close ad
Databridge V2 with MySQLi support IS Now Available!
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Security Assist Rule User Is Owner ie user is logged in as the owner of the record

Thread began 3/23/2021 11:42 am by jo271221 | Last modified 3/25/2021 9:48 am by Ray Borduin | 29 views | 7 replies |

jo271221

Security Assist Rule User Is Owner ie user is logged in as the owner of the record

I am getting this error with my rule that I created to only allow the owner of the record to access the page ie.
Page url and log in credentials to duplicate error are in private message as well as FTP.
I have a backup of the helpergrouprules.php on the server.

/security_assist/helpergroupsrulesphp.php:41 Stack trace: #0 /homepages/26/d861213362/htdocs/outdoortradersmarket/webassist/security_assist/helper_php.php(466): WA_Auth_GetComparisonsForRule('user is owner') #1 /homepages/26/d861213362/htdocs/outdoortradersmarket/webassist/security_assist/helper_php.php(461): WA_Auth_RuleObject_EvaluateRules('user is owner') #2 /homepages/26/d861213362/htdocs/outdoortradersmarket/user-profiles/user-update.php(26): WA_Auth_RulePasses('user is owner') #3 {main} thrown in /homepages/26/d861213362/htdocs/outdoortradersmarket/webassist/security_assist/helpergroupsrulesphp.php on line 41

Line 41 is
case "user is owner":
$comparisons[0] = array(TRUE, "".((isset($_SESSION['SecurityAssist_id']))?$_SESSION['SecurityAssist_id']:"") ."", 1, "".($WADAtbl_directorylistings_update->getColumnVal("id")) ."");
$comparisons[1] = array(FALSE, "".((isset($_SESSION['SecurityAssist_id']))?$_SESSION['SecurityAssist_id']:"") ."", 2, "".($WADAtbl_directorylistings_update->getColumnVal("id")) ."");
break;
case "Validated form":
$comparisons[0] = array(TRUE, "".((isset($_GET['invalid']))?$_GET['invalid']:"") ."", 2, "");
break;
}

Sign in to reply to this post

Ray BorduinWebAssist

You are referencing a Recordset in your rule... that won't work. What were you trying to do with this rule? Usually you save a session variable on login and compare that to an entered value in the rule.

Sign in to reply to this post
Did this help? Tips are appreciated...

jo271221

I want the page to only be accessed and redirect to login IF the logged in user's id matched the session ID. If that is not possible, I guess I want the content of the page to only be visible IF the id matches the session id. So I assume I need to do that on the page rather than a security rule,

Sign in to reply to this post

Ray BorduinWebAssist

It is fine to check session values in the rules, just not Recordset values which don't exist on all pages.

Sign in to reply to this post
Did this help? Tips are appreciated...

jo271221

I now have restricted access so that ONLY the owner of a record can update their info.

I added a show if rule on the page that actually only shows the content of the update page IF the session variable matches the userid (from the recordset) and apply another show if rule that if it does not match display a message "You may only update your own profile, if this is your profile, please log in"

I actually accomplished this and copied the code in the private message.
I copied the code from another website that we had done this on to my new page and adjusted recordset name. I did not find anything in the plug in interface to do this. (I did find a show if record is empty but not using the session variable.)

Is there something in the interface that I should be using or just copy and paste as I did below in private message.

Sign in to reply to this post

Ray BorduinWebAssist

That should work. Usually I filter the recordset with the userid from the session and that is how I restrict the access when I want a user to only be able to view their records. This is always done on the page and not in the security rules.

Sign in to reply to this post
Did this help? Tips are appreciated...

jo271221

Thank You.

Can you please send an example of filtering the recordset with the userid from the session and that is how I restrict the access when I want a user to only be able to view their records?

I would think this would be something that should be applied to most all update pages.

Sign in to reply to this post

Ray BorduinWebAssist

You just add a sql parameter to your recordset:

WHERE UserIDColumn = sqlparam

Then define the sqlparam to be equal to the value in the session.

Then you can redirect if the recordset is empty (since that means they don't have access)

Sign in to reply to this post
Did this help? Tips are appreciated...

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...