Steven
Posted: 10/19/2002, 7:28 AM
I had a problem where users of the same security level could edit each other's records.
I have added a user_id field into each db table, and on original input of the record I grab the session(UserID) into $flduser_id, and then later on any edit pages I do a check in the Before Show event as follows:
    // name of the logged-in user, used only for the message
    $usernamecheck = dlookup("users", "first_name", "user_id=" . get_session("UserID"));
    if ($flduser_id == get_session("UserID")) {
        $flduser_id = $flduser_id;   // owner matches the session: leave as is
    } else if ($flduser_id < get_session("UserID")) {
        print "sorry $usernamecheck but this is not one of your entries and so access to edit, is not available to you";
        exit;
    }
Can anyone see any problems with this? It does seem to work ok, and I have tried hacking the URL to try to get into the page via different URL vars, but it seems to manage the problem ok.
Am I re-inventing the wheel here, or is this a suitable way to check who 'owns' the actual record entry, other than just a check for page security?
Steven Dowd
steven@dowd.info
Steven
Posted: 10/19/2002, 9:24 AM
Forgot to say, this was CodeCharge 2, PHP 4 + MySQL.
Steven Dowd
Nicole
Posted: 10/21/2002, 4:30 AM
Steven,
The code looks like it should work. The only thing I suggest is to use more compatible code like:
    if ($flduser_id != get_session("UserID"))
    {
        echo " text ";
        exit;
    }
Note that the user_id field should exist on the form to make the code work.
Steven
Posted: 10/21/2002, 6:07 AM
Nicole,
Thanks
That does make better sense, and I have implemented the change as suggested.
This does seem to work great; it just means capturing the user_id of the person that adds the original record, but that then locks it as accessible by 'only' the owner in any publicly available 'editing' pages.
In admin, I have a page that's basically the same, but without the check; this then enables admin to access 'any' records.
Steven Dowd
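The ownership check discussed in this thread, as an added example that is not code from the thread or from CodeCharge. It puts Nicole's `!=` comparison next to a version that re-reads the owner from the database by record id, so the decision never depends on a user_id value that travelled with the request, and it folds Steven's admin page into an explicit role check instead of a copy of the page without the test. The PDO/SQLite fixture, the `records` table, the `is_admin` column and the user names are assumptions constructed so the script runs offline; the column name user_id and the session key UserID are the thread's.

```php
<?php
// Added example, not code from the forum thread or from CodeCharge.
// Assumptions: PDO is available, the owner column is named user_id (the
// thread's name), the logged-in user's id is carried in the session as
// UserID, and admins are flagged by an assumed is_admin column on users.
declare(strict_types=1);

// Constructed in-memory fixture so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, is_admin INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE records (record_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 0), (2, 'bob', 0), (9, 'root', 1)");
$db->exec("INSERT INTO records VALUES (100, 1, 'alice record'), (101, 2, 'bob record')");

// Weak variant: the owner id is taken from the submitted form (a hidden
// field or URL variable). The comparison itself is right, but the value
// being compared is under the client's control.
function canEditTrustingForm(array $form, int $sessionUserId): bool
{
    return isset($form['user_id']) && (int) $form['user_id'] === $sessionUserId;
}

// Hardened variant: re-read the owner from the database by record id and
// compare it with the session. Client input only selects the record; it
// never supplies the owner. Admin access is an explicit role check rather
// than a separate page with the test left out.
function canEditRecord(PDO $db, int $recordId, int $sessionUserId): bool
{
    $stmt = $db->prepare('SELECT user_id FROM records WHERE record_id = :rid');
    $stmt->execute([':rid' => $recordId]);
    $owner = $stmt->fetchColumn();
    if ($owner === false) {
        return false;            // unknown record: deny rather than fall through
    }
    if ((int) $owner === $sessionUserId) {
        return true;
    }
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE user_id = :uid');
    $stmt->execute([':uid' => $sessionUserId]);
    return (int) $stmt->fetchColumn() === 1;
}

// Before Show / Before Update style guard: call this first on the edit page.
function guardEdit(PDO $db, int $recordId, int $sessionUserId): void
{
    if (!canEditRecord($db, $recordId, $sessionUserId)) {
        $stmt = $db->prepare('SELECT first_name FROM users WHERE user_id = :uid');
        $stmt->execute([':uid' => $sessionUserId]);
        $name = $stmt->fetchColumn();
        $name = $name === false ? 'user' : (string) $name;
        http_response_code(403);
        echo 'Sorry ' . htmlspecialchars($name) . ", this is not one of your entries.\n";
        exit;
    }
}

// Demonstration: bob (UserID 2) submits an edit for record 100 with the
// hidden user_id field changed to his own id (constructed request).
$bobSession = 2;
$submitted  = ['record_id' => '100', 'user_id' => '2'];
printf("form-based check, record 100 as bob:  %s\n", canEditTrustingForm($submitted, $bobSession) ? 'allowed' : 'denied');
printf("db-based check,   record 100 as bob:  %s\n", canEditRecord($db, 100, $bobSession) ? 'allowed' : 'denied');
printf("db-based check,   record 101 as bob:  %s\n", canEditRecord($db, 101, $bobSession) ? 'allowed' : 'denied');
printf("db-based check,   record 100 as root: %s\n", canEditRecord($db, 100, 9) ? 'allowed' : 'denied');
```

Run it with `php ownership_check.php` (any file name). The form-based check is satisfied by the altered hidden field, while the database-based check only allows bob on his own record 101 and allows the admin user on anything. In a CodeCharge-style page the place to call `guardEdit` is the Before Show event for display and the Before Update/Before Delete events for the write path, so that the check runs on every request that can change the row and not only when the form is rendered.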