
while ($row = fetch_row_db($res)) {
if (($enable_authentication === 0) && (isset($current_user))) {
// authentication switched off for this session (the administrator case set in check_login.php): show every table
$installed_table_infos_ar[$i]['name_table'] = $row['name_table'];
$installed_table_infos_ar[$i]['alias_table'] = $row['alias_table'];
$i++;
} // end if
elseif (($current_user_is_administrator !== 1) && (in_array($row['name_table'],$disptbl))) {
// normal user with an allowlist: only the listed tables
$installed_table_infos_ar[$i]['name_table'] = $row['name_table'];
$installed_table_infos_ar[$i]['alias_table'] = $row['alias_table'];
$i++;
} // end elseif
elseif ((($current_user_is_administrator === 1) || ($row['name_table'] !== $users_table_name)) && (empty($disptbl))) {
// no allowlist at all: everything except the users table, which only the administrator sees
$installed_table_infos_ar[$i]['name_table'] = $row['name_table'];
$installed_table_infos_ar[$i]['alias_table'] = $row['alias_table'];
$i++;
} // end elseif
} // end while
} else {
// no users table installed: no per-user restriction, only hide the users table from non-admins
while ($row = fetch_row_db($res)) {
if ($current_user_is_administrator === 1 || $row['name_table'] !== $users_table_name) {
$installed_table_infos_ar[$i]['name_table'] = $row['name_table'];
$installed_table_infos_ar[$i]['alias_table'] = $row['alias_table'];
$i++;
} // end if
} // end while
}// end if table exists

return $installed_table_infos_ar;

} // end function build_installed_table_infos_ar()

In addition .. if you are using this in your installation, after you add "tables_user" to the users_tab, you also need to make sure the dadabik_users_tab has the reference to the new field.

 

nmcgann

New member
Here's a few comments on this super hack:

1) The administrator still needs to add the table names to their own record in users_tab or they won't be able to see the tables either.
(that is possibly a bug in the mod?)

2) The logout button isn't shown for the administrator. This is a pain as you can't logout to check the table restriction works for other users.

I added the bolded bits below to header.php where the logout button is suppressed so it appears again:

if (($enable_authentication === 1) || ($current_user_is_administrator === 1)){

3) Remember to add a record for the new tables_user field in the users_tab or it needs phpmyadmin to edit the field! (I forgot - doh!)

Still, this is a great hack as it makes it possible to keep certain users out of places that they shouldn't be able to see (like financial info etc.).

Debbie's final post with her build_installed_table_infos_ar didn't work for me, my table select box turned into an empty select with no contents (in administrator mode). What is all the extra code supposed to do?

Neil
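As an added example (not code from this thread or from DaDaBIK), here is the same allowlist logic written as stand-alone PHP against an in-memory SQLite database with constructed rows. It assumes the column names used in the thread (username_user, user_type_user, tables_user) and a hypothetical administrator type string 'administrator'. It handles the points raised above: the administrator sees every table without needing a tables_user entry, a non-admin never sees the users table even if it is typed into the list, whitespace and duplicates in the list are cleaned up, and the username is a bound parameter, so a quote in it cannot alter the query as it could in the interpolated strings posted in this thread.

```php
<?php
// Added example, not DaDaBIK's own code: per-user table allowlist with an
// administrator bypass, implemented against PDO/SQLite with constructed rows.
declare(strict_types=1);

/** Split "orders, customers,,orders" into a trimmed, de-duplicated list of table names. */
function parse_allowed_tables(string $csv): array
{
    $names = [];
    foreach (explode(',', $csv) as $name) {
        $name = trim($name);
        if ($name !== '' && !in_array($name, $names, true)) {
            $names[] = $name;
        }
    }
    return $names;
}

/**
 * Look up one user's type and allowlist. The table identifier comes from
 * configuration and is validated; the username is a bound parameter.
 * Unknown users get no access at all (deny by default).
 */
function lookup_user_access(PDO $db, string $users_table, string $username, string $admin_type): array
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $users_table)) {
        throw new InvalidArgumentException('unexpected users table name');
    }
    $stmt = $db->prepare("SELECT user_type_user, tables_user FROM \"$users_table\" WHERE username_user = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['is_admin' => false, 'allowed' => []];
    }
    return [
        'is_admin' => $row['user_type_user'] === $admin_type,
        'allowed'  => is_string($row['tables_user']) ? parse_allowed_tables($row['tables_user']) : [],
    ];
}

/**
 * Filter installed-table rows (name_table / alias_table) for display.
 * Administrators see everything; other users see only their allowlist, and the
 * users table is never shown to them even when it appears in tables_user.
 */
function filter_installed_tables(array $installed, array $access, string $users_table): array
{
    $visible = [];
    foreach ($installed as $row) {
        $name = $row['name_table'];
        if ($access['is_admin'] || ($name !== $users_table && in_array($name, $access['allowed'], true))) {
            $visible[] = $row;
        }
    }
    return $visible;
}

// --- constructed demo data (hypothetical users and tables) -------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users_tab (username_user TEXT, user_type_user TEXT, tables_user TEXT)');
$ins = $db->prepare('INSERT INTO users_tab VALUES (:u, :t, :l)');
$ins->execute([':u' => 'alice', ':t' => 'administrator', ':l' => null]);
$ins->execute([':u' => 'bob',   ':t' => 'user', ':l' => 'orders, customers, orders']);
$ins->execute([':u' => 'carol', ':t' => 'user', ':l' => 'users_tab,invoices']);

$installed = [
    ['name_table' => 'orders',    'alias_table' => 'Orders'],
    ['name_table' => 'customers', 'alias_table' => 'Customers'],
    ['name_table' => 'invoices',  'alias_table' => 'Invoices'],
    ['name_table' => 'users_tab', 'alias_table' => 'Users'],
];

$cases = [
    'alice',           // administrator with no tables_user entry: sees all four tables
    'bob',             // listed tables only; whitespace and the duplicate are cleaned up
    'carol',           // users_tab in her list is ignored: only invoices
    "bob' OR '1'='1",  // quote in the username is plain data to the bound parameter: unknown user, nothing
];
foreach ($cases as $user) {
    $access  = lookup_user_access($db, 'users_tab', $user, 'administrator');
    $visible = filter_installed_tables($installed, $access, 'users_tab');
    printf("%-16s admin=%d allowed=%-24s visible=%s\n", $user, (int) $access['is_admin'],
        json_encode($access['allowed']), json_encode(array_column($visible, 'name_table')));
}
```

One deliberate difference from the posted functions: a user who is not found, or who has an empty tables_user, sees nothing here rather than everything. If you want the thread's behaviour (no list means no restriction), that is the one branch to change, but deny-by-default is the safer choice when the point of the hack is to keep people out of tables such as financial data.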
 

geronimo

New member
Has anyone tried this out with version 4.3?

I tried it several times (to rule out a typo as the cause, I mostly used 'drag&drop'), but sadly it did not work.
 