Multi user access

[gwp1971]

here is the scenario.....

Gayle is admin (admin user)
Ian is salesman (normal user)
Lee is installer (normal user)

Fields in db:
salesman < field type = single select)
installer < field type = single select)


salesman gets the sales and gives them to admin (Gayle).
She logs in and enters the sale selecting Ian as the salesman and Lee as the installer.
------------------------------------------------------------------------------------
At the moment neither normal user can see the info.

What i would like to do
if Ian is selected as salesman, this record would show up when he logs in under his own username
and the same for Lee if he is selected as the installer.

Q. Is this possible using dadabik ?

 

[DebbieS]

You'd have to modify the code that checks if the user is the owner (function current_user_is_owner in business_logic.php). I don't know how you have your select-single setup for the personnel names.

If your select is built from another table where the names are stored, you would need to do another lookup inside the current owner function to check if the user's ID number (in the linked table) is equal to the value in the salesman field or installer field. Then if the ID matches, they are allowed to see the record.

Assuming you have a table listing your salesmen and a table listing your installers, you'd need two checks - one for each field you want to check/match.

If you need more help, let me know. I'd need way more detail before I could start helping with any code.

 

[gwp1971]

the field i have for the salesman is a single select. the salesperson is added to the dropdown by adding their name to the
"Option to include:" option via the interface configurator.
~~IanL~LeeG~MarkH~MarkS~NeilB~AlisonH~TonyR~MartinS~
Once that person is selected, then it populates the salesman field with that name.
all salesman/installers have their own username( and ID number) stored in users_tab.

I hope that helps

 

[DebbieS]

Since you are not using a separate table to drive the salesman/installer fields, I'd try something like this (will only work if the salesman and installer fields' content matches their username). The code below is found in the function current_user_is_owner in business_logic.php on or about line 95. Add the part in bold:

[pre]
$sql = "SELECT ".$quote.$ID_user_field_name.$quote." FROM ".$quote.$table_name.$quote." WHERE ".$quote.$where_field.$quote." = '".$where_value."' AND ".$quote.$ID_user_field_name.$quote." = '".addslashes($current_user)."'";

$res = execute_db($sql, $conn);
$num_rows= get_num_rows_db($res);

// check if the current user is the assigned salesman/installer of the record
$sql1 = "SELECT ".$quote."salesman".$quote.", ".$quote."installer".$quote." FROM ".$quote.$table_name.$quote." WHERE ".$quote."salesman".$quote." = '".addslashes($current_user)."' OR ".$quote."installer".$quote." = '".addslashes($current_user)."'";

$res1 = execute_db($sql1, $conn);
$num_rows1= get_num_rows_db($res1);

if (($num_rows === 1) || ($current_user == $res1["salesman"]) || ($current_user == $res1["installer"])){
return true;
} // end if
[/pre]

 

[gwp1971]

HI Debbie
I have tried that and i didn't get any errors, but it doesn't display the entries, it still only displays by the user name who entered the record.
I am wondering if i have given you the right info.

Each user is given a user name & password using the "add record" for the users_tab table. i generate a password MD5 and insert it.
so get:
id: 42
usertype: normal
Username: LeeG
password: (isn't shown once entry has been completed
tables_user << This i use to store the password in English, as i dint know what this is for

I then edit using the configuartor for MHCustomers, the field called "canvasser" (Salesman) adding the username to the list
~~IanL~AlanK~BarryC~LeeG~DawnL~NeilB~SRadford~

I add another user (as above as normal user and call him BarryC). again using the configuartor i add BarryC to the list for the field called "surveyor"

You will note that the field names have changed because the real field names in the DB (phpmyadmin) are canvasser & surveyor.
I changed your code above to reflect this)

I then log in as admin and add a new record
Mr Test
123 the street. Etc
canvasser = LeeG
surveyor = BarryC

I then log out, close browser, delete cookies etc.
Log back in again as LeeG (username doesn't seem to be case sensitive)
but cannot see "Mr Test" record.
Log out as LeeG and back in again as BarryC
the result is the same.
Log in as admin, i can see the record.

Looking via phpmyadmin at the table MHCustomers, i see an entry for Mr Test, and under surveyor field is BarryC and canvasser field is "LeeG"
the capitals are the same as the usernames.

here is the section of code you gave me to change (along with my changes to the field names.

