Security users problem

Hello

We are currently trying to build a complaints system with a user hierarchy from Administrator > Supervisor > User

When setting up a supervisor account they will have access to change what group the user goes in, this shows the Administrator group.

So in theory they could edit their own user and set themselves as an Administrator.

Is there any way to remove this? We have tried removing the update privilege for sec_group but this did not work.

Thanks

Ok, I haven't done this yet, but it shouldn't be extremely difficult.
I would do the following:

  1. You will need to add a new field to the users table where you set the level of the user, i.e. 0 for admin, 1 for supervisor and 2 for user.
  2. You will need to add a new field to the security group table called level.
  3. You will need to set the logged-in user's level to a global variable so that the SQL below will select just the groups greater than or equal to that value.
  4. Edit the security form (edit users), changing the N-N Relationships for Groups, and change the SQL to include a new field called, let's say, level.
    An example would be: SELECT group_id, description FROM sec_groups WHERE level >= [user_level] ORDER BY description

I would not allow new users to be created except by the admin, and make sure the user "level" can only be set by the admins.

That is what I would suggest…

Kevin
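
The level filter suggested above only narrows what the form displays, so the same rule has to be applied again when the change is saved. The following is an added example, not part of the original post and not Scriptcase code: it models the check in Python with an in-memory SQLite database, where the `users` table, its columns, the sample rows and the function names are assumptions, and the extra guard on the target account goes one step beyond what the post describes.

```python
import sqlite3

def make_db():
    # Constructed sample data. sec_groups columns follow the SQL in the post;
    # the users table and its column names are assumptions for this example.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sec_groups (group_id INTEGER PRIMARY KEY, description TEXT, level INTEGER);
        CREATE TABLE users (login TEXT PRIMARY KEY, level INTEGER, group_id INTEGER);
        INSERT INTO sec_groups VALUES (1,'Administrator',0),(2,'Supervisor',1),(3,'User',2);
        INSERT INTO users VALUES ('alice',0,1),('sam',1,2),('uma',2,3);
    """)
    return db

def user_level(db, login):
    # Stands in for the [user_level] global: taken from the database for the
    # authenticated login, never from a form field or URL parameter.
    row = db.execute("SELECT level FROM users WHERE login = ?", (login,)).fetchone()
    if row is None:
        raise PermissionError("unknown user")
    return row[0]

def assignable_groups(db, actor):
    # The filtered lookup from the post, with the level bound as a parameter.
    return db.execute(
        "SELECT group_id, description FROM sec_groups "
        "WHERE level >= ? ORDER BY description", (user_level(db, actor),)).fetchall()

def set_group(db, actor, target, group_id):
    # Re-check on save: hiding Administrator in the form does not stop a
    # hand-edited request from submitting its group_id.
    if group_id not in {gid for gid, _ in assignable_groups(db, actor)}:
        raise PermissionError("group is above the actor's level")
    # Extra guard (an addition to the post): no editing of higher-ranked accounts.
    if user_level(db, target) < user_level(db, actor):
        raise PermissionError("target outranks the actor")
    db.execute("UPDATE users SET group_id = ? WHERE login = ?", (group_id, target))
    db.commit()

if __name__ == "__main__":
    db = make_db()
    print(assignable_groups(db, "sam"))
    try:
        set_group(db, "sam", "sam", 1)
    except PermissionError as exc:
        print("rejected:", exc)
```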

Hi Kevin

Thank you for your response.

We have started setting it up this way, however we are having issues.

Please can you advise us on how to set up a global variable?

Thanks

Look at the help file under the appendix.
You can also look at the login screen file for examples; the user login is set as a global variable.

The relevant part of the help file is below.

Kevin

Global Variables
Before the browser sends the information, it encodes it using a scheme called URL encoding. In this scheme, name/value pairs are joined with equal signs and different pairs are separated by the ampersand.
GET Method - sends the encoded user information appended to the page request. The page and the encoded information are separated by the ? character.
POST Method - transfers information via HTTP headers. The information is encoded as described in case of GET method and put into a header called QUERY_STRING.
Scriptcase uses global variables with square brackets. [var2] = 'global';
It can be called in any event or method of an application.
Note 1: A local variable can be a global variable if you use sc_set_global
$var3 = 'testing'; // var3 is a local variable
sc_set_global($var3); // transforming var3 in a global variable
echo [var3] . " global variables"; // Now we can call [var3] in any other event

Hi Kevin

Thanks for your help. Unfortunately, the help and documentation are not very clear for using variables.

Could you please supply a very simple example for the following?

When a user successfully logs on via the login screen:-
1.) Store the UserID from table tbl_users as variable sc_userID?
2.) Sql query on a form/grid select name from tbl_users where UserID = [sc_userID]?

Many Thanks

Chris