jdorn / php-reports

A PHP framework for displaying reports from any data source, including SQL and MongoDB
http://jdorn.github.com/php-reports
GNU Lesser General Public License v3.0

Access Control #39

Open jdorn opened 11 years ago

jdorn commented 11 years ago

Ability to restrict access to a specific report or directory.

This may be as simple as a PASSWORD report header or a PASSWORD.txt file in a directory.

It could also incorporate a more complicated user account system with fine grained permissions. It should integrate with existing enterprise systems (LDAP, OAuth, etc.) if possible.

At the very least, there should be the ability to hard code Admin account logins in the config. An admin account would be required to do things like:

pierzy commented 10 years ago

Dear jdorn, have you implemented anything to support the ability to restrict access to a specific report or directory? For me some quick hack would be enough. Currently I put the reports in separate directories which are identical apart from the actual sql files and have different people use different directories but this is not very practical... Thanks for your advice on this issue, Pier

jdorn commented 10 years ago

I have not implemented access control yet. I want to really plan it out and do it right.

How familiar are you with PHP? Adding a simple hack shouldn't be that hard.

First, create a simple login page that sets a session variable:

```php
<?php
session_start(); // needed before $_SESSION can be written

// Add password checks here if you want
if(isset($_POST['username'])) {
  $_SESSION['username'] = $_POST['username'];
  header("Location: index.php");
  exit;
}

// Spit out login form html here
```

Then, near the top of index.php, add a check to make sure the user is logged in and if not, redirect them to the login page:

```php
<?php
session_start(); // needed before $_SESSION can be read
//...
if(!isset($_SESSION['username'])) {
  header("Location: login.php");
  exit;
}
```

Finally, change which reports show up for each user. There are a couple ways to do this.

To stick with the separate directory approach, you can modify the PhpReports::listReports method https://github.com/jdorn/php-reports/blob/master/lib/PhpReports/PhpReports.php#L227 and change the directory it pulls from based on the username.

To give more fine grained control, modify the PhpReports::getReports method https://github.com/jdorn/php-reports/blob/master/lib/PhpReports/PhpReports.php#L415 and skip reports that aren't valid for that user. For example, you can put all the valid usernames as part of the report description and check for that.

```php
// preg_quote keeps a username containing regex metacharacters from altering the pattern
if(!preg_match('/\b'.preg_quote($_SESSION['username'], '/').'\b/',$data['report']->options['description'])) return;
```

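The quick hack above works, but two things bite in practice: the username ends up inside a regular expression, and a `\b` word-boundary match treats "bob" as a member of "bob.smith". The following is an added example, not php-reports project code, showing a slightly hardened variant of the same idea: hard-coded accounts verified with `password_hash`/`password_verify`, session regeneration on login, and a deny-by-default `users:` line in the report description instead of a regex. The names `$ACCOUNTS`, `php_reports_login`, `require_login` and `report_allowed` are assumptions for this example, and the sample reports at the bottom are constructed.

```php
<?php
// Added example, not php-reports project code. Hardened variant of the
// session hack described in this thread. $ACCOUNTS, php_reports_login,
// require_login and report_allowed are names assumed for this example.

session_start();

// Hard-coded accounts, as the issue proposes for admin logins. Only
// password_hash() output belongs in config; the hashes are computed here
// at runtime purely so this sample runs stand-alone.
$ACCOUNTS = array(
    'alice' => password_hash('alice-sample-secret', PASSWORD_DEFAULT),
    'bob'   => password_hash('bob-sample-secret',   PASSWORD_DEFAULT),
);

// Returns true and starts an authenticated session on success.
function php_reports_login(array $accounts, $username, $password) {
    // Restrict the username charset so it can never carry regex, newline or
    // header metacharacters into later checks or redirects.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $username)) {
        return false;
    }
    // Always run one bcrypt operation, even for unknown users, so response
    // timing does not reveal which usernames exist.
    $known = isset($accounts[$username]);
    $hash  = $known ? $accounts[$username]
                    : password_hash('unknown-user', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$known) {
        return false;
    }
    session_regenerate_id(true);          // defeat session fixation
    $_SESSION['username'] = $username;
    return true;
}

// Call near the top of index.php; returns the logged-in username.
function require_login($login_url = 'login.php') {
    if (empty($_SESSION['username'])) {
        header('Location: ' . $login_url);
        exit;
    }
    return $_SESSION['username'];
}

// Deny-by-default check on a report's description. The report is visible
// only if the description contains a line such as "users: alice, bob"
// (or "users: *" for everyone). Parsing a labelled list avoids both the
// substring problem of \b matching and regex injection via the username.
function report_allowed($username, $description) {
    if (!preg_match('/^\s*users:\s*(.+)$/mi', (string)$description, $m)) {
        return false;
    }
    $allowed = array_map('trim', explode(',', $m[1]));
    return in_array($username, $allowed, true) || in_array('*', $allowed, true);
}

// Inside the report loop of PhpReports::getReports you would then write
// (the description field name depends on the php-reports version in use):
//   if (!report_allowed($_SESSION['username'], $data['Description'])) continue;

if (PHP_SAPI === 'cli') {
    // Constructed sample reports to exercise the checks from the command line.
    $reports = array(
        array('Name' => 'sales',   'Description' => "Monthly sales\nusers: alice, bob"),
        array('Name' => 'payroll', 'Description' => "users: alice"),
        array('Name' => 'public',  'Description' => "users: *"),
        array('Name' => 'legacy',  'Description' => "No access line at all"),
    );
    $ok = php_reports_login($ACCOUNTS, 'bob', 'bob-sample-secret');
    echo 'login bob: ', ($ok ? 'ok' : 'failed'), "\n";
    foreach ($reports as $r) {
        printf("%-8s %s\n", $r['Name'],
               report_allowed('bob', $r['Description']) ? 'visible' : 'hidden');
    }
}
```

Run it with `php` on the command line to see which of the constructed reports bob can see; in the real application only the functions are needed, with the login page calling `php_reports_login`, `index.php` calling `require_login`, and `getReports` calling `report_allowed` per report.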
pierzy commented 10 years ago

Thanks for the superquick reply! Although I am by no means a PHP expert, I implemented your suggestion nr. 2 and everything works as expected. I only had to modify it slightly, namely at line 415:

```php
// preg_quote keeps a username containing regex metacharacters from altering the pattern
if(!preg_match('/\b'.preg_quote($_SESSION['username'], '/').'\b/',$data['Description'])){ continue; }else{ $return[] = $data;}
```

I am using php-reports as an embedded reporting engine for ProcessMaker and it works extremely well for my purposes. Thanks for the fantastic work!