
ExtJS & PHP ACL combination.



Johny Joe
24 Feb 2010, 1:43 AM
Hello,

I have Phonebook dataGrid (a basic ExtGrid) to display content, complete with its CRUDS buttons: New, List, Edit, Delete, and Find. The fields are: No, Name, Number, Email, and Profile.

Now, my portal has 3 user groups: Admins, Users, Anonymous.

These groups can access that Phonebook dataGrid with these rules:


If Admins log in: He can see/display all fields. He can see all CRUDS buttons.
If Users log in: He can see/display fields: No, Name, and Number. He can see just the List and Find buttons.
If Anonymous log in: He can see/display fields: Name. He can see the List button.


The solutions I can figure out are: implementing all rules in the Phonebook JS file (hardcoded), or making 3 Phonebook JS files, one for each of the groups above.

These solutions have a weakness: the rules are on the client side, so they can be read easily. If I wanna add more user groups, I have to create another JS file.

Are there any dynamic & safer solutions? (the rules stay on the server)

httpdotcom
24 Feb 2010, 6:11 AM
If you are using PHP to "render" the page, use some condition statements (if/else, switch) to load code blocks based on user group. Then, since the rules are actually PHP-based, the user can't see them, and they stay on the server.

You could also put the rules in a config file or on a database, and retrieve them prior to processing the file.
Or, you could create the ruleset in a PHP SESSION based on the user's group, and then render the proper code based on the SESSION values.

djfiii
24 Feb 2010, 6:35 AM
I assume your grid is populated via JSON from the server? Just modify the logic on the server that returns the JSON response. If it's an admin that logged in, send back JSON for all fields and all CRUD buttons. If a user is logged in, send back JSON for specific fields and List/Find button. If it's anonymous, send back JSON for Name field and List button.
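One way to do what httpdotcom and djfiii describe, as an added example that is not code from this thread: the rule set lives only in PHP, the client fetches just the column and button list it is allowed, and the same rules also filter the data rows and gate each action on the server. Role names, fields and buttons are the ones from the question; the `op` parameter, the `$_SESSION['role']` key and the sample row are assumptions.

```php
<?php
// Rule set kept on the server (could equally come from a config file or DB).
// Roles, fields and buttons are the ones from the thread; the rest is assumed.
const ACL = [
    'Admins'    => ['fields'  => ['No', 'Name', 'Number', 'Email', 'Profile'],
                    'buttons' => ['New', 'List', 'Edit', 'Delete', 'Find']],
    'Users'     => ['fields'  => ['No', 'Name', 'Number'], 'buttons' => ['List', 'Find']],
    'Anonymous' => ['fields'  => ['Name'], 'buttons' => ['List']],
];
// Resolve the role from the server-side session, never from a request parameter.
function currentRole(): string { return $_SESSION['role'] ?? 'Anonymous'; }
function ruleFor(string $role): array { return ACL[$role] ?? ACL['Anonymous']; }

// Grid metadata the client fetches once to build its column model and toolbar.
function gridConfig(string $role): array {
    $rule = ruleFor($role);
    return ['columns' => $rule['fields'], 'buttons' => $rule['buttons']];
}
// Rows must be filtered with the same rule, otherwise someone who cannot see the
// Email column could still read it in the raw JSON that populates the store.
function filterRows(array $rows, string $role): array {
    $allowed = array_flip(ruleFor($role)['fields']);
    return array_map(fn(array $r) => array_intersect_key($r, $allowed), $rows);
}
// Every CRUD action is re-checked here; a hidden button is not an access control.
function assertAction(string $role, string $action): void {
    if (!in_array($action, ruleFor($role)['buttons'], true)) {
        http_response_code(403);
        exit(json_encode(['success' => false, 'msg' => 'forbidden']));
    }
}
session_start();
$role = currentRole();
header('Content-Type: application/json');
switch ($_GET['op'] ?? 'config') {
    case 'config':
        echo json_encode(gridConfig($role));
        break;
    case 'data':   // constructed sample rows standing in for the phonebook query
        $rows = [['No' => 1, 'Name' => 'Alice', 'Number' => '555-0100',
                  'Email' => 'alice@example.com', 'Profile' => 'staff']];
        echo json_encode(['success' => true, 'rows' => filterRows($rows, $role)]);
        break;
    case 'delete':
        assertAction($role, 'Delete');
        echo json_encode(['success' => true]); // perform the delete only after the check
        break;
}
```

The ExtJS side would request `op=config` to build its ColumnModel and toolbar, then point the store at `op=data`; because the rows and the actions are checked against the same server-side table, nothing the client can edit changes what it is allowed to see or do.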

Johny Joe
24 Feb 2010, 7:22 AM
If you are using PHP to "render" the page, use some condition statements (if/else, switch) to load code blocks based on user group. Then, since the rules are actually PHP-based, the user can't see them, and they stay on the server.

You could also put the rules in a config file or on a database, and retrieve them prior to processing the file.
Or, you could create the ruleset in a PHP SESSION based on the user's group, and then render the proper code based on the SESSION values.

So the JS files are generated by PHP?


I assume your grid is populated via JSON from the server? Just modify the logic on the server that returns the JSON response. If it's an admin that logged in, send back JSON for all fields and all CRUD buttons. If a user is logged in, send back JSON for specific fields and List/Find button. If it's anonymous, send back JSON for Name field and List button.

You mean the Grid Interface is generated by JSON?
I use JSON only to populate data. The problem is how to control the Grid Interface to match the logged-in user.

Okay, I did a little searching and found this: http://erhanabay.com/2009/01/29/dynamic-grid-panel-for-ext-js/
Any additions? Thanks for your help, guys! ^_^

httpdotcom
25 Feb 2010, 8:29 AM
The files could be generated by PHP, or as you are building the page to be displayed to the user, you could add various code blocks (like record, column model, store and grid) based on privileges of the user.

zpet731
27 Mar 2010, 5:19 PM
I'm in the same boat as you, I guess, and my thoughts were slightly different. First of all, the UI will not be changing dynamically, so feeding information with JSON at runtime might be slower and unnecessary.

UIs will differ in buttons and/or layout, which can easily be done by extending classes. Thus you may have a simple grid which can only display data, and probably has a search field as well. Another user might have CRUD operations, so buttons will be added to the base class, etc.

Once these are defined in our development environment, we would package and minify them and distribute them to the client in one single JS file. In this way the base user won't receive any of the extended classes. The downside is you will need to create PHP scripts to build and package these for each user type.

Any other input on this topic would be very much appreciated. Maybe there are some implemented ideas floating around that might help us in this regard?