User Management

Users

This are the functions for registration and login:

  • Registration
  • Activation
  • Login, Logout, Send password
  • Account data
  • Admin user list
  • Login control
  • Auto login by cookie
  • Auto logout
  • Ini Parameter
  • Data access rights
  • Backend
  • Customizing

Registration

Registration

Resources:

  • page=register (js/example.js)
  • datadefID=k8loginregister

Functions:

  • username: unique
  • email: unique,
    but testmail not unique for testing
  • password (minlength=6)

To do changes, copy the folder "k8loginregister" from "masterdata" to your project folder.

More fields like address have to be added in datadefinition, extend properties: columns and k8form

Activation

Activation

The activation (page=activate) is placed in the index.php file.

Login, Logout, Send password

Login

page=login (index.php)

Functions:

  • Login
  • Logout
  • Send password

Account data

Mydata

Resources:

  • page=mydata (example.js)
  • datadefID=k8login

Adopte the appearance of the page with the following parameter in the datadefinition, masterdata/k8login.json:

To disable it all, set it to false:

  • upload
    • enabled : false
  • showdelete : false
  • showsetdelete : false
  • addfriends : false

Admin user list

User-list

Resources:

  • page=user_list (example.js)
  • datadefID=k8login

As admin you have the following functions:

  • edit user
  • delete user

Login control by page

Query Parameter, for example: page=item_list

For the page "item_list" a logged in user is necessary. _init_page.php, $pages['item_list']:

  • login=true

In _init_page.php the login status is checked. If the user is not logged in, the login page is displayed first. By succesful login the required page "user_list" is displayed.

The login control checks:

  • page needs login? Yes
  • user is logged in? No

-> Login page is displayed first!

Auto login by cookie

If the user hooks "remeber me" by login a cookie is set. The following files check the cookie, when the userID is 0 and execute an login:

  • index.php
  • masterdata/ProcessData.php
  • masterdata/ProcessMethods.php

Thanks to the auto login by cookie you are logged in even you are clicking the save buttons after hours of absence.

Auto logout

If no cookie is set the auto logout is active. Each Ajax call resets the timer. The timer "var pagetimer" is set in js/example.js to 20min.

By absence or inactivity your are logged out automtically (default: 20min).

Configuration in init.php

Parameter for user management
Parameter Description
domain_useractive 0 : direct after registration
1 : with activation mail
domain_activekey 1234 : with this factor the activation key is encoded, please put your own number in.
domain_readpassword 0 : off, the password is never read
1 : password read by user and admin
2 : password read only by user
3 : password read only by admin
domain_loginenabled 0 : login is disabled
1 : login is enabled
domain_registerenabled 0 : registration is disabled
1 : registration is enabled
3 : registration still in menu, but not yet available
domain_roles 1 : admin, all rigths for client
2 : superuser, all rights in database
3 : member, logged in user
5 : friends, added in my data
30: right groups, look social groups below
domain_rightmode 0 : Standard
1 : with clients
2 : with right groups
domain_testemail empty or example: user@yourdomain.com
Normally an email has to be unique in your application. For your own testing this email is an exeption.
domain_email If you use only your native language write please your own text here. If you use multiple languages, change it please in the masterdata/js/lang_sys_<language>.js file.
['activate']['subject'] activate your account
['activate']['content'] Dear member,
please activate your account: <a href=\"{{activation_link}}\"<activation link>/a><br>Greetings<br>{{domain_name}}
['sendPwd']['subject'] Your password
['sendPwd']['content'] Dear member,
your new password: {{password}}
Greetings
{{domain_name}}

Please edit the file masterdata/init.php.

Data access rights with RBAC

RBAC (Role Based Access Control) assigns the user to 1 or more roles. Roles restrict or authorize the access to tables and records. This rights can only be granted by using the login with php sessions. The RBAC is implemented in the PHP data access class. The access check is activated for an object in the datadefinition by setting "rightcheck=1". In the data table the column "creatorID" is added. Comparing the creatorID with the logged in user gives the result: own record or foreign record.

