How to setup Admin/User Account and it respective features in livecode

[lemodizon]

Hello Everyone,
I was trying to create a login stack where if the user is under the category of "admin" it enabled all the full access my application such as add, delete, edit and etc. however if it is under the category "user" it has limited access. I have code here, but it displayed all the data of my users. I just want to display the that the user who logged in is "admin" or "user" and can you teach me on how can I create a function or command for the full access/features for "admin" and "User". Hope you can help me. Thanks in advance.

Code: Select all

on mouseUp
   
   local lDatabaseFile
   global gDatabaseID
   
   put specialFolderPath("Documents") & "\DCMA.db" into lDatabaseFile
   
   if there is no file lDatabaseFile then
      Beep
      Answer Error "No Database Found!" titled " Dental Clinic Management Application"
   else
      put revOpenDatabase("Sqlite", lDatabaseFile) into gDatabaseID
      put the text of fld "UserNameFld" into tUser
      put the text of fld "PasswordFld" into tPassword
      put "SELECT Password FROM TBLUSERS WHERE UserName='" & tUser & "'"  into tSQLStatement
      put "SELECT UserName,Category FROM TBLUSERS" into tPrivilege
      
      put revDataFromQuery(tab,return, gDatabaseID, tSQLStatement) into tRecords
      put revDataFromQuery(tab,return, gDatabaseID, tPrivilege) into tUSerRights
      
      if fld "UserNameFld" is empty or fld "PasswordFld" is empty then
         answer error "Please fill up the login"
      else
         
         if tRecords = tPassword  then
            answer "your account type is" &tUSerRights
            go to stack "DashBoard"
            RevCloseDatabase (gDatabaseID)
         else
            answer error "Bad password"
         end if
      end if
   end if
   
end mouseUp

[richmond62]

HClevels.gif (2.93 KiB) Viewed 6567 times

-
Implementing this sort of thing would be quite useful BOTH in
LiveCode itself, and in standalones.

Or . . . even if a base stack were to be deployed with a Stack runner.

[richmond62]

HCmagic.png (10.6 KiB) Viewed 6546 times

-
https://archive.org/details/hypercard_userlevelfive

[Klaus]

Hi lemodizon,

the script looks OK, here some minor modifications:

Code: Select all

on mouseUp
   
   local lDatabaseFile
   global gDatabaseID
   
   ## Get used to the SLAH as a pathedlimiter!
   ## LC always uses this internally, ALSO for Windows pathnames!
   put specialFolderPath("Documents") & "/DCMA.db" into lDatabaseFile
   
   ## Avoid many IF THEN clauses by sorting things like this out:
   if there is no file lDatabaseFile then
      Beep
      Answer Error "No Database Found!" titled " Dental Clinic Management Application"
      exit to top
   end if
   
   put the text of fld "UserNameFld" into tUser
   put the text of fld "PasswordFld" into tPassword
   
   ## We have to check BEFORE we try to access the database!
   ## See above:
   if tUser = empty or tPassword = empty then
      answer error "Please fill up the login!"
      exit to top
   end if
   
   ## Do db stuff now:
   put revOpenDatabase("Sqlite", lDatabaseFile) into gDatabaseID   
   put "SELECT Password FROM TBLUSERS WHERE UserName='" & tUser & "'"  into tSQLStatement
   put "SELECT UserName,Category FROM TBLUSERS" into tPrivilege
   
   ## This should return only ONE record! 
   ## If it does not, maybe you have 2 entries for ADMIN?
   put revDataFromQuery(tab,return, gDatabaseID, tSQLStatement) into tRecords
   put revDataFromQuery(tab,return, gDatabaseID, tPrivilege) into tUSerRights
   
   if tRecords = tPassword  then
      answer "your account type is" && tUSerRights
      go to stack "DashBoard"
      RevCloseDatabase (gDatabaseID)
   else
      answer error "Bad password"
   end if   
end mouseUp

See my comments before the DB stuff, that should work actually.

Best

Klaus

[FourthWorld]

I hate to be the bearer of bad news, but modern password management for systems exposed to the internet is a non-trivial task.

For starters, the password must be stored in hashed form only, ideally double hashed with a good salt and a strong algo (SHA2 or SHA3).

This means that password recovery should be impossible, requiring password reset instead.

Our community could use a solid library for this.

Right now I'm exploring using Nextcloud's user management features for this, giving me all the above plus OAuth, federation, arbitrary user storage, group management, and more, all maintained by a vast global pool of developers.

If the experiments pan out as I hope I'll share the library.

