Lower User Roles not allowed to create higher Role

I've brought this up before, and what better time to ask than when one of my clients' tills has been wrecked by staff, completely the fault of the owner. Luckily it uploads backups to me so I can fix the problem, but we need to prevent it in the first place.

The owner of the bar has decided to just share his RFID fob with the staff rather than create their own, for reasons I have no idea. I'm set up as an Admin on their till, but I'd like to be able to not allow the owner to give himself Admin rights. I really need to restrict what they can do.

I really feel, in the interest of security, that a role that has been given access to the ‘Create User’ Navigation AMC should not be able to create a role that is higher than their own. Or at least only allow one Admin role, or even create a higher role called Super Admin with only one assigned Super Admin allowed.

Not everyone uses Entities, and for my situation I feel using the original Users and User Role system works best for me.

Matt


Definitely agree this needs to be implemented

This also leads on to a more flexible way of permitting parts of the manage section.
We can link to a specific page of management with a custom menu nav button, but it would be much cleaner to have permissions for viewing the subsections of admin as a user role feature than just mapping a button for a specific page.


Ah yeah mapping out the area where they could change the role types would work well!

But user role is the same screen as creating/editing a user, so that wouldn't work for that scenario…

Ok… I thought of a solution, not sure how @emre feels about this?

Add User Action where you can pre-determine the role.

A rule with AMC and action [?User Name] and the role already pre-selected in the action; in my case it would be ‘Employee’.

Matt

You could just use SQL to create users.

You could… if you know how :stuck_out_tongue:

Would that be a case of just dumping info into a table?

Found this

I’ll look into that tomorrow

I just need to know how to make a pop up to allow me to set the user name… and pin

Creating users via SQL is super simple. I mean there are only 3 fields you need to create: PinCode, Name, UserRole_Id. Just find the role id that matches the role you want for the user and then insert that with the new user.

I can see how it’s done using SQL with the post above. But how do I make it set the name and pin with a field?

Matt

INSERT INTO [Users] ([PinCode], [Name], [UserRole_Id]) VALUES (000000, 'A Name', 4)

Obviously if I set these to

INSERT INTO [Users] ([PinCode], [Name], [UserRole_Id]) VALUES ([?Pin], '[?UserName]', 4)

That’s not gonna work right?

No you would use a {CALL:X} tag to call your SQL function and feed the variables into the script from that… Or just use the SQL Helper tags directly.

So before I just got busy, I was playing with Update Program Setting.

Am I on the right path here?

You should be able to pass parameters directly into the script. I have done it many times, but only with the SQL within the JScript, not directly into the SQL using handlers. However, I have not tried [?prompt] inside a {CALL:X}…

However, I have a slight concern in that username and pin must be unique… @Jesse will the insert just not happen if there are duplicate values? Is the uniqueness a column parameter?

Yes, they need to be unique, so you would need to check that first.


So I would personally look to do a JScript, which will be more manageable, to do a couple of selects to check the user and pin are not already used and then do the insert if all is ok.

SQL in script is fairly simple…
Here is a sample for getting a program setting:

function getValue(settingName) {
  // The query is a plain string; the settingName value is spliced in inline
  var qry = "SELECT [Value] FROM [ProgramSettingValues] WHERE [Name]='"+settingName+"'";
  var r = sql.Query(qry).First;   // .First gives the first result of the query
  return r;
}

The query is a string, and the "+ … +" pairs wrap the variables you want to put inline.

This update-program-setting function maybe shows more of how you might do the unique user/pin verification:

function updateValue(settingName, settingValue) {
    var qry = "SELECT count([Name]) as CT FROM [ProgramSettingValues] WHERE [Name]='"+settingName+"'";   //--check if the ProgramSetting EXISTS
    var r = sql.Query(qry).First;
    if (r==0) {
        qry = "INSERT INTO [ProgramSettingValues] ([Name], [Value]) VALUES ('"+settingName+"','"+settingValue+"')";   //--if ProgramSetting does NOT exist, insert a row
        sql.ExecSql(qry);
    } else {
        qry = "UPDATE [ProgramSettingValues] SET [Value]='"+settingValue+"' WHERE [Name]='"+settingName+"'";   //--if ProgramSetting DOES exist, update the value
        sql.ExecSql(qry);
    }
}
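Putting the thread's pieces together (the uniqueness check before the INSERT from the posts above, and the "no role higher than your own" rule from the opening post), here is an added example of the create-user logic written in the same ES5/JScript style. It is not code from the thread or from SambaPOS. Assumptions: the role "Rank" column and the sample rows are constructed for the example (the real UserRoles table has no such column as far as this thread shows), and the sql.ExecSql call is replaced by appending to an in-memory array so the script runs offline. The PinCode is passed as a quoted string here, whereas the INSERT in the thread passes it unquoted; match whatever your column type expects.

```javascript
// Added example (not from the thread): create-user logic for a SambaPOS-style
// JScript handler. Role ranks and table rows below are constructed samples;
// the real script would run the built SQL through sql.ExecSql, which is
// replaced here by pushing onto an in-memory array.

// Constructed sample of the [Users] table: Id, PinCode, Name, UserRole_Id
var USERS = [
  { Id: 1, PinCode: "1234", Name: "Owner", UserRole_Id: 1 },
  { Id: 2, PinCode: "5678", Name: "Sam",   UserRole_Id: 4 }
];

// Constructed sample of the roles with a hypothetical Rank (higher = more privilege)
var ROLES = [
  { Id: 1, Name: "Admin",    Rank: 100 },
  { Id: 4, Name: "Employee", Rank: 10 }
];

function roleRank(roleId) {
  for (var i = 0; i < ROLES.length; i++) {
    if (ROLES[i].Id === roleId) return ROLES[i].Rank;
  }
  return -1;   // unknown role: treated as lowest, so it can never be assigned
}

// The rule from the opening post: a creator may only hand out a role
// at or below their own rank, so a lower role cannot mint an Admin.
function canAssignRole(creatorRoleId, targetRoleId) {
  var target = roleRank(targetRoleId);
  return target >= 0 && target <= roleRank(creatorRoleId);
}

// The "couple of selects" from the thread: both name and pin must be unused.
function isUnique(users, name, pin) {
  for (var i = 0; i < users.length; i++) {
    if (users[i].Name === name || users[i].PinCode === pin) return false;
  }
  return true;
}

// Build the INSERT shown in the thread. Because the statement is built by string
// concatenation, the prompt values are constrained first: the pin must be digits
// only, the name is length-limited and its single quotes doubled so a quote typed
// into the [?UserName] prompt cannot break out of the string literal.
function buildInsert(name, pin, roleId) {
  if (!/^[0-9]{4,8}$/.test(pin)) throw new Error("pin must be 4-8 digits");
  if (typeof name !== "string" || name.length === 0 || name.length > 50) throw new Error("bad name");
  if (typeof roleId !== "number") throw new Error("bad role id");
  var safeName = name.replace(/'/g, "''");
  return "INSERT INTO [Users] ([PinCode], [Name], [UserRole_Id]) VALUES ('" + pin + "', '" + safeName + "', " + roleId + ")";
}

// Returns a result object instead of throwing, so a rule can show the reason
// in a message box when the creation is refused.
function createUser(users, creatorRoleId, name, pin, roleId) {
  if (!canAssignRole(creatorRoleId, roleId)) {
    return { ok: false, reason: "role exceeds creator's own role" };
  }
  if (!isUnique(users, name, pin)) {
    return { ok: false, reason: "name or pin already in use" };
  }
  var stmt;
  try {
    stmt = buildInsert(name, pin, roleId);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  // In SambaPOS this is where sql.ExecSql(stmt) would run; here the new row
  // is appended to the constructed table instead.
  users.push({ Id: users.length + 1, PinCode: pin, Name: name, UserRole_Id: roleId });
  return { ok: true, sql: stmt };
}

// Usage: an Employee (role 4) trying to create an Admin (role 1) is refused,
// while an Admin creating another Employee with a fresh name and pin succeeds.
var refused = createUser(USERS.slice(), 4, "Alex", "2468", 1);
var accepted = createUser(USERS.slice(), 1, "Alex", "2468", 4);
```

The ordering of the checks is deliberate: the role ceiling is tested before anything touches the table, so a low-privilege caller learns nothing about which names or pins already exist. In the real handler, isUnique would be a SELECT count(*) against [Users] in the same style as the updateValue sample above.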

I lost you at ‘fairly simple…’ lol

Joking, I'll read into this when home cos I think this'll take me a while to get my head around it.

Matt