Security for user vs. organizer

In our app, users can create events (in which case they are the organizer) and they can attend events (in which case we call them users).

We want organizers to have access to details about their event, but not details about events that other users organized. We have pages (e.g., event-details) for the organizer to view those details.

What’s the best way to set up security for this at the page-level? Seems to me that we’ll want to search for the organizer of a particular event on that page and check to see whether it matches the user. Would be nice to include this from a re-usable element in the header, but then it’s not easy to look up the particular event (I’d normally do so with a hidden value, but that seems insecure, so would consider trying to pull the event ID from the URL). Any other thoughts?

What’s the best way to set up security for this at the database level? I presume there’s a way to set it up so that the organizer of an event has access to different details than users of that event, just by setting up different roles. Can anyone confirm whether this is the case?

Thanks!


All users should be set up using the standard user accounts. You can then attach these users to roles under an organisation. The privacy setting can then be used to determine permissible action against these roles. Workflows can also be controlled by checking the user’s role.

Thanks for the quick turnaround. The main issue is that someone’s role/permissions need to change depending on whether s/he is the organizer or attendee of a specific event. I’m assuming we don’t want to create a separate profile for the same person (one for when they are the organizer, one for when they are the attendee), but looking to folks like you for advice.

You could set up a field “permissions” against a user, and this could be a list of “Permissions”; you could then assign a number of different permissions.

Another approach is that when you create an event, you could assign a list of organisers and check against that.

Up to you what works best for your use case.


Is there a way to get the event’s object into a re-usable group on the page, in a manner that’s secure?

Details specific to our use case - We’re to use role-based permissions that are based on a database table which lists each page on our site and a yes/no for whether people of each role are allowed access (similar to this). Furthermore, we want to run the permissions through a re-usable element that we’ll put on each page, so that we only have to update the workflows in a single place anytime we want to make global changes.

The challenge we’re running into is that we need to figure out who is the event organizer for many of our pages that have a type = event. But, we can’t find a way to get that data into the re-usable element that’s secure.

I’m doing the latter: “create an event, you could assign a list of organisers”. How do I pass the event_id to the reusable element? I know I could hide an event_id element on each page and check against that, but that seems hackable. Any way around it?

@emmanuel, is there a way to pass the page’s object into a reusable element that’s secure?

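As an added illustration of the design discussed in this thread (not code from the thread and not Bubble’s own API), the following Python sketch shows the two ideas together: the organizer/attendee role is a property of the (user, event) pair, looked up server-side from the event’s organiser list, and the event id is taken from the URL path rather than from a hidden client-side value. The route shape, the page-permission table and all user/event data are constructed assumptions.

```python
"""Server-side authorization for per-event pages.

Added example, not from the thread. The event id is read from the URL
path, never from a hidden field the client could edit, and the role is
recomputed from the database on every request. All data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: str
    organizers: frozenset  # user ids assigned when the event was created
    attendees: frozenset


# Constructed sample data standing in for the events table.
EVENTS = {
    "ev-1": Event("ev-1", frozenset({"alice"}), frozenset({"bob"})),
    "ev-2": Event("ev-2", frozenset({"bob"}), frozenset({"alice"})),
}

# The thread's per-page table: page name -> roles allowed to open it.
PAGE_ROLES = {
    "event-details": {"organizer"},
    "event-public": {"organizer", "attendee"},
}


def role_for(user_id, event_id):
    """Role is decided per (user, event) pair, not stored on the user."""
    ev = EVENTS.get(event_id)
    if ev is None:
        return None
    if user_id in ev.organizers:
        return "organizer"
    if user_id in ev.attendees:
        return "attendee"
    return None


def event_id_from_path(path):
    """Parse a hypothetical route like /event-details/ev-1 into (page, id)."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] not in PAGE_ROLES:
        return None, None
    return parts[0], parts[1]


def authorize(user_id, path):
    """Single reusable check every page runs; True only when permitted."""
    page, event_id = event_id_from_path(path)
    if page is None:
        return False
    role = role_for(user_id, event_id)
    return role is not None and role in PAGE_ROLES[page]
```

Because the check re-derives the role from the organiser list on each request, a user who edits a hidden element or changes the id in the URL only reaches data for events they actually organise.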