Search results, filter by access rights

Question

I have implemented search for my customers master successfully, and it searches the entire customer master.

I have agents logged in who are doing the searching. Customer accounts are associated with agents. I need to restrict the search to customers associated to the agent (who is logged in).

How do I do this?

Answer 1

You will need to scope your data and your sql statements to the current user.

For instance, let's say you have a table sales and a table users. Functionally, each sale belongs to a user. As such, the sales table should have a foreign key on it such as user_id that identifies, for each sale row, the row in the users table to which that sale belongs.

Then, when you search through sales, you should always add "where user_id =?" as the first filter of your sql statement, before the other dynamic filters, replacing? with the id of the current logged in user.

In this manner, all the filter criteria when searching the sales table will first be scoped to the current logged in user. If the filter criteria would otherwise pick up someone else's sales rows, it will no longer do that due to the user_id filter.

If you have sales that pertain to all agents in addition to those that are agent-specific, they would presumably have some marker, either an agent_id of 0 or perhaps NULL, or some other field that identifies them as searchable by all. This can easily be worked into that first WHERE fragment in the SQL statement with appropriate parentheses to keep it together:

WHERE (agent_id = ? or agent_id IS NULL) AND other dynamic filter etc
WHERE (agent_id = ? or agent_id = 0) AND other dynamic filter etc
WHERE (agent_id = ? or all_agents_flag = 1) AND other dynamic filter etc

Answer 2

Seems like you need to LEFT JOIN . Why don't you LEFT JOIN the tables that are in question. For ex: orders, sales_agents, customers...

Might just work.