Record Level Security

From Achievo/ATK Wiki

Jump to: navigation, search

ATK Howto: Record Level Security

Complexity: Advanced
Author: Sam Kapilivsky

List of other Howto's

Sometimes you want to allow your users to edit certain records but not others from the same node.

To do so, you should override the allowed() action in your node. You may optionally also use setFilter() to hide the records users may not edit.

Notice that just using setFilter will hide the records, but not provide security in case a user hand-crafts a URL to edit a record. In order to provide security you MUST code the allowed() function.

Per-record action security

The following code allows a user to edit only the records that belong to them: 

function allowed($action, $record="") 
{ 
    $user = getUser(); 
    if($action=="edit" && $record['owner']['id'] <> $user['id']) 
    { 
        return false; // not allowed if not your own record 
    } 
    // call base class method to perform default authorization in all 
    // other cases. 
    return parent::allowed($action, $record); 
}
Retrieved from "http://www.achievo.org/wiki/Record_Level_Security"
Personal tools
Navigation