[pre]
global $current_user, $conn, $db_name, $quote;

// get the name of the field that has ID_user type
$ID_user_field_name = get_ID_user_field_name($fields_labels_ar);

if ($ID_user_field_name === false) {
return true; // no ID_user field type, no authentication needed
} // end if
else {
// check if the owner of the record is current_user
$sql = "SELECT ".$quote.$ID_user_field_name.$quote." FROM ".$quote.$table_name.$quote." WHERE ".$quote.$where_field.$quote." = '".$where_value."' AND ".$quote.$ID_user_field_name.$quote." = '".addslashes($current_user)."'";

$res = execute_db($sql, $conn);
$num_rows= get_num_rows_db($res);

// check if the current user is the assigned canvasser/surveyor of the record
$sql1 = "SELECT ".$quote."canvasser".$quote.", ".$quote."surveyor".$quote." FROM ".$quote.$table_name.$quote." WHERE ".$quote."canvasser".$quote." = '".addslashes($current_user)."' OR ".$quote."surveyor".$quote." = '".addslashes($current_user)."'";

$res1 = execute_db($sql1, $conn);
$num_rows1= get_num_rows_db($res1);

if (($num_rows === 1) || ($current_user == $res1["canvasser"]) || ($current_user == $res1["surveyor"])){
return true;
} // end if
else{
return false;
} // end else
} // end else
[/pre]

Thanks very much for your help so far Debbie

 

[DebbieS]

I wonder if it is a case thing ... try this:

[pre]
if (($num_rows === 1) || (strtoupper($current_user) == strtoupper($res1["canvasser"])) || (strtoupper($current_user) == strtoupper($res1["surveyor"]))){
return true;
} // end if
[/pre]

Basically all it is doing is changing all the variables to upper case to make the match ...

 

[gwp1971]

Alas, no chnage Debbie
no errors, but no change.
Here is my current code
[pre]
// check if the current user is the assigned canvasser/surveyor of the record
$sql1 = "SELECT ".$quote."canvasser".$quote.", ".$quote."surveyor".$quote." FROM ".$quote.$table_name.$quote." WHERE ".$quote."canvasser".$quote." = '".addslashes($current_user)."' OR ".$quote."surveyor".$quote." = '".addslashes($current_user)."'";

$res1 = execute_db($sql1, $conn);
$num_rows1= get_num_rows_db($res1);

if (($num_rows === 1) || (strtoupper($current_user) == strtoupper($res1["canvasser"])) || (strtoupper($current_user) == strtoupper($res1["surveyor"]))){
return true;
} // end if
else{
return false;
} // end else
} // end else
[/pre]

 

[DebbieS]

OK ... add uppercase switch to the sql statement also ... sorry, I missed that in the first go ...

[pre]
$sql1 = "SELECT ".$quote."canvasser".$quote.", ".$quote."surveyor".$quote." FROM ".$quote.$table_name.$quote." WHERE UPPER(".$quote."canvasser".$quote.") = '".strtoupper(addslashes($current_user))."' OR UPPER(".$quote."surveyor".$quote.") = '".strtoupper(addslashes($current_user))."'";
[/pre]

Let me know if this works ...

 

[gwp1971]

Sorry Debbie, no chnage still.

[pre]
// check if the owner of the record is current_user
$sql = "SELECT ".$quote.$ID_user_field_name.$quote." FROM ".$quote.$table_name.$quote." WHERE ".$quote.$where_field.$quote." = '".$where_value."' AND ".$quote.$ID_user_field_name.$quote." = '".addslashes($current_user)."'";

$res = execute_db($sql, $conn);
$num_rows= get_num_rows_db($res);

// check if the current user is the assigned canvasser/surveyor of the record
$sql1 = "SELECT ".$quote."canvasser".$quote.", ".$quote."surveyor".$quote." FROM ".$quote.$table_name.$quote." WHERE UPPER(".$quote."canvasser".$quote.") = '".strtoupper(addslashes($current_user))."' OR UPPER(".$quote."surveyor".$quote.") = '".strtoupper(addslashes($current_user))."'";

$res1 = execute_db($sql1, $conn);
$num_rows1= get_num_rows_db($res1);

if (($num_rows === 1) || (strtoupper($current_user) == strtoupper($res1["canvasser"])) || (strtoupper($current_user) == strtoupper($res1["surveyor"]))){
return true;
} // end if
else{
[/pre]

Would it be easier if i changed all the usernames to either upper or lower case only, not a mixture.
I have now added a new user who is called "test" all lowercase, and made him a surveyor, but any record admin adds with him chosen form the dropdwon box, he cannot see.

Thanks for your help with this Debbie, sorry its taking your time up.

 

[DebbieS]

One more try on the sql statement ... I just noticed that I forgot to include the part of the where clause that gets the specific record ID to match first, so..... I added it back in and then put brackets around the "or" part of the clause:

[pre]
$sql1 = "SELECT ".$quote."canvasser".$quote.", ".$quote."surveyor".$quote." FROM ".$quote.$table_name.$quote." WHERE ".$quote.$where_field.$quote." = '".$where_value."' AND (UPPER(".$quote."canvasser".$quote." ) = '".strtoupper(addslashes($current_user))."' OR UPPER(".$quote."surveyor".$quote." ) = '".strtoupper(addslashes($current_user))."')";
[/pre]

I tested this on a different database and it works there so give it a whirl.

