CRITICAL SECURITY VERSION UPDATE:
https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.13

multi-tenant access using the same db

jmobilejmobile
edited July 2011 in Modules
I am reviewing what's the best approach to building an application that would use the same database for multiple clients. It's not necessarily different websites, but just have different users from different companies use the same backend with their own data. Has anyone done this before?

Comments

  • adminadmin
    edited 3:09PM
    What are you wanting the different users to manage (pages, navigation, custom modules, etc)?
  • strakerstraker
    edited 3:09PM
    I would also like to implement this. Basically for custom modules, something like a shopping cart model. Where you have one shopping_cart table, but multiple users can add to and view only their shopping cart, so the shopping_cart table would have a user_id column to limit access. How can I scope this based upon the user's login id?
  • adminadmin
    edited 3:09PM
    You would need to use the user's session to put limitations on your model's queries. For example, the list_items on your model may need something like this:

    function list_items($limit = NULL, $offset = NULL, $col = 'date_added', $order = 'desc') { $CI =& get_instance(); $this->db->where(array('my_table.user_id' => $CI->fuel_auth->user_data('id')) $data = parent::list_items($limit, $offset, $col, $order); return $data; }
  • jmobilejmobile
    edited 3:09PM
    Thanks!
  • strakerstraker
    edited 3:09PM
    That looks like it! Will give it a go. Thanks for the quick reply!
  • sid4itsid4it
    edited 3:09PM
    Well - this solves only partially.
    How about edit, delete?
    I login as normal user and actually do an edit on another user by guessing the id another user. It goes to edit page another user.

    Ex: fuel/mysimplemodel/edit/25
    35 is my userid ( I created 25 and hence can edit the record)

    now another userid 45 when he login to system if he accesses to
    fuel/mysimplemodel/edit/25 - he goes to edit page.
    how do we block edit and other options from illegal modifications to data.
    Only admin should have liberty to modify this.

    (Totally unsecure right)?
  • sid4itsid4it
    edited 3:09PM
    i over wrote form_fields - where i modify the edit form. Add the code as below

    $CI =& get_instance();
    $user = $CI->fuel_auth->user_data();
    if(($user['super_admin']== 'no')) {
    $this->session->set_flashdata('error', 'You do not have access to edit/view this account!');
    redirect(fuel_url('XXXXXXXX'));
    }
    if( (isset($values['userid']) && $values['userid'] != $user['id'])) {
    $this->session->set_flashdata('error', 'You do not have access to edit/view this account!');
    redirect(fuel_url('XXXXX'));
    }


    Can some one comment - if the code snippet is right and right place to be in?
  • adminadmin
    edited 3:09PM
    You are right about the edit and delete. You can overwrite those methods in the model like you suggested (for the form_fields), as well as the delete method on the model. You could also create a controller that extends the module controller and overwrites the methods you need. The pages, navigation, and blocks controllers in FUEL do this as well.
Sign In or Register to comment.