How do I restrict a users access to an object? - model-view-controller

Hi Sitepoint wizard people,
Say we have an admin application that has multiple users and various objects. What I'd like to do is control access within the object itself - that is, it will behave one way for one type of user, and another way for other users. For example...
Director Mike can override Reception user Sally's registration date. One would assume that Mike could set any date both in the past or in the future. Then we have Payroll user Steve who can also modify Sally's registration date, but only for dates in the past up until (for example) one year ago. To spice things up, then we have the HR Manager Mary who can also amend Sally's registration date, but only for dates from precisely 23rd June 2007 up until one month from now...
How can I program the access restrictions so that on the front end, the form control is restricted with a min and max date, and in the backend, the validator checks the entered date to make sure it falls between those dates? I'd obviously need to be able to tweak the min and max dates for each user type. Other objects might have different parameters - maximum amount on a discount field or days of the week for overtime, for example.
I've asked this question in different ways, but each time I get bogged down by the implementation. I'm currently developing it as a php/MySQL web-based application, but thoughts and comments from other platforms very welcome! This time I'm looking at first principles, so it doesn't matter what your background is, if you have any ideas, please let me know! What do you even call this type of access control...?

Depending of how you application is based, you could ask for credentials at the start of the application and depending on who is requiring access, you could load a different xml file containing different settings.
As for security issue, make sure that the different xml files can't be reached by the users.
Edit:
Since you are using MySQL you could do something like this.
Let's say you have a table of users that has those fields : UserId, UserName, RestrictionId.
And with a Restriction table that looks like : RestrictionId, FieldName, FieldCondition.
This way, in your php app, when a user is authenticated, you can go fetch the correct "Restrictions" on the field and apply them in your code. If it happens that you have multiple fields that require different rules then you can simply add them with the correct RestrictionId.
This DB design is far from perfect, I'm pretty sure you can do better

Since, you are already using MySql db. You can maintain the UserRole Master table details in DB itself. Load the user role data based on login, then you can easily validate the changes made by the user accordingly.

Related

In QuickBase, is there a way to make one field have unique user access?

I'm the QuickBase Admin for my QuickBase app. In the app, there's a dashboard report that's used by individuals with viewer access; that way, they can see their students' data, but can't edit the app, tables, structures, etc.
My app's users want to be able to edit one field with notes on that row's data (each row is a student's data, so they'd want to use that field to add notes on that individual), but viewers don't have editing/data entry access tn any column. Is there a way for users to have editing/data entry access to one field, but not the others?
I know with Tableau and other BI software, this isn't possible, but I wanted to ask since my users asked.
Thank you for reading.
Sure you can.
Actually there are more ways to implement this needs.
My opinion better if you create a new table and make a relationship between the student data and a (new) Notes table and you will be able to setup edit rights eg by record owner.
An other way, you can allow the edit right for your users and you can make a restriction on field level. In this case you have to go through on each field and at the Advanced section you will find Permission - Restrict access by role.
Hopefully you do not have a lot of fields :)

Want to build an attendance management system using MEAN stack

I want to build an attendance management system using MEAN stack. The application should work like this -
There will be an admin who will control CRUD operations on User and as well as look into the Attendance of each user and have a detailed list of average attendance of the user per month and per year.
There will be a user page and when the user logs in i want to store the date and time in the client side and then send it to the database. So that based on the time and date the admin can see when the user has logged in and mark the user as present for that particular day.
I want to know how to store the date and time in the client side and then pass it onto the database for calculations. Also wanted to know that is it necessary to authenticate in the front end as well?
May be I am late, but I can try to answer your query.
You can store date and time as an object and pass it via request parameters to the backend to store it in the database.
You can take a look a the following on how to get date and time in Javascript How do I get the time of day in javascript/Node.js?

Microstrategy - How to apply a security filter just to certain report?

