It is possible to create as many different user types as you need and set up permissions for them. In addition it is possible to set permissions for single users, and also set up permissions based on a combination of the user type and permissions specific to individual users. For example, if you have a number of people who are assigned to edit different sections and you don't want them to be able to edit other sections you can set up a user type of "section admininstrator" and assign permissions to each user who is assigned this user type differently - there do not have to be any common permissions at all.
By default, only superadministrators have access to set up other users and alter permissions, however these permissions can themselves be granted to other user types by that superadministrator.
If you have permissions to edit the user types, the User Types menu option will appear under the User tab of the main admin menu.
This section is is essentially a list of the different user types and contains no other information, you can add to this list as you wish. Please note however that the basic types of "superadministrator" and "administrator" should NOT be edited here - you can set different permissions for them but the actual text should remain unchanged. Therefore all you should do here is add, edit and delete further types without touching the ones already set up. This is the easy bit, setting up permissions for these user types takes more work and that is covered in the next section.
Permissions
Editing permissions for existing users or user types, or adding/deleting permissions is all done from the permissions section. If you have the credentials to edit this section, you will find it works in exactly the same way as other sections, with a number of entries in the table, and add, edit and delete buttons.
It is also prudent to mention at this point - be careful when editing this section - back up your data first!
Permissions are applied to sections (database tables) by selecting that table and then setting up permissions on a per-table basis. Each record that you will add or edit contains the section (table) followed by four fields: Permission Type, Setting, Operator, Value.
The types of permissions you will be entering are things like:
- Setting up a table/section to be viewable by anyone (for display in the front end web site)
- Setting up a table/section to be editable by the administrator user type, or a particular user id.
- Setting up specific rules whereby only certain records in a table can be edited by certain users - sometimes based on the user that is currently logged in and not on a particular user id. For example, front end users need to be able to see and edit their own user data, but nobody elses.
Permissions work heirarchically through user types, and are based on white listing, starting with the following rules:
- Superadministrators and anyone higher up in the hierarchy are given full permissions to all tables automatically - thus the permission is passed without any further checking. This is why these user types should remain restricted to only the person in charge. This default permission allows the superadminstrator to set up permissions for administrators and other user types.
- Any other action by any other user type will *fail* unless a permission has been set up for it. The permissions table is like a white list of rules, and as soon as one passes the permission is granted. In this way you can set up multiple rules for a table for different user types. Until that match is made, no permission is granted. It is worth noting that any table of data without a general view permission will not even appear in the front end web site.
- As soon as one rule passes, the further lookup of permissions is cancelled. The user has met the criterea, the permission is given. There is no black list.
- Permissions should always be dealt with by superadministrators. Even administrators need to be given edit permissions as the administrator user type does not have any special criterea otherwise. This method of only whitelisting helps to keep data secure.
The fields in the permissions table
- Table - This relates to the specific section you are setting a permission for, and is called table as it is based on a data base table. This field contains a drop down list of all accessible tables (sections).
- Permission Type - Select from the list. You can select 'all' to give complete permissions for the data table/section, or select from add, edit, delete etc.
- Setting - either 'sysUserType' to specify a user type, 'id' to specify a user id, or the name of a field in that section/table that must equal something that you will specify in the value field shortly..
- Operator - '=' is the main value here, > or < are also supported however.
-
- Value - to apply this permission to a user type, now enter the user type (in text, the name of the user type - eg. administrator). To apply the permission to a user id enter the users id number in here.
Examples
The following example shows how to set up a basic view permission on a section/table to allow it to be viewed by anyone through the front end (main web site):
- Table - Select the table from the drop down list.
- Permission Type - select 'View'.
- Setting - leave this section blank.
- Operator - leave this section blank.
- Value - enter the number 1. This boolean value simply gives the permissions you have specified away to anybody. You should *only* use this for view permissions and never give edit permissions away to anyone in this manner.
The following example shows how to set up a permission on a section/table via user type:
- Table - This relates to the specific section you are setting a permission for, and is called table as it is based on a data base table.
- Permission Type - Select from the list. You can select 'all' to give complete permissions for the data table/section, or select from add, edit, delete etc.
- Setting - to apply this permission to a user type, enter the following text: 'sysUserType' (this will auto-complete as you start to type)
- Operator - to specity an exact match on the user type, which is what you will normally want to do, enter '='
- Value - now enter the user type (in text, the name of the user type - eg. administrator) - this will auto-complete from the user types table as you start to type.
The following example shows how to set up a permission on a section/table via user id (this is the id of the user in the users table):
- Table - This relates to the specific section you are setting a permission for, and is called table as it is based on a data base table.
- Permission Type - Select from the list. You can select 'all' to give complete permissions for the data table/section, or select from add, edit, delete etc.
- Setting - enter the following text: 'id' - this relates it to the id field of the user table
- Operator - to apply this permission to a user id, enter '='. You can also use > or < in here if it is to apply to a range of user ids, however note you cannot specify BOTH - only a single range with either > or <
- Value - simply enter the id of the user (from the user table).
You can now probably see how other field matches work - you can specify a field name in the 'setting' field, and '=' in the operator field and whatever it should be equal to in the value field. There is one further special function you can enter into the value field to denote the user who is currently logged in, and that is 'current_user()'. This way you can set a table up to be editable only in as far as records in that table are 'owned' by a particular user. One example of this is the user table itself, where if you are not an administrator, editing is only possible on the record of the user that is currently logged in. You can find this entry in the permissions table already, or here it is as example:
- Table - user
- Permission Type - edit
- Setting - id (this is the id field of the user table of course)
- Operator - =
- Value - current_user()
Note that together with an add permission of 1 with no setting or operator, it thus becomes possible for users to add themselves (ie register, sign up) and edit their own details but nobody elses, nor even see anybody elses data as you should not specify a view permission of 1 on the user table, but specify it in exactly the same way.
Hierarchy Of Permissions
Of course an administrator can see other users, and that is because a permission is set up for all actions on the user table by the sysUserType of administrator. It only takes one permission to evaluate correctly to give the permission - it works on whitelisting and one pass means that user is through. As a regular user will not have the administrator permission this match will never be made.