Security Module Application Access Validation

Using the Security Module - Group. Currently three user groups (Admin, Editor, User). May have more later.

Would like to use the same grid for all users - however, I would like to hide the pencil Icon for any user group that doesn’t have priv_update.

I found the code…

sc_apl_conf("Application", "lig_edit", "off");

That should allow me to do what I need - I just don’t know how to get at the group validation variables to construct the if command. The application currently stops the user if they click on the pencil and states “Unauthorized User” – but this in my opinion makes the app appear unfinished.

Any assistance would be appreciated.

I have the following code in my menu app’s onApplicationInit event to determine the logged in user’s group. It places that group name in a global variable you can then inspect wherever else you need to:

// Determine logged in user's Group
$ugroup = '';   // Default when the lookup fails or finds no group
$sqlq = 
	"SELECT ".
		"sec_groups.description ".
	"FROM ".
		"sec_users ".
			"INNER JOIN sec_users_groups ".
				"ON sec_users.login = sec_users_groups.login ".
			"INNER JOIN sec_groups ".
				"ON sec_users_groups.group_id = sec_groups.group_id ".
	"WHERE ".
		"sec_users.login = '" . [usr_login] . "'";

sc_lookup(my_data, $sqlq);

if ({my_data} === false) {
	echo "<script type='text/javascript'>alert('Access error determining user group (Menu app). Message = " . 
		{my_data_erro} . "');</script>";

} elseif (empty({my_data})) {
	echo "<script type='text/javascript'>alert('No group found for user (Menu app)');</script>";

} else {
	$ugroup = {my_data[0][0]};
}

[ugroup] = $ugroup;

Thanks!

I will look at adding similar code. I had assumed that since the Security Module looked at the group value each time an app is started that it would be stored for the current user (most likely session based) in a variable already.

EDIT

I added the following to the onExecute of a blank application:
echo '<pre>' . print_r($_SESSION, TRUE) . '</pre>';
This gave me all of the variables.

Upon review I found that an array is created for each application that contains:

[form_well_log] => Array
    (
        [insert] => off
        [delete] => off
        [update] => off
        [btn_display] => Array
            (
                [xls] => off
                [word] => off
                [pdf] => off
                [xml] => off
                [csv] => off
                [rtf] => off
                [print] => off
            )

Then I assume I can add something like the following to the Grid form event onApplicationInit:

if({$form_well_log[update]} == "off"){
    sc_apl_conf("Application", "lig_edit", "off");
}

Well as you say - you would assume the group would be in a global variable like [usr_login] for the login name - but it isn’t, hence the code I gave to extract it.

Regarding [update] - that is telling you that the “save” button is not visible; that whole array is basically the state of the toolbar buttons. Now, these can be turned on or off in code so there’s no guarantee that the absence of the button is a true representation. IMHO much better to note the group as earlier shown (only runs once per login), and then:

if ([ugroup] != 'administrator') {                       // Or whatever group
    sc_apl_conf('Application', 'lig_edit', 'off');       // Configure app before calling
    sc_redir('Application');                             // Call the app
}

Thanks – I really appreciate the input – definitely be adding the code per your suggestion.
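
The group lookup discussed in this thread, as an added example in plain PHP with PDO (not code from the posters and not Scriptcase macro code): the login is passed as a bound parameter instead of being concatenated into the SQL, every group the user belongs to is considered, and a failed lookup leaves the edit link off. The in-memory SQLite rows and the `EDIT_GROUPS` list are constructed assumptions; the table and column names are the ones used in the query above.

```php
<?php
// Added example in plain PHP + PDO; not Scriptcase macro code.
// Table/column names follow the query in the thread; all rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("
    CREATE TABLE sec_users (login TEXT PRIMARY KEY);
    CREATE TABLE sec_groups (group_id INTEGER PRIMARY KEY, description TEXT);
    CREATE TABLE sec_users_groups (login TEXT, group_id INTEGER);
    INSERT INTO sec_users VALUES ('alice'), ('bob'), ('o''brien');
    INSERT INTO sec_groups VALUES (1, 'Admin'), (2, 'Editor'), (3, 'User');
    INSERT INTO sec_users_groups VALUES ('alice', 1), ('alice', 3), ('bob', 3);
");

// Assumption: the groups that hold update privilege on this application.
const EDIT_GROUPS = ['Admin', 'Editor'];

/** Return every group description for $login; [] on no match or DB error. */
function groups_for_login(PDO $db, string $login): array
{
    try {
        $stmt = $db->prepare(
            'SELECT g.description
               FROM sec_users u
               JOIN sec_users_groups ug ON u.login = ug.login
               JOIN sec_groups g ON ug.group_id = g.group_id
              WHERE u.login = ?'
        );
        $stmt->execute([$login]);            // value is bound, never spliced into SQL
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        error_log('group lookup failed: ' . $e->getMessage());
        return [];                           // fail closed: no groups, no edit link
    }
}

/** True only if at least one of the user's groups is allowed to edit. */
function may_edit(PDO $db, string $login): bool
{
    return (bool) array_intersect(groups_for_login($db, $login), EDIT_GROUPS);
}

// Constructed logins: multi-group admin, plain user, apostrophe in name, unknown.
foreach (['alice', 'bob', "o'brien", 'carol'] as $login) {
    printf("%-8s edit link: %s\n", $login, may_edit($db, $login) ? 'on' : 'off');
}
```

Hiding the link only changes what the grid shows; the form's own "Unauthorized User" check mentioned in the first post is what actually blocks the update and has to stay in place.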