kmcital tech notes

Tech stuff worth sharing

First mod: hiding budget or other sensitive info for certain users

So we are starting to use dotProject, mainly because our biostatistics consulting business (Instat services) is getting a lot of business, more projects, and things have become more of a challenge to manage (timelines, tasks, deliverables, etc).  We were awarded a project that would require several programmers and statisticians and we wanted to use dP to track the progress AND the budget used along the way.  Some of the people assigned to the project will be contractors, so our first concern was how to restrict access to these team members.

The ACL permissions system in dP is pretty good; it's based on phpgacl (I don’t know much about it, but my quick take is that it’s a decent role-based, section/item access control subsystem; of course otherwise the fine developers of dP would not have selected it).

So it was fairly straightforward, after learning the right location and screens to click into, to create a user with restricted access, that is, one who can only view and edit data related to the projects they are assigned to.

The first thing we noticed was that certain views on projects and tasks display the target budgets ($) and actual budgets, and we don’t want our restricted users to see this information.  Unfortunately, from what I could see in the ACL system, there was no way to set permissions down to the field level, only on modules and module items.

I googled and looked around but didn’t see anything out there (maybe I missed it), so I decided to start inspecting the code to see what could be done.

My first thought was that it would logically make sense to restrict view permissions on sensitive information like budgets to certain user types (CEO, Director, Manager) and deny them to others (Employees, Contractors).  I read in the dP forums that user type is purely an informational attribute of a user/contact; it is not used anywhere in the permissions.

I reviewed the roles and permissions used in the system and nothing really made sense to use, at least not as much as user type.  What I was after was to grant view rights to user types of Manager and above.

What I discovered is that this can easily be done by checking the user type and conditionally writing out the field or not.  So here’s what I did.

Projects view: \modules\projects\view.php

added line 9:
$fullaccess = ($AppUI->user_type <= 3); // user types 1-3 (Manager and above) may see budget figures

modified line 243 (now 244) from:

<td class="hilite"><?php echo $dPconfig['currency_symbol'] ?><?php echo @$obj->project_target_budget;?></td>

to:

<td class="hilite"><?php
  if ($fullaccess) {
    // '.' is string concatenation in PHP; '+' would add the operands numerically and drop the symbol
    echo $dPconfig['currency_symbol'] . @$obj->project_target_budget;
  } else {
    echo $AppUI->_('####');
  }
?></td>

And it worked! Since this has to be done in many places, for whatever we deem “sensitive,” I’d like to put it in a class or something so it can easily be called.
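One way to package the check into a single reusable helper, as an added example that is not code from the original post or from dotProject itself: the view calls one method, the user_type rule lives in one place, the helper fails closed when user_type is missing, and the output is HTML-escaped. Assumed: $AppUI->user_type, $AppUI->_() and $dPconfig['currency_symbol'] exist as in dP; the class name SensitiveField and the StubAppUI stand-in are hypothetical.

```php
<?php
// Added example (not from the original post or from dotProject): one helper
// that every budget-printing view can call, so the rule is written once.
class SensitiveField
{
    // Highest user_type number that may still see budgets (the "<= 3",
    // Manager and above, from the post).
    const MAX_BUDGET_VIEWER_TYPE = 3;

    public static function canViewBudget($appUI)
    {
        // Fail closed: a missing or non-numeric user_type gets no access
        // instead of letting (null <= 3) evaluate to true.
        if (!isset($appUI->user_type) || !is_numeric($appUI->user_type)) {
            return false;
        }
        return (int) $appUI->user_type <= self::MAX_BUDGET_VIEWER_TYPE;
    }

    // Returns the HTML-safe text to print in a budget cell: the formatted
    // amount for privileged users, the masked placeholder for everyone else.
    public static function budget($appUI, $dPconfig, $amount)
    {
        if (!self::canViewBudget($appUI)) {
            return $appUI->_('####');
        }
        // '.' concatenates; '+' would add numerically and lose the symbol.
        return htmlspecialchars($dPconfig['currency_symbol'] . $amount, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed stand-in for dP's $AppUI so the helper runs on its own.
class StubAppUI
{
    public $user_type;
    public function __construct($type) { $this->user_type = $type; }
    public function _($s) { return $s; } // dP's translation hook; identity here
}

$dPconfig   = array('currency_symbol' => '$');
$manager    = new StubAppUI(3);   // constructed: allowed to see budgets
$contractor = new StubAppUI(5);   // constructed: masked
echo SensitiveField::budget($manager, $dPconfig, '12500.00'), "\n";
echo SensitiveField::budget($contractor, $dPconfig, '12500.00'), "\n";
```

In view.php the cell then becomes a single call, e.g. `echo SensitiveField::budget($AppUI, $dPconfig, @$obj->project_target_budget);`, and any other view or report that prints a budget reuses the same method rather than its own if/else.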

So, nothing terribly exciting or complex, but it highlights the beauty of opensource.  You can start with a great application and customize it to your needs.  I’ll try to share other mods we make as we go along.

March 30, 2007 - Posted by kmcital | dotProject | 3 Comments

3 Comments

  1. Aha!!! The user_type field IS used elsewhere in dotProject for determining permissions. I found this in the overall project report (modules/projects/reports/overall.php):

    $fullaccess = ($AppUI->user_type == 1);

    Here it is used to restrict access for which companies you can run this overall report against. If you are not user_type 1 then you only see companies for which you are owner. I guess my solution is not as off-base as I thought.

    Comment by kmcital | March 31, 2007

  2. Core dP contributor here…

    I have to say that it looks like you’re doing a good thing here. We’ve purposely stayed away from much of this due to the sheer complexity and organization-specific requirements, but I think you’ve laid a foundation that we should check out. Thanks!

    Comment by Keith Casey | April 1, 2007

  3. Hey there – firstly, you guys are wonderful for coming up with this hack… MUCH NEEDED!

    But I keep getting a syntax error “unexpected ;” when I replace that second bit of code.

    I am a mere designer, not a programmer, so any help would be appreciated on that issue.

    Thanks!

    Comment by Nisa Berzeg | March 5, 2009


Leave a comment