I need to apply a filter in some report for some users.
I was told that the best way to do this is a security filter but i discovered that security filters are applied to all the reports that the user open.
I need some kind o filter that filter an attribute on a user but just on some reports, not all.
example:
if report1{
if user1 then attribute = 1
if user2 then attribute = 2
}
let's say i have departments and chiefs of those departments.
It is not a matter of security but a matter of comfort.
I want to avoid the chief of a department to manually select (prompt) his department.
It would be more comfortable if the system would recognize the user and show the data of his interest.
There a different ways to solve this kind of scenario, depending on the level of flexibility you want to offer to your user and the effort you need to implement and maintain the solution.
The User Login way
No flexibility, low maintenance, more effort to implement
Use the User Login prompt. This is a system prompt (created by default MicroStrategy) that returns the user login. If you have a table with the data that a user can see like this:
UserLogin YourAttribute
user1 attribute1
user2 attribute2
user3 attribute3
... ...
You can create an attribute UserLogin to be parent of the Attribute you want to use as filter and then create a filter (User Login = User Login System prompt)that you will put in your report.
More detailed information can be found here.
Once implemented this solution will you need to maintain that new table and when the user run a report with that filter it will be able to see only his data. It's similar to a security filter, but now you can decide where to apply the filter.
Multiple reports for multiple prompt defaults
Flexibility, high maintenance, little effort to implement
For each user create a copy of that report with the proper answer as default.
Maybe you can create ten reports now, but if you need to modify that report tomorrow you will need to modify ten report or recreate again all copies with different prompt answers.
Anyway this is good for the users, because they can change the prompt answers if they need.
Using URL to answer prompts
Flexibility, low maintenance, variable effort to implement
Instead to run the report using MicroStrategy you can provide to each user a specific URL that, using MicroStrategy URLAPI, answer automatically the prompt.
Of course you need to prepare the URLs in advance or find a way to do it programmatically. This is a good solution if the user don't want to navigate the MicroStrategy web interface but just run the report.
Subscribe the prompt answers
Flexibility, low maintenance, medium effort to implement
Have the report with the proper prompt answer delivered to your user every morning (or when you want). Using MicroStrategy Distribution Services you can deliver a report or document to your user and for each user you can specify the correct prompt answers.
No user can receive the full report in their mail box or just a link to their history link, opening that link they will see the report with their data. Of course users (or probably you) will need to setup all the subscriptions required.
Final thoughts
In these case I prefer to leave flexibility to users and teach them how to use the product. Of course there are some people they have no time for this kind of things (usually C something levels), in that case the best this is to have the data delivered to their email.
I understand some of these options are not that straight forward to implement if you are new to MicroStrategy.
My suggestion: for now go with the subscriptions (if you can) or teach your users how to save their own copy of that report (in My Reports) with the prompt already answered (oh, yes, this was another option, but each user has to do it), every time they will open it now, the prompt won't show up (but if you change the original report they will need to do it again).
Let me know if you need more details.

How to show only permitted user_type fields on frontend

How would one go about creating a function/plugin for the following?
I have two user_types, FREE and PAID.
Both users have certain fields they can fill in. The PAID user has more fields they can fill in.
If a PAID user reverts back to a FREE user, how can only the FREE fields show on the frontend without showing the already PAID fields?
There must be a way to filter the fields per user_type? I'm very much a noob at writing code.
If anyone could explain and guide me, that would be great.
Cheers,
I have done something like this some time ago for something different. It was about showing content only to users with a specific user level.
You could register new user roles and check whether the current user (of the site, probably logged in) has the appropiate user role to view specific content.
I used is_user_in_role on the frontend and that works fine for me.
Concerning the PAID fields: Let the users fill them with content but add a notice like "Pay to show these fields publicly" on the frontend when he visits his own profile (or whatever you are building). This sometimes works very well for getting more paid users (make sure, you really have a benefit from those fields).

Laravel keep information about users on multiple sessions

I'm implementing my database. xD
Should I make changes, but I would like any further information about it, by those who are more experienced than me.
1) Should I make sure to keep a tracking for security reasons.
I would like to create a table "access", which contains the following fields.
id, id_user, browser, os, dates, ip.
What should I change, to ensure that each time the user login, is added a new record in this table.
If you have more tips on how to improve this point, I'd be grateful.
2) I would like to do so you can make the user choose whether the session of his choice or whether permanent or not.
I could only find a way to do it, that the session lasting for a certain period of time.
But I would like to implement a graft.
3) Should I implement multiple sessions, I'll explain.
The possibility that every user experience their sessions, such as facebook ago.
You can see how many active sessions exist and on what date.
I thought at a table like this:
id, id_user, queues, browser, os, dates, ip.
What do you think, you can do what?
If yes, what should I change in the structure of laravel to do this?
Thank you in advance who will help me.
I apologize for my English and the long text.
1) You should use also timestamp that logging table. You can use the built in updated_at and created_at timestamps. In your login function simply create a new instance of the model, populate the attributes and save() it.
2) There is a built in remember me behavior that you can use. More details can be found in the Laravel docs http://laravel.com/docs/4.2/security
3) Can you explain more of why you would want to implement multiple sessions? Why would this be useful for your application?
I hope my answer helps.

Resources