Limiting access to records by user

edited April 2011 in Modules
Hello all,
I'm working on an application that needs different user roles for the backend. Does anyone have a tutorial or an example module that they'd be willing to share so that a noob like me can get some direction?

Basically, I have two user groups, admins and sales reps. Sales Reps will have access to Purchase Orders that their company has generated. There might be multiple users from the same company, so I'd like to restrict viewing and editing POs by company. I can accomplish this by adding a "company" field to the fuel_users table and my POs table, then extending the "list_items" method to restrict by the logged in users company. I can get around what I've done, by just typing "/fuel/sales_reps/pos/edit/record_id_to_edit" in the address bar. Which method can I extend to restrict editing records?

I realize that this should properly be a separate module, but I'm a little lost as to where to start. Do I need to create a new controller for this? Or should I use the fuel module's user model as an example? Any guidance is appreciated.

Thanks in advance.

Comments

  • edited 2:20PM
    You could do the check in the model's form_fields method to make sure the proper person is modifying the model information.
  • edited 2:20PM
    OK, I see how that would work. Thanks for the help.
Sign In or Register to comment.