close ad
Databridge V2 with MySQLi support IS Now Available!
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Access Rules Manager - Problem creating new rules using dynamic source

Thread began 11/18/2009 11:37 pm by afkrennie381204 | Last modified 4/27/2012 5:51 pm by Jason Byrnes | 2034 views | 9 replies |

afkrennie381204

Access Rules Manager - Problem creating new rules using dynamic source

Hi Jason/Webassist,

Please help me.

I'm having problems implementing an access rule which grants access to a DA order detail page according to an exact match between the session email AND the email field of the record displayed on the detail page. I need to use this in a "show region if" server behaviour applied to the visible page content.

(This is necessary for security purposes as the detail page displays unique customised products and nobody other than the initiator of the order should see it under any circumstances including by guessing the link if they are a member themselves i.e. "logged in to members" isn't sufficient and each order is associated with a single email address which = the unique username)

FYI, applying "show region if" using the "logged into members" preset works fine so everything is loaded OK. Things also work when I add an absolute email address e.g. test@test.com into the compare-to field versus the session email. But they DON'T work when I try to pick up the compare-to variable dynamically from the lightening bolt at all. I've been through all the help documentation and seem to be doing everything right. Sessions are activated on the page.

So...I figure this must be something you can solve for me! Can you tell me what code the rule should read for this please?

The code from HelpersGroupsRules.php is:
________________________
case "Order detail security":
$comparisons[0] = array(TRUE, "".((isset($_SESSION['email']))?$_SESSION['email']:"") ."", 1, "".$row_WADAorders['email'] ."");
break;
_________________________

I've also tried using a php echo of the comparison field in a hidden field on the page (outside the "show if" region) named owneremail which results in the code below (again, no joy).

case "Order detail security":
$comparisons[0] = array(TRUE, "".((isset($_SESSION['email']))?$_SESSION['email']:"") ."", 1, "".((isset($_POST["owneremail"]))?$_POST["owneremail"]:"") ."");
break;
____________________________

Fingers crossed this a simple mistake to correct - hopefully you can send me a code correction (I've been working on this all day and can't see the wood for the trees any more).

But if this isn't easy to solve please can I ask you to open a support ticket and tell me what else I need to provide you with so I can send you more info in 1 go (unfortunately I'm unable to post the page this is applied to on a public forum)? I'm in Australia so any on-line conversation with USA isn't a practical option unfortunately.

Very gratefully yours as usual,

Ann

Sign in to reply to this post

Jason ByrnesWebAssist

The Access rules manager cannot use recordset or form data in creating the rules. instead of creating rules in security assist and using the security Assist show if behavior, you will to hand code If statements manually



For example, to compare the session against the recordset:

php:
<?php if(isset($_SESSION['email']) && $_SESSION['email'] != "" && $row_WADAorders['email'] != "" && $_SESSION['email'] == $row_WADAorders['email']) { ?>

...Do something...
<?php ?>




or for comparing the session to the owner email form element.

php:
<?php if(isset($_SESSION['email']) && $_SESSION['email'] != "" && isset($_POST["owneremail"]) && $_POST["owneremail"] != "" && $_SESSION['email'] == $_POST["owneremail"]) { ?>

...Do something...
<?php ?>
Sign in to reply to this post

afkrennie381204

Thanks a million Jason - got it all working OK now. Cheers, Ann

Sign in to reply to this post

Jason ByrnesWebAssist

you're welcome.

Sign in to reply to this post

drostenator386534

similar recordset problem

Hi,

I'm trying to only allow update access to records created by the person logged in, and me, the admin.

The manual code that seems to work is this:

<?php if($_SESSION[username] == $row_WADAallshows['recordcreator']) { ?>

Show Update / Delete Buttons

<?PHP
}
?>

I haven't figured out how to add "Or userlevel = admin" yet.

Is there anyway to save this in security assist manager as a rule? As discussed above, the $rows trip up the program. Unfortunately, that makes the manager not so useful, and I might ask for a refund.

Sign in to reply to this post

Jason ByrnesWebAssist

You cannot use recordset values in access rules. It is a limitation of the Access rules manager.


If you need to use a recordset value, you need to hand code the if statement instead of creating an access rule:

Sign in to reply to this post

keegan431775

Why don't you guys support recordset content?

Why don't you support recordset content? It seems I keep running into this problem. I doesn't make sense, how is this an effective tool if I have to handcode anything I want from a recordset, which is what I use 90% of the time! How do I go about getting a refund for this plugin? It has wasted much of my time and I'd like to get a refund.

Thanks.
Keegan

Sign in to reply to this post

Jason ByrnesWebAssist

using a recordset value for security rules is not the intended use of security assist access rules.

security access rules are intended to be used based on data stored in the user table for the user logging in.

Information for the logged in user should be stored in session variable at login time rather than looking it up in a recordset after the user has logged in.

In the Authenticate User Server behavior, go to the Session tab to select other columns from your users table to be stored in session variables when the user logs in.

then create the access rules in security assist to use the sessions instead of using recordsets.

It seams to me you are trying to use the access rules for something they are not intended to do.


if you would rather a refund, send your refund request to the sales department at sales@webassist.com

Sign in to reply to this post

keegan431775

It still doesn't work. It doesn't secure the page. It allows me to go on the page even when there are no sessions going.

I'll contact them for a refund.

Sign in to reply to this post

Jason ByrnesWebAssist

If you would like to look into the issue further, please provide more details about the rule that was created

a copy of the login page and the protected page would help along with the webassist/securityassist/helpergrouprules.php file.

Sign in to reply to this post
loading

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...