User Creation Permission

[Brandin]

We really made this more complicated than it had to be. Or maybe I just explained it horribly.

I used

Code:

admin_user.php

as a reference.

Basically, on the

Code:

admin_user.php

page, it grabs the permissions of a given user. However, we can tell it to get permissions of the current user by changing the value of

Code:

$userId

to the current users value. In return, it posts the current users permissions, and we use the remove permissions function in a select option format instead, thus allowing the current user only to make accounts with the same permissions it has at maximum.

I'm actually kinda proud of myself

[mudmin]

So let me just make sure we're on the same page...

When you assign someone level 50, you're also assigning them 40,30,20, and 10, right? Now that I'm thinking about this in terms of pages (instead of numbers, that makes sense). I use permissions slightly differently in my own custom apps. For instance Hotel Manager is not assigned the permission of Hotel Worker, even though the manager has more power than the worker. Sometimes I use the different permissions a person has to bring up different views of a particular page. Your way makes a lot of sense though. Great work.

[Brandin]

Mudmin,

What you are saying from what I understand corresponds with what I am doing, yes. The way I am setting up my permissions is the following:
-Everyone is a CSR, they have access to all the general pages - most uses will be created on this level
-Log Access, allows access to the personal

Code:

log.php

file which displays their system logs.
-User Management, allows access to

Code:

admin_user.php

Code:

admin_users.php

and

Code:

adduser.php

-Manager, allows access to all of my Database Tools, but for the entire system. So I have a log system, db management system, and integrity check system, on personal basis (so the personal pages pull results by

Code:

$userId

) whereas the Manager pages

Code:

SELECT *

with no

Code:

WHERE

clause.
-System Administrator, has access to the rest.

So in a sense, yes, I use this on page basis, so that everyone has basic access, and then if you need specific role access, you have added permissions.

I hope this makes sense. This is why someone who has access to certain spaces should be able to create someone at their level, because that truly could not hurt anything (theoretically). Because if they were to want to break something, at their level, they could do it from their account lol.

[mudmin]

Right. That makes absolute sense. My original answer actually just answered your question in a more literal sense. (anyone with a lower number). Your solution is the better way to go. Your way also accounts for if you start forking things to where one type of manager may not have access to certain pages below them. So I'm writing an app that has

Kitchen Employee
Kitchen Manager
Hotel Employee
Hotel Manager
Maintenance Employee
Maintenance Manager

The way you're doing it would work without caring if the maintenance employee permission level id happens to be higher than the kitchen manager's permission id.

I think you're on the right track.

[Brandin]

You got 'er! I didn't think I was doing that good but I guess I am So what I would do in your case is give your Employees general access, also assign this to your Managers in the same category and then provide the Manager permission level with the specific access they require. That way if you have a Kitchen/Hotel Manager swing, you can assign them both permission levels and it would permit them access to the specific pages they require

[mudmin]

I have mine more setup by the person. Some maintenance people have hotel worker access if they need to know if someone is staying in a room for maintenance. Some managers have at least employee access to other parts. That's kind of a nice thing with UserSpice that you can be as granular as you want.

[Brandin]

Now...can you think of a way to replicate this on the

Code:

admin_user.php

page in the Remove and Add permissions group? Basically, I need it to only show the current permissions that can be removed and current permissions that can be added that the user has access to.

E.g. I have John Smith who has access to:
CSR
Logs
User Management

When he views Jane Doe, who has full access (including SA), he only sees CSR, Logs and User Management in the remove permissions and nothing in add permissions, because he cannot remove permissions he does not have access to (MGR and SA).

Jane Doe on the other hand, who is SA and has full permissions, can view all permissions the current user has under remove permissions, and all permission the user can have added under add permissions.

Scott MacDonald is a CSR and User Manager, so when he looks at John Smith, he can see CSR and User Management under remove permissions, but nothing under add permissions.

I think I can do this by duplicating the permission function that is built in to

Code:

admin_user.php

and making a set specifically for the current user, but how can I enforce it to only echo the values that the editing user has that the current user has access to.

Thanks!

[mudmin]

Yep. I think you're on the right page for everything else.

The stuff you were doing was the absolute hardest part of the code for me to wrap my brain around...I had only been coding php for 3 months when I wrote all those functions.

I almost think it's going to be clearer to see what's going on if you just write queries at the to of the page before you make a function to do this (and if you make a function, put it in usersc/custom_functions.

What I would do, essentially, is write a query (or use the function) to generate all the checkboxes that the ADMIN has access to and then write a second query to find out which one the user has to actually make the checkmark in the boxes. I know that's not a ton of help, but that's where I would go with it.

[Brandin]

So I've established the following plan:

When the

Code:

admin_user.php

page is foreach(ing) for the

Code:

$permissionData

and performs the

Code:

in_array

function, I need it to also check if it is in the array for the current user. So if I add:

<pre>

Code:

foreach($currentuserPermission as $currentperm){
            $currentperm_ids[] = $currentperm->permission_id;
        }

</pre>


when it performs

Code:

in_array

I need it to also check if it is in the array of

Code:

$currentperm_ids

.

Any thoughts?

[Brandin]

I DID IT! IT WORKED! I added an extra

Code:

in_array

function on a secondary line. See at HasteBin:
http://hastebin.com/iloparayax.sm