Forced filtering (aka database security)

General

kev     3 months ago

Firstly, this project is awesome.

I know this has been brought up previously but I want to add more to the topic. It would be very useful to have some more database security options. For example, if I made a notes app with multiple users, I wouldn't want Joe having access to Bob's notes. One way to do this would be forced filter views, where the filter is pre-configured and can't be changed by the user. This doesn't cover every case and it's not perfectly secure but it would keep things simple and intuitive.



Ken      3 months ago

I'm not an expert, but "row ownership" should do this for you, as explained in the link below:

https://blog.saltcorn.com/view/Full%20Post?title=Saltcorn%200.3.3%20-%20Row%20ownership%2C%20layout%20options%2C%20plans%20for%201.0.0


kev      3 months ago

Ah I should have given a different example.

Say I have several Companies, each one has Employees and Clients. How do I make it so Employees can only see the Clients that belong to their Company?


Thanks,

Kev


kev      3 months ago

Seems like some changes to the permission system might be needed for that.


      3 months ago

Yeah, that needs a totally different methodology. You might be able to do this by creating a view that shows only the clients of the employee's company. The SQL would be something like the line below if you were writing it in PHP, but I don't know how to do that in Saltcorn.

select * from clients where company in (select company from employees where employeeid=$loggedinuserid)


      3 months ago

I did figure out how to make a view like that (make a List view of the Clients, then embed it in a Show view of the Company, select clients.company), but there are still issues such as needing a way to load the Company into the view. It also probably isn't very secure.
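The query posted above, and the "how do I load the Company into the view" problem from this last post, as an added example that is not Saltcorn's code or either poster's. It runs the same employees-to-company-to-clients filter against an in-memory SQLite database with constructed sample tables (companies, employees, clients, and the rows in SAMPLE_ROWS are all assumptions made for the demo). The logged-in employee's id is a bound parameter, and the company is derived from that employee's row on the server, which is what makes the filter "forced". The last function shows the opposite pattern, where the company id comes from the request: there the filter is only a suggestion and any employee can ask for another company's clients.

```python
import sqlite3

# Constructed sample schema and rows for the example (not from the thread).
SCHEMA = """
CREATE TABLE companies (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE employees (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    company INTEGER NOT NULL REFERENCES companies(id)
);
CREATE TABLE clients (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    company INTEGER NOT NULL REFERENCES companies(id)
);
"""

SAMPLE_ROWS = {
    "companies": [(1, "Acme"), (2, "Globex")],
    "employees": [(10, "Joe", 1), (20, "Bob", 2)],
    "clients": [
        (100, "Acme client A", 1),
        (101, "Acme client B", 1),
        (200, "Globex client", 2),
    ],
}

# The filter from the thread: clients whose company is the company of the
# logged-in employee.  The employee id is a bound parameter (?), never spliced
# into the SQL text.
CLIENTS_FOR_EMPLOYEE = """
SELECT c.id, c.name
FROM clients AS c
WHERE c.company IN (
    SELECT e.company FROM employees AS e WHERE e.id = ?
)
ORDER BY c.id
"""


def open_db() -> sqlite3.Connection:
    """Create an in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        # Table names come from the constant dict above, not from user input.
        placeholders = ", ".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def clients_visible_to(conn: sqlite3.Connection, employee_id: int) -> list:
    """Forced filter: the company is derived server-side from the
    authenticated employee's own row, so the caller cannot choose it."""
    return conn.execute(CLIENTS_FOR_EMPLOYEE, (employee_id,)).fetchall()


def clients_by_requested_company(conn: sqlite3.Connection,
                                 company_id_from_request: int) -> list:
    """The pattern to avoid: if the Company is 'loaded into the view' from
    something the user controls (a URL or form parameter), the filter is only
    advisory and any company's clients can be requested."""
    return conn.execute(
        "SELECT id, name FROM clients WHERE company = ? ORDER BY id",
        (company_id_from_request,),
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("Joe (Acme) sees:", clients_visible_to(db, 10))
    print("Bob (Globex) sees:", clients_visible_to(db, 20))
    # Joe is the logged-in user, but the request names Globex (company 2):
    # with the request-driven filter he gets Globex's client anyway.
    print("Joe asking for company=2:", clients_by_requested_company(db, 2))
```

In a real app the employee id passed to clients_visible_to must come from the server-side session, not from anything the browser sends; the view can then be opened without "loading" a Company at all, because the company is looked up from the user.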