By opening the website the user is assigned to the role "0:public". His userID is also 0. By login the role is replaced by the default roles of the login table: k8login.roles="3,5". The userID is set. For each object or table, for each CRUD operation (create, read, update, delete) and role an access check is implemented.

This is the data access definition in the datadefinition (masterdata.rights):

  • CRUD Operation
    • Role-ID
      • Method for access check

Thanks to the roles and data access methods, you can easyly grant the rights of your CRUD operations.

RBAC with K8 Web Kit

Roles

$GLOBALS[domain_roles]:

  • roleID:
    • name

Users and role membership

table k8login:

  • userID
  • roles (roleID-1, roleID-2)
    comma separated roleIDs

Datadefinition / table

  • CRUD Operation
    • Role-ID
      • Method for access check

Methods

  • 0: not granted
  • 1: table.clientID=SESSION[clientID]
  • 2: granted
  • ...
  • 10: table.creatorID=SESSION[userID]

Roles

The roles are defined in:

  • masterdata/_init.php

Users and role membership

The initial roles are the default value in the columns array of the datadefinition "k8login". It can be changed in the user list by super user or admin.

Datadefinition / table

In the datadefinition the rights are written in:

  • masterdata
    • rights

Methods

The methods are checked before or by executing the sql statement.

CRUD Operation by PHP data access class
OperationSQL commanddata access function
CreateINSERTadd()
ReadSELECTgetEntries()
UpdateUPDATEupdate()
DeleteDELETEdelete()

By each CRUD operation the data access is checked in the correspondent data access function.

Roles
IDRoleComment
0publicuser not logged in
1adminall rights in a client
2superuserall rights in the database
3memberlogged in user
5friendsassigned in table: k8loginfriends
30rightgroupsassigned in tables: k8rightgroups, k8rightmembers
xotherscreate by yourself

masterdata/_init.php, domain_roles:

The available roles are defined in the "_init.php".

Roles by login:

Each user can get assigned to 1 or several roles. The default roles can be set in masterdata/k8login/k8login.json, property: columns / roles / mydefault in a comma separated string like "3,5".

Admin / user list:

Superuser or admin can change the user roles in the user_list.

Methods for the access check
NumberCheck method
0no rights
1access permission in this client: table.clientID=$_SESSION[clientID]
2permission granted
3user logged in: $_SESSION[userID]<>0
10table.creatorID=$_SESSION[userID]
11check friend k8loginfriends.friendID=$_SESSION[userID]
13checks membership in right groups
14checks the rights of the active right group (rightgroupID) of the user:
create: k8rightmembers.rightgroupID=$_SESSION[rightgroupID] and k8rightmembers.userID=$_SESSION[userID] and status>1
read: $table.rightgroupID=$_SESSION[rightgroupID] and k8rightmember.userID=$_SESSION[userID] and status>0
update: $table.rightgroupID=$_SESSION[rightgroupID] and k8rightmember.userID=$userID and ((k8rightmembers.status=2 and $table.creatorId=$userID) or k8rightmembers.status=3))
delete: same update
1000check parent table access rights
...programm your own check

By each CRUD operation the access rights are checked. If the operation by Create, Update or Delete is not granted, an error is returned. Reading a table can return an empty recordset, because of the missing rights.

By Read the results of the access check for Update and Delete are returned in advance like this:

  • in the datadefinitition:
    • masterdata.rightuser_create: true
  • by reading the recordset:
    • rightuser_update: true
    • rightuser_delete: true
Using SQL Exists() as access method

To check the user right by foreign tables the table can be joined or checked by "EXISTS()":


Default Rights

This are the default rights in the data access class (masterdata.defaultrights=true (default)).

access matrix, cell number=Access check
Operation0: public1: admin2: superuser3: member
Create0122
Read2122
Update01210
Delete01210

Rights from the datadefinition overwrite it. To allow the roles: public and member to read all records in the object, add in the datadefinition:

Access rights by master table

The access right of the table depend on another master table. In this case the master table needs to be checked for the access rights. This is declared in the datadefinition:

Link to master

The masterdatadefID declares the master datadefinition. The first right check is made by this datadefinition. The masterkey defines the colun of this table, which correspond to the master key column of the master datadefinition.

