Access Rules Manager - Problem creating new rules using dynamic source

Hi Jason/Webassist,

Please help me.

I'm having problems implementing an access rule which grants access to a DA order detail page according to an exact match between the session email AND the email field of the record displayed on the detail page. I need to use this in a "show region if" server behaviour applied to the visible page content.

(This is necessary for security purposes as the detail page displays unique customised products and nobody other than the initiator of the order should see it under any circumstances including by guessing the link if they are a member themselves i.e. "logged in to members" isn't sufficient and each order is associated with a single email address which = the unique username)

FYI, applying "show region if" using the "logged into members" preset works fine so everything is loaded OK. Things also work when I add an absolute email address e.g. test@test.com into the compare-to field versus the session email. But they DON'T work when I try to pick up the compare-to variable dynamically from the lightening bolt at all. I've been through all the help documentation and seem to be doing everything right. Sessions are activated on the page.

So...I figure this must be something you can solve for me! Can you tell me what code the rule should read for this please?

The code from HelpersGroupsRules.php is:
________________________
case "Order detail security":
$comparisons[0] = array(TRUE, "".((isset($_SESSION['email']))?$_SESSION['email']:"") ."", 1, "".$row_WADAorders['email'] ."");
break;
_________________________

I've also tried using a php echo of the comparison field in a hidden field on the page (outside the "show if" region) named owneremail which results in the code below (again, no joy).

case "Order detail security":
$comparisons[0] = array(TRUE, "".((isset($_SESSION['email']))?$_SESSION['email']:"") ."", 1, "".((isset($_POST["owneremail"]))?$_POST["owneremail"]:"") ."");
break;
____________________________

Fingers crossed this a simple mistake to correct - hopefully you can send me a code correction (I've been working on this all day and can't see the wood for the trees any more).

But if this isn't easy to solve please can I ask you to open a support ticket and tell me what else I need to provide you with so I can send you more info in 1 go (unfortunately I'm unable to post the page this is applied to on a public forum)? I'm in Australia so any on-line conversation with USA isn't a practical option unfortunately.

Very gratefully yours as usual,

Ann

The Access rules manager cannot use recordset or form data in creating the rules. instead of creating rules in security assist and using the security Assist show if behavior, you will to hand code If statements manually



For example, to compare the session against the recordset:

<?php if(isset($_SESSION['email']) && $_SESSION['email'] != "" && $row_WADAorders['email'] != "" && $_SESSION['email'] == $row_WADAorders['email']) { ?>

...Do something...

<?php } ?>

or for comparing the session to the owner email form element.

<?php if(isset($_SESSION['email']) && $_SESSION['email'] != "" && isset($_POST["owneremail"]) && $_POST["owneremail"] != "" && $_SESSION['email'] == $_POST["owneremail"]) { ?>

...Do something...

<?php } ?>

Thanks a million Jason - got it all working OK now. Cheers, Ann

you're welcome.

Hi,

I'm trying to only allow update access to records created by the person logged in, and me, the admin.

The manual code that seems to work is this:

<?php if($_SESSION[username] == $row_WADAallshows['recordcreator']) { ?>

Show Update / Delete Buttons

<?PHP
}
?>

I haven't figured out how to add "Or userlevel = admin" yet.

Is there anyway to save this in security assist manager as a rule? As discussed above, the $rows trip up the program. Unfortunately, that makes the manager not so useful, and I might ask for a refund.

You cannot use recordset values in access rules. It is a limitation of the Access rules manager.


If you need to use a recordset value, you need to hand code the if statement instead of creating an access rule:

Why don't you support recordset content? It seems I keep running into this problem. I doesn't make sense, how is this an effective tool if I have to handcode anything I want from a recordset, which is what I use 90% of the time! How do I go about getting a refund for this plugin? It has wasted much of my time and I'd like to get a refund.

Thanks.
Keegan

using a recordset value for security rules is not the intended use of security assist access rules.

security access rules are intended to be used based on data stored in the user table for the user logging in.

Information for the logged in user should be stored in session variable at login time rather than looking it up in a recordset after the user has logged in.

In the Authenticate User Server behavior, go to the Session tab to select other columns from your users table to be stored in session variables when the user logs in.

then create the access rules in security assist to use the sessions instead of using recordsets.

It seams to me you are trying to use the access rules for something they are not intended to do.


if you would rather a refund, send your refund request to the sales department at sales@webassist.com

It still doesn't work. It doesn't secure the page. It allows me to go on the page even when there are no sessions going.

I'll contact them for a refund.

If you would like to look into the issue further, please provide more details about the rule that was created

a copy of the login page and the protected page would help along with the webassist/securityassist/helpergrouprules.php file.