Sorry, but I wanted to know if your framework can filter all the data in a database distinctly for each user or user role.
I would like to reduce the visibility of data depending on the user or user role.
Is it possible?
Thanks, corchi
I created a client/server project with authentication, but I do not know if the data filter is already active or if I have to develop it.
Read the SAD pdf about security.
You have to change the TSQLAuthUser and TSQLAuthGroup tables content to reflect the proper user rights.
Once you have enabled authentication, remote access to the ORM CRUD actions will use the corresponding settings.
For more complex/complete control, you may define some interface-based services, then set the per-interface or per-method security options, to allow/disallow each service for each user or group.
All this is available and centralized in mORMot, you do not have to check the rights in your code, just set the user rights, and the RESTful router will react according to it.
I'd like to reduce the visibility of the data as I go along with the selection of records. Below I have included an example that shows the filters that I was running, automatically excluding the records that are not of interest.
If the user User1 wants to see their jobs and reports, they should not have to make a master-detail query between jobs and reports to display only their reports, but just type User1.Jobs.Reports.
Is it possible to get this kind of behavior with your framework?
Table2
Jobs
id Name
1 job1
Reports
id Name
1 Rep1 (user1)
2 Rep2 (user1)
3 Rep1 (user2)
4 Rep1 (user3)
Relationship table between the Jobs table and the Reports table:
JobRepots
source Jobs
des Reports
Then there are the tables:
User
id Name
1 User1
2 User2
3 ....
Relationship table between the User table and the Reports table:
UserRepots
source Users
des Reports
Thanks, corchi72
Set the TSQLAccessRights CRUD rights to null for the table, then use a dedicated service (interface-based or method-based?) to retrieve the data.
In this service, force a WHERE clause with a " and UserID=? " clause.
OK, I'll try and will let you know.
I'm new to mORMot and also looking into this. For example, I have 2 users:
UserID Name
1 John
2 Peter
And a set of reports:
ReportID UserID Name
1 1 Report 1
2 1 Report 2
3 1 Report 3
4 2 Report 1
5 1 Report 2
Now when John asks for /root/report he must only see 1, 2 and 3. Peter only 4 and 5.
When they add a report, the UserID must be set by the server; the user should have no idea about that.
Also, they should not be able to modify or delete each other's reports.
Can this only be done by creating a custom service that responds to all requests for GET, PUT, etc.?
See my answer above: http://synopse.info/forum/viewtopic.php?pid=7261#p7261
In short: yes, you need a custom service; otherwise you manage access per table and per CRUD operation, for each user's group.
You can add a feature request as a ticket - http://synopse.info/fossil/tktnew - if you want to add an optional lookup field to ensure that any query on a table will use it.
But it may not be so easy to implement, and not worth it, since the method-based service is very easy to do.
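The pattern from the answers above (no direct CRUD access to the table, plus a service that forces the "UserID=?" clause), sketched as an added example in Python with SQLite; it is not mORMot code and is not taken from the thread. ReportService, the Report schema and the sample rows are assumptions constructed for illustration, and session_user_id stands for the identity the server reads from the authenticated session, never from the request.

```python
import sqlite3

class ReportService:
    """Hypothetical server-side service: the only path to the Report table."""

    def __init__(self, db):
        self.db = db

    def list_reports(self, session_user_id):
        # Forced filter: the caller can neither supply nor remove the UserID clause.
        rows = self.db.execute(
            "SELECT ReportID, Name FROM Report WHERE UserID=? ORDER BY ReportID",
            (session_user_id,))
        return rows.fetchall()

    def add(self, session_user_id, name):
        # The owner is set by the server, never read from the request body.
        cur = self.db.execute(
            "INSERT INTO Report(UserID, Name) VALUES(?, ?)",
            (session_user_id, name))
        return cur.lastrowid

    def update(self, session_user_id, report_id, name):
        # "AND UserID=?" hides other users' rows from UPDATE as well.
        cur = self.db.execute(
            "UPDATE Report SET Name=? WHERE ReportID=? AND UserID=?",
            (name, report_id, session_user_id))
        return cur.rowcount == 1  # False: no such row, or not the caller's row

    def delete(self, session_user_id, report_id):
        cur = self.db.execute(
            "DELETE FROM Report WHERE ReportID=? AND UserID=?",
            (report_id, session_user_id))
        return cur.rowcount == 1

def make_sample_db():
    # Constructed sample data: John (UserID 1) owns reports 1-3, Peter (2) owns 4-5.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Report(ReportID INTEGER PRIMARY KEY, "
               "UserID INTEGER NOT NULL, Name TEXT)")
    db.executemany("INSERT INTO Report(UserID, Name) VALUES(?, ?)",
                   [(1, "Report 1"), (1, "Report 2"), (1, "Report 3"),
                    (2, "Report 1"), (2, "Report 2")])
    return db

if __name__ == "__main__":
    svc = ReportService(make_sample_db())
    print(svc.list_reports(1), svc.list_reports(2))
    print(svc.update(2, 1, "x"))  # Peter trying to rename John's report
```

Returning the same "not found" result for a missing row and for another user's row avoids revealing which report IDs exist.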