Access right: read

  1. first the acces rights of the master is checked
  2. The right of the master is heritated to the child by the method: 1000

Access rights: create, update, delete

  1. first the right "Update" of the master is checked
  2. The right of the master is heritated to the child by the method: 1000

In this example the the access for role 2 is granted to all CRUD methods. The role 3 herites the access from the master.

Using clients

Clients

Allow multiple clients to use your Web App. Each table has a clientID to differentiate the data from each other. Each Client has an own admin to govern his data and user. The user registers for 1 client. For each client he needs a different email.

Preparation

masterdata/_init.php:

The domain_rightmode==1 enables:

  • register: selection of the client
  • menu Admin: display "Clients"

Social groups (right groups)

Users

Social groups are part of many social platforms like facebook and others. Properties of a social group are:

  • Title
  • Description
  • Owner
  • Members
    • Admins
    • Observers
    • Members

The example role for social groups is 30. The method to check the rights in the groups is 14. Additionally the user has to choose 1 of his groups in my Data, in which he will be active now.

The group in the example "K8 Web Kit" was not created for easy posts but for bug reporting. If this group is active, the menu entry is available.

This is an easy example for an RBAC system. To complete it, the following functions need to be added:

  • users
    • group search with admission request
    • list with group membership or pending admission request
  • group admins
    • list of admission request with dialog to admit or deny

Preparation

masterdata/_init.php:

The domain_rightmode==2 enables:

  • my data: selection of the right group
  • menu Admin: display "Right groups"

Own data access methods

CRUD Operation and data access methods
OperationFunctionReturn values
CreatebRecordAccess()true / false
ReadbRecordReadPermission() $out[]:
  • "clause": sql clause
bRecordUDPermission() $out[]:
  • "select": sql condition
for
  • rightuser_update
  • or rightuser_delete
UpdatebRecordAccess()true / false
DeletebRecordAccess()true / false

bRecordReadPermission()

This function creates a clause which which determines which records are read.

bRecordUDPermission()

This function is called 2 times and creates the columns for the data access "update" and "delete":

  • rightuser_update: 0/1
  • rightuser_delete: 0/1

In masterdata/_init.php the variable $GLOBALS['domain_includes'] allows to include own PHP files to write your own methods:

  • [RBAC_Read]:bRecordReadPermission()
  • [RBAC_RUD]: bRecordUDPermission()
  • [RBAC_CUD]: bRecordAccess()

Backend

The data access in the backend is controlled by PHP with $_COOKIE and $_SESSION.

$_COOKIE

  • login

$_SESSION

  • userID
  • username
  • password
  • roles[]
  • dat_user[]

table: k8login

k8login

active

  1. 0 : registrated
  2. 1 : active
  3. 2 : blocked
  4. 3 : deleted

datadefinition=k8login, masterdata/k8login/k8login.json

Resources:

  • $_COOKIE
  • $_SESSION
  • table: k8login
  • datadefinition: 5
  • k8login.json

Customizing

masterdata/k8login.json

In the datadefinition under masterdata the include files are defined:

If you are changing it, copy it to your project folder and adopt the path.

k8login_validate.php

Adopte the validation to your needs.

k8login_afterinsert.php

Here you can prepare records for the new members.

k8login_beforedelete.php

If you have to delete records of this member, please do it here.

Parameter for user management
Parameter Description
domain_includes[] To extend the basic functionality, please use this include files:
['login'][] array("kitsamples/_kitsamples_login.php");
In the referenced php file you can enter your lines to extend your login.
['logout'][] array("kitsamples/_kitsamples_logout.php");
In the referenced php file you can enter your lines to extend your login.

Resources:

  • masterdata/k8login.json, masterdata.includes:
    • k8login_validate.php
    • k8login_afterinsert.php
    • k8login_beforedelete.php
  • masterdata/init.php, domain_includes
    • login
    • logout