Access control and restricted model/table views

Hello,

I'm trying to get my head around what might be considered 'best practice' for the restriction of table views according to user/role. 

For example, say I have two models - "User" and "Computer". The User is used for basic AAA. There is a column/property in every Computer object which identifies the UserId to which it belongs (a foreign key in the Computer table, FKUID, pointing to the UserId). With the out of the box CRUD model (assuming they have general access to the edit/update/new views), the user will see all Computer rows, and be able to update the UserId field.

What I am trying to achieve is to restrict the view of users to only a listing of Computer objects where the FKUID in Computers matches that of the currently logged in User. The User should not be able to update the FKUID field in Computers either, even for the objects they do have access to. This should also apply to any relational queries (i.e. from other models which relate to the same Computers table).

Where should I filter the data? How should I restrict access for updates?

Any assistance appreciated.

Regards,

Elliot.

You can 'declare' a relation in the relations() method of the User model, let's say

'computers'=>array(self::HAS_MANY,'Computer','FKUID');

then in the UserController you can get the computers of the user in the following way:

$user = User::model()->findByPk(Yii::app()->user->id); // the currently logged-in user

$computers = $user->computers; // This gives you the computers of that user.

And in the view just show any field you want.

You can 'declare' a relation in the relations() method of the User model, let's say

'computers'=>array(self::HAS_MANY,'Computer','FKUID');

This far I got… so no problems here.

then in the UserController you can get the computers of the user in the following way:

$user = User::model()->findByPk(Yii::app()->user->id); // the currently logged-in user

$computers = $user->computers; // This gives you the computers of that user.

So it is best to place this 'filtering' in the controller?

And in the view just show any field you want.

In the SQL, the FKUID is marked as mandatory. If I remove it from the update and new views, this causes an error. Is it best to also hard-wire this to the user id in the controller?
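One way to put both pieces together (the per-user filter and the hard-wired FKUID), as an added example that is not from this thread. It assumes Yii 1.x, which the relations()/self::HAS_MANY idiom above suggests; User, Computer and FKUID come from the question, while the 'name' and 'id' columns and the scope name are assumed:

```php
<?php
// Assumed Yii 1.x. User, Computer and FKUID come from the question;
// the 'name'/'id' columns and the scope name ownedByCurrentUser are assumed.
class Computer extends CActiveRecord
{
    public static function model($className = __CLASS__) { return parent::model($className); }
    public function tableName() { return 'Computer'; }
    public function relations() { return array('owner' => array(self::BELONGS_TO, 'User', 'FKUID')); }

    // FKUID appears in no rule, so it is not a "safe" attribute: massive assignment
    // from $_POST silently drops it. Only the controller ever sets it.
    public function rules()
    {
        return array(array('name', 'required'), array('name', 'length', 'max' => 64));
    }

    // Named scope: restrict every finder to rows owned by the logged-in user.
    public function ownedByCurrentUser()
    {
        $this->getDbCriteria()->mergeWith(array(
            'condition' => 't.FKUID = :uid',
            'params'    => array(':uid' => Yii::app()->user->id),
        ));
        return $this;
    }
}

class ComputerController extends CController
{
    // All row lookups (view/update/delete) go through the scope, so another
    // user's id returns 404 instead of their row.
    public function loadModel($id)
    {
        $model = Computer::model()->ownedByCurrentUser()->findByPk($id);
        if ($model === null) throw new CHttpException(404, 'The requested page does not exist.');
        return $model;
    }

    public function actionCreate()
    {
        $model = new Computer;
        if (isset($_POST['Computer'])) {
            $model->attributes = $_POST['Computer']; // a posted FKUID is ignored here
            $model->FKUID = Yii::app()->user->id;     // satisfy the NOT NULL column server-side
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('create', array('model' => $model));
    }
}
```

The index listing uses the same scope, e.g. `new CActiveDataProvider(Computer::model()->ownedByCurrentUser())`, so the list and the row actions cannot disagree. For the relational queries mentioned in the question, go through the scope or through `$user->computers` rather than an unfiltered `Computer::model()->findAll()`.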