[Cartoweb-users] Edition security (user can edit only his data)
Oliver Christen
oliver.christen at camptocamp.com
Fri Jun 29 08:01:58 EDT 2007
Hi Igor
I suppose you can simply add something like:
$attributesFieldsSql .= ", owner";
$attributesValuesSql .= ", '$username'";
just before the $sql = sprintf('INSERT INTO ... (~line 267 or so)
----- Original Message -----
From: "Igor Evdokimov" <igev at mail.ru>
To: "Oliver Christen" <oliver.christen at camptocamp.com>
Cc: <cartoweb-users at lists.maptools.org>
Sent: Friday, June 29, 2007 1:41 PM
Subject: Re: [Cartoweb-users] Edition security (user can edit only his data)
>> You can get the current user login with:
>>
>> $sm = SecurityManager::getInstance();
>> $username = $sm->getUser();
>>
>> but I'm unsure where exactly you need to add the check. I suppose after
>> the user makes a selection with the "edit_sel" tool. That would be on
>> the server side, because you need to make the request before knowing which
>> editable objects were selected (in selectFeaturesByShape ?). And instead
>> of returning the selected features, return a boolean or something which
>> you would treat on the client side to tell the user he has no right on this
>> object. Maybe with a userMessage or you can make something fancier with
>> javascript.
>
>
> Thank You!
>
> I've done it.
>
> This way:
>
> in ServerEdit.php in selectFeaturesByShape()
> I've added this code in the beginning:
>
> ===================================
> protected function selectFeaturesByShape($shapes) {
>
>     $sm = SecurityManager::getInstance();
>     $username = $sm->getUser();
>     $own = $this->getConfig()->editOnlyOwnData;
>     if ($own == true)
>         $ownstring = sprintf("AND owner='%s'", $username);
>     else
>         $ownstring = "";
>     ...............
> ===================================
>
> in ./server_conf/my_project_name/ I've created file edit.ini :
>
> ===================================
> ; editOnlyOwnData = true; => user can edit only his own added data
> ; editOnlyOwnData = false; => user can edit all editable data
>
> editOnlyOwnData = true;
> ===================================
>
> And added an OWNER field in every editable database.
>
> It was easy with your help!
> I don't need to inform user that he cannot edit other user's data.
> I only need to select this user's own data.
>
> Now I must add code to automatically fill the 'OWNER' field
> with the user login name when a new record is created.
> I think it can be done in ServerEdit.php in insertFeature() function?
> Am I right?
>
> Best regards, Igor.
>
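
The owner filter and OWNER fill discussed in this thread, as an added example that is not part of either message and is not CartoWeb code. It uses PDO bound parameters instead of sprintf, so a login containing a quote stays plain data, and it repeats the owner check on the write as well as on the select. The features table, its columns, the function names and the in-memory SQLite database are assumptions for illustration.

```php
<?php
// Added example, not CartoWeb code. Table, columns and function names are hypothetical.
function selectEditable(PDO $db, string $user, bool $onlyOwn): array {
    $sql = 'SELECT id, name, owner FROM features';
    $params = [];
    if ($onlyOwn) {                    // same switch as editOnlyOwnData
        $sql .= ' WHERE owner = :owner';
        $params[':owner'] = $user;     // bound as data, never spliced into the SQL text
    }
    $st = $db->prepare($sql . ' ORDER BY id');
    $st->execute($params);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

function insertFeature(PDO $db, string $user, string $name): void {
    // owner is taken from the authenticated login, not from client input
    $st = $db->prepare('INSERT INTO features (name, owner) VALUES (:name, :owner)');
    $st->execute([':name' => $name, ':owner' => $user]);
}

function renameFeature(PDO $db, string $user, int $id, string $name): bool {
    // The owner predicate is repeated on the write, so an id that belongs
    // to another user's row changes zero rows.
    $st = $db->prepare(
        'UPDATE features SET name = :name WHERE id = :id AND owner = :owner');
    $st->execute([':name' => $name, ':id' => $id, ':owner' => $user]);
    return $st->rowCount() === 1;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE features (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)');
insertFeature($db, 'igor', 'parcel A');
insertFeature($db, "o'brien", 'parcel B');   // login containing a quote

echo count(selectEditable($db, "o'brien", true)), " row(s) visible to o'brien\n";
echo count(selectEditable($db, 'igor', false)), " row(s) with the filter off\n";
var_dump(renameFeature($db, 'igor', 2, 'taken over'));  // row 2 belongs to o'brien
var_dump(renameFeature($db, 'igor', 1, 'parcel A2'));   // igor's own row
```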