 

[gwp1971]

HI Debbie
Should this work straight away, or do i need to add a new record to test it ?
because it dosent work still.

Here is my current code
[pre]
// check if the owner of the record is current_user
$sql = "SELECT ".$quote.$ID_user_field_name.$quote." FROM ".$quote.$table_name.$quote." WHERE ".$quote.$where_field.$quote." = '".$where_value."' AND ".$quote.$ID_user_field_name.$quote." = '".addslashes($current_user)."'";

$res = execute_db($sql, $conn);
$num_rows= get_num_rows_db($res);

// check if the current user is the assigned canvasser/surveyor of the record
$sql1 = "SELECT ".$quote."canvasser".$quote.", ".$quote."surveyor".$quote." FROM ".$quote.$table_name.$quote." WHERE ".$quote.$where_field.$quote." = '".$where_value."' AND (UPPER(".$quote."canvasser".$quote." ) = '".strtoupper(addslashes($current_user))."' OR UPPER(".$quote."surveyor".$quote." ) = '".strtoupper(addslashes($current_user))."')";

$res1 = execute_db($sql1, $conn);
$num_rows1= get_num_rows_db($res1);

if (($num_rows === 1) || (strtoupper($current_user) == strtoupper($res1["canvasser"])) || (strtoupper($current_user) == strtoupper($res1["surveyor"]))){
return true;
} // end if
else{
return false;
} // end else
} // end else
[/pre]
Maybe i have messed part of it up.
Thanks

 

[DebbieS]

Two options ...

1..... Change the if line to read:
[pre]
if (($num_rows === 1) || ($num_rows1 === 1)) {
[/pre]
instead of the line we've got there?

2..... Change the $num_rows1 line to use fetch_row_db instead of get_num_rows_db ... and keep the existing if statement ...

my bad ... got a lot going on and I'm missing these little details. Let me know if one of these options works.

 

[gwp1971]

I tried option 1 first with my code looking like this
[pre]

if (($num_rows === 1) || ($num_rows1 === 1)) { (strtoupper($current_user) == strtoupper($res1["canvasser"])) || (strtoupper($current_user) == strtoupper($res1["surveyor"]))){

[/pre]

that gave me errors of

Parse error: syntax error, unexpected ')' in /home/surveyu/public_html/include/business_logic.php on line 121

I then tried the 2nd option of changing the fetch_row_db, that gave me no errors, but it didn't show any expected results.

Would it be easier to use data from the seperate users_tab table ?

 

[DebbieS]

Well, option 1 should have had the additional code after the { // commented out - thus the errors.
Don't know how using the data from the user table will help because you need to match the username in the record he/she is assigned to in order to determine if they can see/edit that record.

Is this available somewhere I can view it or can you send me the database so I can try things with it here? I don't know what else to suggest.

 

[DebbieS]

Business logic file you supplied works fine. Change was needed in index.php on or about line 623 inside the case "search" part:

[pre]
if ($enable_authentication === 1 && $enable_browse_authorization === 1) { // $ID_user_field_name = '$current_user' where clause part in order to select only the records the current user owns
$ID_user_field_name = get_ID_user_field_name($fields_labels_ar);

if ($ID_user_field_name !== false) { // no ID_user fields available, don't use authorization
if ($where_clause === '') {
$where_clause = $quote.$table_name.$quote.'.'.$quote.$ID_user_field_name.$quote." = '".addslashes($current_user)."' OR ".$quote.$table_name.$quote.'.'.$quote."surveyor".$quote." = '".addslashes($current_user)."' OR ".$quote.$table_name.$quote.'.'.$quote."canvasser".$quote." = '".addslashes($current_user)."'";
} // end if
else {
//$where_clause .= " AND ".$quote.$table_name.$quote.'.'.$quote.$ID_user_field_name.$quote." = '".addslashes($current_user)."'";
$where_clause = "(".$where_clause." ) AND ".$quote.$table_name.$quote.'.'.$quote.$ID_user_field_name.$quote." = '".addslashes($current_user)."' OR ".$quote.$table_name.$quote.'.'.$quote."surveyor".$quote." = '".addslashes($current_user)."' OR ".$quote.$table_name.$quote.'.'.$quote."canvasser".$quote." = '".addslashes($current_user)."'";
} // end else
} // end if

} // end if
[/pre]

Added that in and was able to view records as expected. The other code in business logic determines whether the user can edit, delete, etc. based on his/her ownership/assignment. This code is needed to display only those records they have been assigned. I didn't realize what was happening until I saw the debug sql displayed in front of my silly eyes. Anyhooo ... try that and let me know if it works now.

 

[gwp1971]

Thats great!!
Thanks very much Debbie
a great surprise when i got back from a few days away.

Its all working fine now.
Thanks very much indeed