User with custom permissions
10 posts by 2 authors in: Forums > CMS Builder: Plugins & Add-ons
Last Post: April 24, 2019 (RSS)
By andreasml - April 10, 2019
Hi,
I have created a medical registry, where doctors from certain hospitals log in and register their patients. Every doctor has a specific username / password. As I must allow each doctor to have access to the records of his own patients only, I have given each one the Author access level. However, I would like each doctor belonging to a specific hospital to be able to have access to the records of the other doctors of this hospital. I wonder if I can do this through the Website Membership, or whether I need a custom-made modification of the plugin.
Kind regards,
Andreas Lazaris
By gregThomas - April 12, 2019
Hey Andreas,
Am I correct in understanding that the doctors log into the CMS using their credentials, or are you using the Website Membership plugin to let doctors log into a custom built interface on the main website?
If the doctors are logging into the CMS, you could add this custom filtering using a plugin. You'd need to use the plugin hook list_where to add a custom MySQL where statement that will only return their own records or doctors from the same hospital.
Cheers,
Greg
PHP Programmer - interactivetools.com
By andreasml - April 13, 2019
Hi Greg,
This is correct, they log in to the CMS. Could you please explain this plugin hook in more detail?
Regards
Andreas
By gregThomas - April 15, 2019
Hey Andreas,
Here is an example of how to use the plugin hook. This plugin would filter out all accounts that have the email address test@example.com.
<?php
/*
Plugin Name: Where Filtering example
Description: Where example filtering
Version: 1.00
CMS Version Required: 3.00
*/

// list_where passes the access WHERE clause and the table name; the callback
// returns the (possibly extended) clause.
addFilter('list_where', 'filterWhereExample', null, 2);

function filterWhereExample($accessWhere, $tableName) {
    /* only check the accounts section: leave every other table untouched */
    if ($tableName != 'accounts') { return $accessWhere; }

    // append an extra condition to the clause CMS Builder already built
    $accessWhere .= " AND `email` != 'test@example.com' ";
    return $accessWhere;
}
This is example code, so you'll need to modify it to create the hospital filter required for your code base.
If you send an email to consulting@interactivetools.com we can give you an estimate for building the plugin for you, if that's something you'd be interested in.
Cheers,
Greg
PHP Programmer - interactivetools.com
By andreasml - April 19, 2019
Hi Greg
Thank you for your reply. I am not quite sure how to use the plugin hook. Here is what I have done:
I have created a PHP file named whereFiltering.php containing the content you sent me and uploaded it to the Plugins directory. Then I activated it in the CMS under Setup > Plugins. But when I try to run anything from the menu the following message appears:
MySQL Error: Unknown column 'email' in 'where clause'
I am pretty sure that the procedure I followed is not correct. Could you please give me some more advice on how I should use this plugin hook?
Furthermore, I would like to clarify, as I described in the previous messages, that I need to give certain doctors of one hospital (let's say, for example, the Head of the department) permission to access (viewing and editing) the records that have been inserted by the other doctors of the same hospital. Currently, I have given Author permission to every doctor (including the Head of the department), and as a result each doctor can only access the records he has created. Of course the same happens with the Head of the department, which is something I would not like, as I explained before.
Thank you again for your support. Kind regards,
Andreas Lazaris
By gregThomas - April 22, 2019
Hey Andreas,
You've followed the correct procedure, but you'll need to update the MySQL statement in the example code so that it only displays records from doctors from the same hospital as the one currently logged in. You'll also need to update the if statement that checks what the current table is so that the where statement only runs on the sections required.
If you'd prefer, we could set up this plugin for you. If you send an email to consulting@interactivetools.com, we can estimate the cost for us to build it.
Cheers,
Greg
PHP Programmer - interactivetools.com
By andreasml - April 23, 2019
Hi Greg
I have made the following changes in your script:
<?php
/*
Plugin Name: Where Filtering example
Description: Where example filtering
Version: 1.00
CMS Version Required: 3.00
*/

addFilter('list_where', 'filterWhereExample', null, 2);

function filterWhereExample($accessWhere, $tableName) {
    /* only check the registry_accounts section: leave every other table untouched */
    if ($tableName != 'registry_accounts') { return $accessWhere; }

    // this clause excludes the named hospital (see the description below)
    $accessWhere .= " AND `hospital` != 'ΠΓΝ Αττικόν' ";
    return $accessWhere;
}
- Changed the section name "accounts" to "registry_accounts" which is the actual name of the section in the CMS.
- Changed the field-name "email" to the field-name "hospital" which represents the name of the hospital.
- Entered a specific value for this field name; instead of "test@example.com", I have put "ΠΓΝ Αττικόν", which is the name of one hospital.
What happens now is that all the records entered from the "ΠΓΝ Αττικόν" hospital are filtered out, which means that they are not included in the section's list. Actually, I would like the opposite, i.e. all the records from the "ΠΓΝ Αττικόν" hospital to be included in the section's list.
Another, equally important issue is that instead of inserting the specific name of the hospital (i.e. "ΠΓΝ Αττικόν"), I would like the name of the current user's hospital to be inserted by default. I have tried to put something like
$accessWhere .= " AND `hospital` != '<?php echo $CURRENT_USER['hospital']; ?>' ";
but, it does not work.
Any suggestions would be much appreciated. Kind regards,
Andreas
By gregThomas - April 23, 2019
Hey Andreas,
I think you're close to having this working. The reason the plugin is returning everything but the hospital ΠΓΝ Αττικόν is that the access where contains a '!'. You need to update the statement to this:
$accessWhere .= " AND `hospital` = 'ΠΓΝ Αττικόν' ";
In a MySQL WHERE statement, != means "does not equal"; removing the ! will return all the matching results instead.
I think the reason your second statement doesn't work is that you're echoing (displaying) it instead of adding it to the string. Try doing this instead:
$accessWhere .= " AND `hospital` = '".mysql_escape($CURRENT_USER['hospital'])."'";
The period tells the code that it needs to append the variable to the current string. I've also added the mysql_escape function, which will ensure that the hospital name is safe to pass into MySQL.
PHP Programmer - interactivetools.com
By andreasml - April 23, 2019
Hi Greg
Thank you for your reply.
It worked partially.
The first part 100%. The "!" was the reason. However, the filter applies to all users, including editors, which is unwanted. Actually, I would like only some of the users to be able to use this feature (for example, some users with an Author access level plus this extra capability). Definitely, the editors and the administrator(s) should have access to all records.
As regards the second part, it seems to me that it does not work. I changed "mysql_escape()" to "mysql_escape_string()" or "mysql_real_escape_string()", but neither worked. Both give me a "Call to undefined function" message. I found out that these functions are not supported by PHP 7.0, which is required for CMSB 3.5. I understood that something might be done with mysqli instead of mysql, but unfortunately it is really deep sea for me.
Could you give me an extra hand, or should I email for a custom-made plugin?
Thanks again
Andreas
By gregThomas - April 24, 2019
Hey Andreas,
The mysql_escape function didn't work because the current user variable doesn't exist for a CMS user. You need to load the user like this:
$cmsUser = getCurrentUser();
// concatenate the escaped value into the string; a nested <?php echo ... ?> inside a string is not executed
$accessWhere .= " AND `hospital` = '" . mysql_escape($cmsUser['hospital']) . "' ";
If you could email consulting@interactivetools.com, we can look into creating a custom plugin for you. I've got some good ideas on how we can add the custom filtering depending on the account type that shouldn't take too long to integrate.
Thanks,
Greg
PHP Programmer - interactivetools.com
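Putting the pieces of this thread together (the table check, the current user's hospital, and Andreas's request that editors and administrators keep full visibility), here is an added example plugin; it is not code from the thread or from interactivetools.com. It assumes a `hospital` field on both the `registry_accounts` section and the accounts section, an assumed custom checkbox field `hospitalWide` on the accounts section that marks users such as a head of department, the `isAdmin` field on CMS Builder accounts, and the `getCurrentUser()` and `mysql_escape()` helpers Greg names above.

```php
<?php
/*
Plugin Name: Hospital Where Filter (example)
Description: Limit the registry list to the logged-in user's hospital
Version: 1.00
CMS Version Required: 3.00
*/

addFilter('list_where', 'hospitalWhereFilter', null, 2);

function hospitalWhereFilter($accessWhere, $tableName) {
    // Only touch sections that actually carry a `hospital` column; appending
    // the clause to other tables produces the "Unknown column" error seen
    // earlier in the thread.
    $filteredTables = array('registry_accounts');
    if (!in_array($tableName, $filteredTables)) { return $accessWhere; }

    $cmsUser = getCurrentUser();   // CMS Builder helper named above (assumed)

    // Administrators keep full visibility.
    if (!empty($cmsUser['isAdmin'])) { return $accessWhere; }

    // Assumed custom checkbox on the accounts section: only users flagged as
    // hospital-wide get the wider view. Everyone else keeps whatever
    // $accessWhere already enforces (e.g. the Author "own records" rule).
    if (empty($cmsUser['hospitalWide'])) { return $accessWhere; }

    // Fail closed: a user with no hospital set must not match records whose
    // hospital field is also empty.
    $hospital = trim($cmsUser['hospital'] ?? '');
    if ($hospital === '') { return $accessWhere . " AND 0 "; }

    // Build the clause by concatenation (never a nested <?php echo) and
    // escape the value before it enters the SQL string.
    return $accessWhere . " AND `hospital` = '" . mysql_escape($hospital) . "' ";
}
```

Because the hook can only AND extra conditions onto the clause CMS Builder already built, a head of department must be given an access level on that section that does not itself restrict them to their own records (for example Editor); the appended hospital condition then narrows that wider access to their own hospital.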