0

I want to use Adminer Editor to allow users to change rows in one table. I use this function to limit users to see only the table I want:

```php
function tableName($tableStatus) {
    if($tableStatus['Name']==$TABLE_NAME)
        return $TABLE_NAME;
}
```

But - I want the users to change only rows with a certain condition (for example: branch_id=10). How can I do this?

zvi
  • [From the docs](https://www.adminer.org/en/extension/) it looks like `function fieldName` may be able to do this for you? I'm not aware of this software tho. You could also look at overwriting [selectQueryBuild](https://github.com/vrana/adminer/blob/v4.7.1/adminer/include/adminer.inc.php#L617) and make the edits you need. – IsThisJavascript Dec 14 '22 at 10:11
  • Thanks, but with this you can hide the whole column, not by its value. – zvi Dec 14 '22 at 10:15
  • 1
    I wonder if this is a bit of an XY problem actually. By modifying the Adminer system you might prevent access to certain data via that specific UI. But it doesn't fundamentally alter users' access to the underlying data, if they have other ways of accessing the database. Obviously we don't know the context, but it _could_ be that what you actually want is row-level security within the mysql database itself, so you prevent access _at source_. See https://stackoverflow.com/questions/51989192/mysql-how-can-i-gain-security-at-row-level for some details on that. – ADyson Dec 14 '22 at 10:23
  • I think the solution for you will lie in overwriting [sqlCommandQuery](https://github.com/vrana/adminer/blob/v4.7.1/adminer/include/adminer.inc.php#L247). As per the docs, `Query printed in SQL command before execution`. But @ADyson makes a better point from a security point of view – IsThisJavascript Dec 14 '22 at 10:26
  • @ADyson I want this limit only to users with access to this UI, not on the DB itself – zvi Dec 14 '22 at 10:31
  • @IsThisJavascript this shows the query before execution, but you can't change it then... – zvi Dec 14 '22 at 10:31
  • @zvi why, then? Surely you should care about access to the data in general? Why make restrictions only in one place? That doesn't seem to make much sense, unless you can explain? – ADyson Dec 14 '22 at 10:37
  • @ADyson I want the worker of branch X to see and update only their rows. Some other users will see all rows. – zvi Dec 14 '22 at 10:51
  • @zvi that doesn't explain why you want to do it in Adminer only, and not across all usages of the database – ADyson Dec 14 '22 at 11:06

2 Answers

0

You can use the following query to limit users to only modifying rows with a certain condition:

```sql
UPDATE table_name
SET column1 = value1, column2 = value2, ...
WHERE branch_id = 10
```
Lone Wolf
  • Thanks but where do I change it? Also, I want that the users won't see those rows... – zvi Dec 14 '22 at 10:15
  • @zvi you asked about preventing an update, not preventing a read. But a similar principle would apply surely? e.g. `SELECT * from table_name WHERE branch_id = 10` to get only those rows which are applicable to a certain branch. – ADyson Dec 14 '22 at 10:17
  • Ok but where do I enter this change? – zvi Dec 14 '22 at 10:18
  • using the SQL command editor in Adminer. – Lone Wolf Dec 14 '22 at 10:19
  • 1
    It looks like he wants to serve some software to people and wants to add limitations to it. Simply changing the query isn't possible like that. He will need to overwrite some of the methods. – IsThisJavascript Dec 14 '22 at 10:19
0

I found an ugly way to do it:

```php
function selectQueryBuild($select, $where, $group, $order, $limit, $page){
    return "SELECT * FROM `TABLE_NAME` where BRANCH_ID=10";
}
```

Unless someone has a better solution, this changes all the queries that will be done, but it'll do the job.

zvi
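
ADyson's comment on the question suggests enforcing the restriction in the database rather than in the Adminer UI. One way to do that in MySQL, as an added example that is not from any of the posts: a filtered view with a check option, plus an account that can reach only that view. `table_name` and `branch_id` come from the question; the database name `app_db`, the view name, the account name and the password placeholder are assumptions.

```sql
-- Added example (MySQL). Run steps 1-3 as an administrative account.
-- Hypothetical names: app_db, branch_10_rows, branch10_editor.

USE app_db;

-- 1. Expose only branch 10's rows. The WHERE clause filters reads;
--    WITH CHECK OPTION makes MySQL reject any INSERT or UPDATE through
--    the view whose resulting row would no longer satisfy branch_id = 10,
--    so a row cannot be moved to, or created in, another branch.
--    Note: SELECT * is expanded when the view is created; recreate the
--    view after adding columns to table_name.
CREATE VIEW branch_10_rows AS
    SELECT *
    FROM table_name
    WHERE branch_id = 10
WITH CASCADED CHECK OPTION;

-- 2. A dedicated account for the branch 10 staff. Adminer Editor logs in
--    with this account instead of a full-access one.
CREATE USER 'branch10_editor'@'localhost'
    IDENTIFIED BY '<replace-with-a-strong-password>';

-- 3. Grant read and update on the view only. No privilege is granted on
--    table_name itself; the view runs with its definer's rights
--    (SQL SECURITY DEFINER is the default), so the account never needs
--    direct access to the base table.
GRANT SELECT, UPDATE ON app_db.branch_10_rows
    TO 'branch10_editor'@'localhost';

-- 4. Verification, run while connected as branch10_editor.
--    a) Reads go through the view and return branch 10 rows only.
SELECT * FROM branch_10_rows;

--    b) An attempt to move a row out of the branch violates the
--       check option and is refused by the server.
UPDATE branch_10_rows SET branch_id = 11 LIMIT 1;

--    c) Direct access to the base table is refused because the account
--       holds no privilege on it.
SELECT * FROM table_name;
```

With this in place the restriction holds for every client that connects with that account, and the `tableName()` override in Adminer Editor only decides which of the permitted objects are listed.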