Access rules based on Company/Tenant

[dankitchen]

I have a tenant table (company) where there may be a number of logins that belong to the company.  To accommodate this I added a relationship "tenant_code" column to the sthpw/login table.  I am trying to add access rules to make sure a login can only see data related to their parent "tenant".  My access rules below don't seem to be doing the trick at the moment.

<rules>
  <rule group="builtin" default="deny"/>
  <rule group="builtin" key="view_side_bar" access="allow"/>
  <rule group="project" code="linborough_dev" access="allow"/>
  <rule column="code" value="@GET(login.tenant_code)" search_type="lpc/tenant" op="=" group="search_filter" project="linborough_dev"/>
  <rule column="tenant_code" value="@GET(login.tenant_code)" search_type="lpc/lease" op="=" group="search_filter" project="linborough_dev"/>
</rules>


I also tried:

<rules>
  <rule group="builtin" default="deny"/>
  <rule group="builtin" key="view_side_bar" access="allow"/>
  <rule group="project" code="linborough_dev" access="allow"/>
  <rule column="code" value="@GET(sthpw/login['login', $LOGIN].tenant_code)" search_type="lpc/tenant" op="=" group="search_filter" project="linborough_dev"/>
  <rule column="tenant_code" value="@GET(sthpw/login['login', $LOGIN].tenant_code)" search_type="lpc/lease" op="=" group="search_filter" project="linborough_dev"/>
</rules>


To make sure I have the schema connection working I ran the following expressions in the script editor:

@GET(lpc/tenant['name', 'TEST TENANT'].sthpw/login.login)

@GET(sthpw/login['login', $LOGIN].tenant_code)


I also did try hardcoding a tenant code into the rule to see if it would work but no luck.  Just wanted to check if I am missing something simple or its a bug?

thanks!
-Dan

[dankitchen]

I should also add to this that I would ideally want this to work at the database level as may do queries from a tenant perspective in a custom layout and would want it to follow the security rules as well. So not sure if I should be usine a group="search_filter" or group="database" rule.

[remkonoteboom]

This is handled in

src/pyasm/security/access_manager.py

in the method alter_search

All the logic the handles this is in this method. The variable "values" lists the possible values that is attached to the search. At the end of this method, add the print statement:

print("sql: ", search.get_statement())

This will show you exactly what is going to be sent to the database after the security rules have been added.

[dankitchen]

So I added the sql print statement and generally the sql looked correct but I noticed a warning saying security failed on lpc/tenant. This made me wonder if I needed a security rule allowing access on the overall stype. Just wasn't sure as the rules would be stating:

-disallow everything
-all access to the project
-allow all lpc/tenant
-filter to only show lpc tenant that match the user's assigned tenant

This translates to the following rules:

<rule group="builtin" default="deny"/>
<rule group="project" code="linborough_dev" access="allow"/>
<rule group="search_type" code="lpc/tenant" project="linborough_dev" access="allow"/>
<rule column="code" value="@GET(sthpw/login['login', $LOGIN].tenant_code)" search_type="lpc/tenant" op="=" group="search_filter" project="linborough_dev"/>


I didn't expect to have the third statement allowing all on the sType, I had assumed it would conflict with the last statement's filtering

Thanks for your help!
-Dan