Hello,
I want to add links to the ADD pages in the “Custom File” section of my project. However, I only want these links to be visible to users who have the necessary permissions (e.g., the ADD permission).
Is there a way to achieve this?
Thank you.
For example, in the demo2025 project, if you want to display the link for the Add page of the orders table in one of your Custom Files:
if (Security()->allowAdd(CurrentProjectID() . 'orders') && Security()->canAdd()) {
    // your code to show the Add Page link
}
Note that you need to adjust that code to your own requirements.
Thanks for your reply.
Just…
If I want to add these links dynamically from an API using AJAX, will this security check code function correctly within the API context?
Let me be clearer…
I’m planning to add these ‘Add Page’ links dynamically via an API endpoint and AJAX. Will the provided security check (if (Security()->allowAdd(CurrentProjectID() . 'orders') && Security()->canAdd())) still accurately enforce permissions when executed within the API’s PHP code?
You may test it by yourself first, and you may post your code for discussion.
I’ve encountered a challenge while trying to display links (like Add, Edit, View pages) in my Custom Files based on the current user’s permissions for specific tables.
My initial approach was to use PHPMaker’s generated API endpoints with AJAX calls. However, I soon realized that PHPMaker’s API endpoints generally do not maintain the user session, which makes it impossible to directly check user permissions using the standard CurrentUserID() or CurrentUserLevelPriv() functions within the API context.
To work around this, I’ve implemented a custom method directly within each table’s generated class (e.g., ActivityCenter). This method allows me to explicitly check a user’s permissions for a given table within my Custom Files.
Here’s the method I added to the Table Level Events of each relevant table:
// Table level events
public function getUserPermissions(array $permissions): array
{
    // Create AdvancedSecurity object if not already available
    if (!isset($this->security)) {
        $this->security = new \AdvancedSecurity($GLOBALS["Language"], $GLOBALS["session"]);
    }
    $reflection = new \ReflectionMethod($this->security, 'currentUserLevelPriv');
    $reflection->setAccessible(true); // Make the protected/private method accessible
    $results = [];
    foreach ($permissions as $permission) {
        $methodName = "allow" . ucfirst($permission);
        if (method_exists($this->security, $methodName)) {
            // Use direct allow methods if available (e.g., allowAdd, allowEdit)
            $results[$permission] = $this->security->$methodName($this->TableName);
        } else {
            // For other permissions like Search, Admin, Grant, etc., use bitwise check
            // assuming Allow constants are accessible (e.g., use EWR_ALLOW_SEARCH or similar if PHPMaker version is older)
            switch ($permission) {
                case 'Search':
                    $results[$permission] = ($reflection->invoke($this->security, $this->TableName) & Allow::SEARCH->value) == Allow::SEARCH->value;
                    break;
                case 'Admin':
                    $results[$permission] = ($reflection->invoke($this->security, $this->TableName) & Allow::ADMIN->value) == Allow::ADMIN->value;
                    break;
                case 'Grant':
                    $results[$permission] = ($reflection->invoke($this->security, $this->TableName) & Allow::GRANT->value) == Allow::GRANT->value;
                    break;
                case 'Import':
                    $results[$permission] = ($reflection->invoke($this->security, $this->TableName) & Allow::IMPORT->value) == Allow::IMPORT->value;
                    break;
                case 'Push':
                    $results[$permission] = ($reflection->invoke($this->security, $this->TableName) & Allow::PUSH->value) == Allow::PUSH->value;
                    break;
                default:
                    $results[$permission] = false;
                    break;
            }
        }
    }
    return $results;
}
And I’m calling it in my Custom File like this:
// Example in a Custom File
// First, instantiate the table object (e.g., ActivityCenter)
// Assuming ActivityCenter class is available in the current scope or included.
// Global variables like $GLOBALS["Language"] and $GLOBALS["Security"] should be available in PHPMaker's custom files context.
$permissions = ['Add', 'Delete', 'Edit', 'List', 'View', 'Search', 'Admin', 'Grant', 'Import', 'Lookup', 'Push', 'Export'];
$ActivityCenter = new ActivityCenter($GLOBALS["Language"], $GLOBALS["Security"]); // Pass Language and Security to constructor
$userPermissionsActivityCenter = $ActivityCenter->getUserPermissions($permissions);

// Now you can check permissions:
if ($userPermissionsActivityCenter['Add']) {
    // Display Add page link
    echo '<a href="ActivityCenterAdd">Add New ActivityCenter</a>';
}
if ($userPermissionsActivityCenter['Edit']) {
    // Display Edit page link
    // echo '<a href="ActivityCenterEdit/' . $someId . '">Edit ActivityCenter</a>'; // Example
}
// ... and so on for other permissions
My questions to the community are:
Any feedback, suggestions, or alternative solutions would be greatly appreciated!
Thank you!
You pass $GLOBALS["Security"] to new ActivityCenter() so if (!isset($this->security)) may be false. You may try to move all code to your Custom File, just replace $this->TableName by "ActivityCenter" (change the letter case to match the real table), then you don’t need to customize the table class.
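The bitmask check discussed in this thread, written as a self-contained added example; it is not part of any post above and is not PHPMaker code. The DemoAllow enum, its bit values, the resolvePermissions() and renderLinks() helpers, and the "Search" route are assumptions made for illustration; unknown permission names are denied by default and every value written into the link is HTML-escaped.

```php
<?php
declare(strict_types=1);

// Stand-in permission enum; names and bit values are constructed for this example.
enum DemoAllow: int
{
    case ADD = 1;
    case EDIT = 4;
    case VIEW = 32;
    case SEARCH = 64;
}

// Resolve permission names against a privilege bitmask; unknown names are denied.
function resolvePermissions(int $privMask, array $names): array
{
    $bits = [];
    foreach (DemoAllow::cases() as $case) {
        $bits[strtolower($case->name)] = $case->value;
    }
    $results = [];
    foreach ($names as $name) {
        $bit = $bits[strtolower($name)] ?? 0;
        $results[$name] = $bit !== 0 && ($privMask & $bit) === $bit;
    }
    return $results;
}

// Build links only for granted permissions; every dynamic value is HTML-escaped.
function renderLinks(string $table, int $privMask): array
{
    $routes = ['Add' => $table . 'Add', 'Search' => $table . 'Search']; // hypothetical routes
    $granted = resolvePermissions($privMask, array_keys($routes));
    $links = [];
    foreach ($routes as $perm => $href) {
        if ($granted[$perm]) {
            $links[] = sprintf(
                '<a href="%s">%s %s</a>',
                htmlspecialchars($href, ENT_QUOTES),
                htmlspecialchars($perm, ENT_QUOTES),
                htmlspecialchars($table, ENT_QUOTES)
            );
        }
    }
    return $links;
}

// Constructed sample: a user level that holds ADD and VIEW only.
$mask = DemoAllow::ADD->value | DemoAllow::VIEW->value;
print_r(resolvePermissions($mask, ['Add', 'Edit', 'View', 'Push']));
print_r(renderLinks('ActivityCenter', $mask));
```

A check like this only decides which links are drawn; the page each link points to still has to run its own permission check on the server.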