Allow admin user to bypass the ID_user restrictions

dadabiknewbie

New member
I love/need the ID_user feature to restrict normal users to only access their own records. However, that prevents me from accessing any records except those I enter with my admin ID, which is not supposed to be any.

I need to review, and possibly edit or delete, all the records easily. Can I somehow toggle off the ID_user feature(s) when I use the admin ID/password?

I don't want to install a whole second copy of the entire program, or enter all the IDs/passwords one by one to do this. I could use phpMyAdmin, but it is very clumsy. I don't want to re-upload config.php each time I want to do this. Turning off browse restrict lets users see too much, and I still can't edit anyway.

Any reprogramming I could do?
Perhaps an if statement in config.php could toggle the 0|1 if it can sense whether a normal or admin ID/password was entered?

Thanks
 

dadabiknewbie

New member
I eventually made a small addition to the login script and it works great. The admin user gets to view/edit all the records, while the normal user only accesses their own records. Hard to believe it was that easy, yet no responses in 3 days. Think it's safe? Could, say, ten bad password tries halt something for security?

Anyway, I think only a few small upgrades are needed to make this product really usable. I just can't see installing many copies of the entire product to have different users who have different access rights.

For example, 3 NORMAL users, who can only access the TABLE(s)/restrictions they are assigned. And of course the ADMIN user, who has access to everything.

Thanks
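The post above asks whether ten bad password tries could halt something. The following is an added example, not DaDaBIK code and not something the poster wrote: a failed-login counter that check_login.php could consult before comparing a password. It assumes a hypothetical JSON state file in the temp directory, a hypothetical threshold of ten failures and a hypothetical lock time of 15 minutes; the attempts at the bottom are constructed.

```php
<?php
// Added example (not part of DaDaBIK): a failed-login counter of the kind the post
// asks about. Assumptions: the lock state is kept in a small JSON file (swap in a
// database table if preferred); MAX_FAILURES and LOCK_SECONDS are hypothetical
// values; check_login.php would call is_locked() before checking a password,
// note_failure() after a rejected one and note_success() after an accepted one.

declare(strict_types=1);

const MAX_FAILURES = 10;   // hypothetical: ten wrong passwords ...
const LOCK_SECONDS = 900;  // ... lock the account for 15 minutes

function lock_state_path(): string
{
    return sys_get_temp_dir() . '/login_failures.json';
}

function load_state(): array
{
    $raw = @file_get_contents(lock_state_path());
    $state = $raw === false ? null : json_decode($raw, true);
    return is_array($state) ? $state : [];
}

function save_state(array $state): void
{
    file_put_contents(lock_state_path(), json_encode($state), LOCK_EX);
}

// Is this username currently locked out? An expired lock is cleared on the way.
function is_locked(string $user, int $now): bool
{
    $state = load_state();
    if (!isset($state[$user]) || $state[$user]['count'] < MAX_FAILURES) {
        return false;
    }
    if ($now - $state[$user]['last'] >= LOCK_SECONDS) {
        unset($state[$user]);
        save_state($state);
        return false;
    }
    return true;
}

// Record one rejected password; returns the running failure count.
function note_failure(string $user, int $now): int
{
    $state = load_state();
    $count = ($state[$user]['count'] ?? 0) + 1;
    $state[$user] = ['count' => $count, 'last' => $now];
    save_state($state);
    return $count;
}

// A successful login resets the counter for that user.
function note_success(string $user): void
{
    $state = load_state();
    unset($state[$user]);
    save_state($state);
}

// Constructed run: eleven bad attempts at the admin account, then the lock expiring.
@unlink(lock_state_path());
$t = 1000000; // stands in for time()
for ($i = 1; $i <= 11; $i++) {
    if (is_locked('admin', $t)) {
        echo "attempt $i: locked out, password not even checked\n";
        continue;
    }
    $n = note_failure('admin', $t);
    echo "attempt $i: wrong password, failure #$n\n";
}
echo is_locked('admin', $t + LOCK_SECONDS) ? "still locked\n" : "lock expired after LOCK_SECONDS\n";
@unlink(lock_state_path());
```

Counting per username means anyone who knows the admin username can lock the admin out on purpose, so in practice this is paired with a per-client-address limit or a growing delay rather than used alone.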
 

Elson

New member
I'm curious to know what approach you took in making this mod work. Could you post what changes you made and the version of dadabik that you modified?
 

Elson

New member
I apologize for double posting, but I hit the submit button by accident.

I believe that in order for this program to be more useful in community environments, it is imperative that some form of user permissions feature be added to this otherwise near-perfect program. A permissions system has already been proposed in the feature request forums here: http://www.dadabik.org/forum/read.php?f=2&i=482&t=482#reply_482

I'm glad that dadabiknewbie was able to solve his problem, and I look forward to seeing how the program was modified. Thank you!
 

dadabiknewbie

New member
I made this change in check_login.php so the admin user gets to view/edit all the records, while the normal user only accesses their own records.

// if the user type corresponds to the administrator type
if ($_SESSION['logged_user_infos_ar']['user_type_user'] === $users_table_user_type_administrator_value) {
    $current_user_is_administrator = 1;

    // By dadabiknewbie June 17, 2006
    // goal: switch authentication off (0) when the logged-in user is Admin rather
    // than Normal, so the ID_user restriction is not applied for the rest of this
    // request; normal users keep it on
    $enable_authentication = 0;

} // end if

That's it.

To avoid having to remove the admin... php files:

I renamed admin.php and internal_table_manager.php and upgrade.php and upgrade_3.2.php to xxx.php.cgi for security. When I need them I just rename them temporarily. Later I must use an htaccess on these files to keep them inaccessible even while I am working with them, but this is quick and dirty for now.

I also made some changes to the business_logic.php script's build_tables_names_array function to allow each user to be allowed precise table(s) access or not.
*Admin gets all access because of the above.

Note: Added $current_user to [global] at top of function.

Note: Added [tables_user] field to [users_tab] table, and inserted comma delimited list of user's allowed tables.

/*
By dadabiknewbie to allow specifying which tables which users can access,
and in which order they are shown in the select menu.

Note: Added $current_user to [global] at top of function.

Note: Added [tables_user] field to [users_tab] table, and inserted comma delimited tablename list of user's allowed tables.

(This goes at the bottom of the function just before "return $tables_names_ar;")
*/
// Every variable used here that is set outside the function ($current_user,
// $current_user_is_administrator, $conn, $quote, $users_table_name) must be listed
// in the function's global statement: under PHP function scope a missing one is
// null, and the "=== 0" test below would then silently never match.
if ($current_user && $current_user_is_administrator === 0) {
    // $current_user comes from the login session, not from the request, but it is
    // still placed unescaped inside the SQL string here
    $sql = "SELECT tables_user FROM ".$quote.$users_table_name.$quote." WHERE username_user = '$current_user'";
    $res = execute_db($sql, $conn);
    $row = fetch_row_db($res);
    $usertables = $row[0];
    // replace the full table list with the user's comma-delimited list, in that order
    if ($usertables) { $tables_names_ar = explode(",", $usertables); }
}

// Now I add Tablename as bold, to first field name header

// By dadabiknewbie end

return $tables_names_ar;

} // end build_tables_names_array function
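Two points in the post above are worth seeing in a form that can be run: the per-user tables_user lookup (the username is concatenated into the SQL string, and the list replaces the installed-table list without being checked against it), and the renaming of admin.php and friends. The block below is an added example, not DaDaBIK's own code and not the poster's: it looks the list up with a prepared statement, intersects it with the tables that are actually installed (administrators keep the full list, so the admin row needs no tables_user value), and defines a guard that admin-only scripts could require_once at their top instead of being renamed. It assumes PDO with the sqlite driver (used only so the example runs offline; the real installation would use its own connection), the users_tab / username_user / tables_user names from the post, and constructed sample users.

```php
<?php
// Added example (not DaDaBIK code): a per-user table allow-list looked up with a
// prepared statement and intersected with the tables DaDaBIK actually manages,
// plus a guard for admin-only scripts. Assumptions: PDO with the sqlite driver
// (offline stand-in for the real connection); a users table "users_tab" with
// columns "username_user" and "tables_user" as in the post; $installed stands in
// for the list build_tables_names_array() produced before this filter.

declare(strict_types=1);

// Constructed sample data standing in for the DaDaBIK users table.
function make_sample_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users_tab (username_user TEXT PRIMARY KEY, tables_user TEXT)');
    $ins = $db->prepare('INSERT INTO users_tab VALUES (?, ?)');
    $ins->execute(['alice', 'orders, customers']);      // spaces after the comma on purpose
    $ins->execute(['bob', 'orders,users_tab,no_such']); // tries to grant itself users_tab
    $ins->execute(['admin', null]);                     // admin rows need no list
    return $db;
}

// Fetch the comma-separated allow-list for one user. The username is bound as a
// parameter, so a username containing a quote cannot change the query, unlike the
// string-concatenated SELECT in the post.
function user_table_list(PDO $db, string $username): array
{
    $st = $db->prepare('SELECT tables_user FROM users_tab WHERE username_user = ?');
    $st->execute([$username]);
    $csv = $st->fetchColumn();
    if ($csv === false || $csv === null || trim((string) $csv) === '') {
        return [];
    }
    // trim each entry and drop empties so "orders, customers" works as intended
    return array_values(array_filter(array_map('trim', explode(',', (string) $csv)), 'strlen'));
}

// Apply the allow-list. Administrators keep the full list; everyone else gets the
// intersection of their list with the installed tables, in tables_user order.
// Names that are not installed, and the users table itself, are dropped rather
// than passed through to the table selector.
function restrict_tables(array $installed, array $allowed, bool $is_admin, string $users_table): array
{
    if ($is_admin) {
        return $installed;
    }
    $result = [];
    foreach ($allowed as $name) {
        if ($name !== $users_table && in_array($name, $installed, true)) {
            $result[] = $name;
        }
    }
    return $result;
}

// Guard for admin-only scripts (admin.php, internal_table_manager.php, ...): a
// require_once of a file holding this, as the very first line of each of them,
// keeps the files in place but refuses every request without an administrator
// session. $admin_value stands in for $users_table_user_type_administrator_value.
function require_administrator(array $session, string $admin_value): void
{
    $type = $session['logged_user_infos_ar']['user_type_user'] ?? null;
    if ($type !== $admin_value) {
        http_response_code(403);
        exit('administrator login required');
    }
}

$db = make_sample_db();
$installed = ['customers', 'orders', 'invoices', 'users_tab'];

foreach (['alice', 'bob', 'admin', "x' OR '1'='1"] as $user) {
    $is_admin = ($user === 'admin'); // stands in for $current_user_is_administrator === 1
    $tables = restrict_tables($installed, user_table_list($db, $user), $is_admin, 'users_tab');
    printf("%-14s -> %s\n", $user, $tables ? implode(', ', $tables) : '(no tables)');
}

// Constructed administrator session: the guard lets this one through.
require_administrator(['logged_user_infos_ar' => ['user_type_user' => '1']], '1');
echo "admin guard passed\n";
```

Filtering the list inside the function that builds it, as the post does, only hides tables from the selector; whatever script handles a request for a specific table must apply the same check to the table name it receives, otherwise a user can still open a table by editing the URL.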
 

Elson

New member
Wow! That's awesome code. This page is going right into my to-do folder. Thanks for posting your work. I won't be able to test it myself, but it looks like a good fix. Thanks again for sharing your work!
 

DebbieS

DaDaBIK Guru
I just tried out the code to allow specific tables -- worked great -- except I didn't want any other tables to display either. In the install I'm currently working on, there is only one table they are allowed to do anything with, so I just suppressed the view of the table drop-down by surrounding the table drop-down code with this:

// only administrators get the change-table drop-down; normal users never see it
if ($current_user_is_administrator === 1) {
    $change_table_form = build_change_table_form();

    if ($change_table_form != ""){ // if there is more than one table to manage
        txt_out('<table align="right"><tr><td align="right" class="small" nowrap>'.$change_table_form.'</td></tr></table>');
    } // end if
}


To get the logout back in the header/footer, change this line just above the logout line:

FROM
if ($enable_authentication === 1) {

TO
if (($enable_authentication === 1) || ($current_user_is_administrator === 1)) {

Worked for me.

 

marbour

Member
Hmm...

My opinion is that dadabiknewbie should change his name to dadabikclevernewbie.

I have been promoting the installation of multiple instances for the exact same problem (the admin being able to ...) for a while now.

Now, this very simple suggestion solves my problem half-way...

Would you have a suggestion for me? My problem is that I am also using the data in the table to output other stuff elsewhere. That being said, records not yet approved by admins require a field I called item_visible containing the value no (no is the default MySQL value for the field, while the field is simply not shown to the "normal user"). As of now, I have a duplicate instance that is reserved for admins and that shows the field so it can be "approved", then output in my "elsewhere" table mentioned above.

With this code hack suggestion, would anyone suggest how to go about having only one instance in which a field would be visible for admins and not for users?

My best guess is to add an if condition: user is admin and field name is item_visible, to show it or not... But that's hacking at a deeper level.

If anyone could shed light on my situation, I would appreciate it.

Best regards.

 

dadabiknewbie

New member
if ($current_user && $current_user_is_administrator === 0) {
    $sql = "SELECT tables_user FROM ".$quote.$users_table_name.$quote." WHERE username_user = '$current_user'";
    $res = execute_db($sql, $conn);
    $row = fetch_row_db($res);
    $usertables = $row[0];
    if ($usertables) { $tables_names_ar = explode(",", $usertables); }
}

I would suggest adding a table such as "admin_only" which has a list of
table_name,field_name_exclusive1,field_name_exclusive2...
Then find where dadabik gets its array to display a table, and try to alter that array
prior to display as follows:

If the user is not Admin, and the current table is found in the admin_only table, then remove the field_name_exclusive(s) from that array.
(Perhaps restoring this array to its original state after the display is done.)

This table-driven approach may get you more help from the publisher or other power users, as it can apply to all users. It is also easier to maintain than hard coding.


For user-level field access:
Could you add a field (or fields) to the users_tab table for each table you need to control?
This field could have a comma delimited list of field names that are available to that user.
Use code similar to the above to look up that "field list" by user and the current table in question.

Then find where dadabik gets its array or info to display fields, and conditionally alter it according to the field list looked up.

You should limit this behavior to only kick in for certain table name(s) (those that you have actually added the table name "column" to the users_tab for).

Either hard code it in the script,
or do yet another lookup of an "exception table" with a comma delimited list of table names that you want this behavior applied to.

Remember that the Admin MUST be allowed to access all, so don't apply any such changes to this view if Admin.

Certainly back up your .php files before you start playing with them. But then you can try commenting out functions until you find those that affect "only" the table views.

Are you sure that admin-only fields are not a feature of the table definition setup or the dadabik script setup?

Try Debbie; she seems to have taken my basic idea a step further. There is HTML being displayed in the function you are looking for.
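The reply above sketches two sources for field-level access: a table of admin-only fields per table, and an optional per-user field list per table. The block below is an added example, not DaDaBIK code and not something either poster wrote, showing both applied to the field array before a table is rendered. The "admin_only" table and the per-user lists are hypothetical and appear here as constructed arrays rather than database rows; $fields stands in for whatever array DaDaBIK builds for the table being displayed.

```php
<?php
// Added example (not DaDaBIK code) of the table-driven field hiding sketched in the
// reply. Assumptions: a hypothetical "admin_only" table (table_name, field list)
// and a hypothetical per-user field list per table, both shown as constructed
// arrays instead of database rows; $fields stands in for the array DaDaBIK builds
// before rendering a table.

declare(strict_types=1);

// Constructed data: admin-only fields per table, as "field1,field2" per table name.
const ADMIN_ONLY = [
    'items' => 'item_visible,approved_by',
];

// Constructed data: optional per-user field allow-lists, keyed by user then table
// (the "add a column per table to users_tab" variant). A table with no entry for
// the user is not subject to per-user filtering at all.
const USER_FIELDS = [
    'marbour' => ['items' => 'item_name,item_visible,price'],
];

// Split "a, b,c" into ['a', 'b', 'c'], ignoring blanks.
function csv_list(string $csv): array
{
    return array_values(array_filter(array_map('trim', explode(',', $csv)), 'strlen'));
}

// Returns the subset of $fields the user may see for $table, in original order.
// Administrators always get everything. Admin-only fields are removed first, then
// the per-user list (if one exists for this table) is applied.
function visible_fields(array $fields, string $table, string $user, bool $is_admin): array
{
    if ($is_admin) {
        return $fields;
    }
    $adminOnly  = ADMIN_ONLY;
    $userFields = USER_FIELDS;
    $hidden  = csv_list($adminOnly[$table] ?? '');
    $allowed = isset($userFields[$user][$table]) ? csv_list($userFields[$user][$table]) : null;

    $out = [];
    foreach ($fields as $f) {
        if (in_array($f, $hidden, true)) {
            continue; // admin-only column
        }
        if ($allowed !== null && !in_array($f, $allowed, true)) {
            continue; // not in this user's list for this table
        }
        $out[] = $f;
    }
    return $out;
}

// Constructed "items" table field list.
$items = ['id_item', 'item_name', 'price', 'item_visible', 'approved_by', 'notes'];

foreach ([['admin', true], ['marbour', false], ['guest', false]] as [$user, $isAdmin]) {
    printf("%-8s items: %s\n", $user, implode(', ', visible_fields($items, 'items', $user, $isAdmin)));
}
// a table with no admin_only row and no per-user list passes through unchanged
printf("%-8s other: %s\n", 'guest', implode(', ', visible_fields(['a', 'b'], 'other', 'guest', false)));
```

Removing item_visible from the array before the form is built keeps it off the screen, but the script that saves the submitted form must use the same filtered list when deciding which columns to write; otherwise a normal user can add item_visible=yes to the POST body by hand and approve their own record.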
 

Pattoncito

New member
I tried what dadabiknewbie suggested on 07-29-06, but it doesn't work:

*
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /admin/include/business_logic.php:1) in /admin/include/common_start.php on line 111

Warning: Cannot modify header information - headers already sent by (output started at /admin/include/business_logic.php:1) in /admin/login.php on line 80

Any idea?

 

DebbieS

DaDaBIK Guru
Without seeing all your files, the only suggestion I can make is to check that you have applied the code exactly as shown and in the correct location.
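The warnings quoted above say output started at business_logic.php line 1, which is the typical symptom of something being sent to the browser before session_start() runs: a UTF-8 byte-order mark, a blank line or space before the opening <?php, or text after a closing ?>. As an added example (not DaDaBIK code and not something either poster wrote), this script checks PHP files for exactly those cases. It writes constructed sample files to a temporary directory so it runs offline; point find_stray_output() at the real include files to check an installation.

```php
<?php
// Added example, not DaDaBIK code: finds the usual cause of "headers already sent
// by (output started at ...business_logic.php:1)". Anything outside the
// <?php ... ?> tags is output: a UTF-8 byte-order mark, whitespace before "<?php",
// or text after a closing "?>". Sample files are constructed in a temporary
// directory so the example runs offline.

declare(strict_types=1);

// Returns a list of human-readable findings for one file, empty if it is clean.
function find_stray_output(string $path): array
{
    $src = file_get_contents($path);
    if ($src === false) {
        return ["cannot read $path"];
    }
    $findings = [];
    if (strncmp($src, "\xEF\xBB\xBF", 3) === 0) {
        $findings[] = 'UTF-8 BOM before <?php (re-save the file without BOM)';
        $src = substr($src, 3);
    }
    $open = strpos($src, '<?php');
    if ($open === false) {
        $findings[] = 'no <?php tag at all: whole file is output';
    } elseif ($open > 0) {
        $findings[] = sprintf('%d byte(s) before <?php: %s', $open, json_encode(substr($src, 0, $open)));
    }
    // Heuristic: anything after the last closing tag counts, except the single
    // newline PHP itself swallows. A "?>" inside a string would confuse this.
    $close = strrpos($src, '?>');
    if ($close !== false) {
        $tail = substr($src, $close + 2);
        if ($tail !== '' && $tail !== "\n" && $tail !== "\r\n") {
            $findings[] = 'trailing output after ?>: ' . json_encode($tail);
        }
    }
    return $findings;
}

// Constructed samples standing in for include/business_logic.php and friends.
$dir = sys_get_temp_dir() . '/stray_' . getmypid();
mkdir($dir);
$samples = [
    'clean.php'    => "<?php\nfunction f() { return 1; }\n",
    'bom.php'      => "\xEF\xBB\xBF<?php\nfunction g() { return 2; }\n",
    'blank.php'    => "\n<?php\nfunction h() { return 3; }\n?>\n",
    'trailing.php' => "<?php\nfunction k() { return 4; }\n?>\n\n",
];
foreach ($samples as $name => $body) {
    file_put_contents("$dir/$name", $body);
}

foreach (array_keys($samples) as $name) {
    $findings = find_stray_output("$dir/$name");
    echo $name, ': ', $findings ? implode('; ', $findings) : 'ok', "\n";
    unlink("$dir/$name");
}
rmdir($dir);
```

Leaving the closing ?> off pure-code include files removes the trailing-output case entirely, which is why many PHP projects omit it.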

 

DebbieS

DaDaBIK Guru
I'm sorry... Trying to get the restricting of tables to each user working, and it's just not working for me. I've added the code as explained in dadabiknewbie's post above but do not understand the line:

//Now I add Tablename as bold, to first field name header

Is this code not supposed to ONLY display the allowed tables for each user? After I add the code as outlined, all the tables display and the user can select any one. I've got the appropriate tables listed in the users_tab in the tables_user field for each user.

I just don't know what I'm doing wrong. dadabiknewbie, could you post your entire build_tables_names_array for me to look at?

Thanks!

 

DebbieS

DaDaBIK Guru
I've gotten my installation to list ONLY the tables that each user is allowed to view! Locate in business_logic.php the following function:

function build_installed_table_infos_ar

After the line that reads "$i=0;", and before the line that starts with "while ($row...", insert the following code (this assumes you have a 'tables_user' field in your users_tab table):

// look up the comma-delimited list of tables this user may see
// ($current_user and $conn must be available inside the function, i.e. in its
// global statement; $current_user is put into the SQL string unescaped here)
$sqltable = "SELECT tables_user FROM users_tab WHERE username_user = '".$current_user."'";
$disptable = execute_db($sqltable, $conn);
$row2 = fetch_row_db($disptable);
$usertables = $row2[0];
$disptbl = array();
if ($usertables) { $disptbl = explode(",", $usertables); }

Then change the line below to the one underneath:

CHANGE:
if ($current_user_is_administrator === 1 || $row['name_table'] !== $users_table_name) {

TO:
// a table is listed only if it also appears in $disptbl; with this condition the
// administrator's own users_tab row needs its tables_user list filled in too
if (($current_user_is_administrator === 1 || $row['name_table'] !== $users_table_name) && (in_array($row['name_table'],$disptbl))) {

This returns ONLY the tables that are listed in the users_tab tables_user field for each user.

 

girljinbink

New member
I tried this out just as DebbieS suggested and I got this error:

Parse error: syntax error, unexpected $end in /home/isource1/public_html/portal/include/business_logic.php on line 4110

I am wanting this same issue solved - users are not supposed to be able to *create* DB entries, but only to VIEW those that are assigned to their username.
 

samfingcul

New member
Hello guys, and sorry for my bad English.
Many, many thanks if you would like to help me.

1. I need to make 50 users with 50 different tables. Every table has 60 fields (IDs).
For example:
- user1 can see and edit table1, which contains
* id 1 - form1 - form2 - form3 *
* id 2 - form1 - form2 - form3 *
* id 3 - form1 - form2 - form3 *
-----------------------------------
* id 60 - form1 - form2 - form3 *

- user2 can see and edit table2, which contains
* id 1 - form1 - form2 - form3 *
* id 2 - form1 - form2 - form3 *
* id 3 - form1 - form2 - form3 *
-----------------------------------
* id 60 - form1 - form2 - form3 *

and so on... 50 users and 50 different tables.
Every user can only view and edit his own table.

2. I want only form2 and form3 to be editable for ALL tables... so they can edit only form2 and form3.

3. The admin account can see all the tables of all users.

4. At 7 AM an email will be sent, but ONLY if form2 = 1. If form2 = 0 it won't be sent. (form2 = 1 means there is a technical problem and the technician must know about that problem and solve it.)

Can somebody help me with that? The most important thing is #1.
I know it's hard and a lot of work, but pretty please, help me if you can.
Take care.
 

DebbieS

DaDaBIK Guru
Have you tried to implement the changes outlined in this post? Once you have your users set up and the tables defined, just add the corresponding table name to the appropriate field in the users table.

You should be able to set that up if you follow the instructions outlined above.

As for your question #4: not a clue, sorry. Maybe someone else can help.

 

samfingcul

New member
Hi DebbieS, and thank you for your reply.
Please, if you have already done that, send me the necessary files. I tried to do it but I get errors; I'm not very good at PHP.
Send me the entire script with those modifications at samfingcul@yahoo.com please.
Thank you very much.
 