[lemodizon]

HCmagic.png
-
https://archive.org/details/hypercard_userlevelfive

Hi richmond62,

Thanks for the site. This will help me.

[lemodizon]

Hi lemodizon,

the script looks OK, here some minor modifications:

Code: Select all

on mouseUp
   
   local lDatabaseFile
   global gDatabaseID
   
   ## Get used to the SLAH as a pathedlimiter!
   ## LC always uses this internally, ALSO for Windows pathnames!
   put specialFolderPath("Documents") & "/DCMA.db" into lDatabaseFile
   
   ## Avoid many IF THEN clauses by sorting things like this out:
   if there is no file lDatabaseFile then
      Beep
      Answer Error "No Database Found!" titled " Dental Clinic Management Application"
      exit to top
   end if
   
   put the text of fld "UserNameFld" into tUser
   put the text of fld "PasswordFld" into tPassword
   
   ## We have to check BEFORE we try to access the database!
   ## See above:
   if tUser = empty or tPassword = empty then
      answer error "Please fill up the login!"
      exit to top
   end if
   
   ## Do db stuff now:
   put revOpenDatabase("Sqlite", lDatabaseFile) into gDatabaseID   
   put "SELECT Password FROM TBLUSERS WHERE UserName='" & tUser & "'"  into tSQLStatement
   put "SELECT UserName,Category FROM TBLUSERS" into tPrivilege
   
   ## This should return only ONE record! 
   ## If it does not, maybe you have 2 entries for ADMIN?
   put revDataFromQuery(tab,return, gDatabaseID, tSQLStatement) into tRecords
   put revDataFromQuery(tab,return, gDatabaseID, tPrivilege) into tUSerRights
   
   if tRecords = tPassword  then
      answer "your account type is" && tUSerRights
      go to stack "DashBoard"
      RevCloseDatabase (gDatabaseID)
   else
      answer error "Bad password"
   end if   
end mouseUp

See my comments before the DB stuff, that should work actually.

Best

Klaus

Hi Klaus,

Thank you for the modification.

## Avoid many IF THEN clauses by sorting things like this out:
I think this is my weakness... in this forum i discovered techniques thank you.


How can I display one record only?

Code: Select all

## This should return only ONE record! 
   ## If it does not, maybe you have 2 entries for ADMIN?
   put revDataFromQuery(tab,return, gDatabaseID, tSQLStatement) into tRecords
   put revDataFromQuery(tab,return, gDatabaseID, tPrivilege) into tUSerRights
   
   if tRecords = tPassword  then
      answer "your account type is" && tUSerRights
      go to stack "DashBoard"
      RevCloseDatabase (gDatabaseID)
   else
      answer error "Bad password"
   end if   

[Klaus]

Hi Lemodizon,

How can I display one record only?

Code: Select all

put revDataFromQuery(tab,return, gDatabaseID, tPrivilege) into tUSerRights

returns the data from the SQL query as ONE record per line, so you can:

Code: Select all

put line 1 of tUserRights into tOnlyOneUserRights

Best

Klaus

[stam]

If the experiments pan out as I hope I'll share the library.

That would be truly excellent, thank you Richard...

[FourthWorld]

If the experiments pan out as I hope I'll share the library.

That would be truly excellent, thank you Richard...

Have you used Nextcloud?

[stam]

Have you used Nextcloud?

Hi Richard - no I haven't but it's not something i've considered using - running a server for the intended purpose is simply not going to be possible because of draconian information governance in the workplace, and while i can use hosted services for this, their enterprise version starts at €3,600/year, which is not a cost i can cover.

I think i misread your post and was thinking you may be referring to a library to cryptographically store passwords:

For starters, the password must be stored in hashed form only, ideally double hashed with a good salt and a strong algo (SHA2 or SHA3).
This means that password recovery should be impossible, requiring password reset instead.
Our community could use a solid library for this.

but looking back at your post you were probably referring to library to use NextCloud...

[FourthWorld]

HClevels.gif
-
Implementing this sort of thing would be quite useful BOTH in
LiveCode itself, and in standalones.

Or . . . even if a base stack were to be deployed with a Stack runner.

Where did HyperCard provide authentication?

[mtalluto]

As an alternative, LiveCloud has user management built in. The front-end, LiveCode Manager, provides a GUI to manage your users. APIs allow you to programmatically manage users.

[FourthWorld]

I replied to this a couple days ago, but logging in today I see my reply isn't here. I'll try again and hope this one sticks:

Have you used Nextcloud?

Hi Richard - no I haven't but it's not something i've considered using - running a server for the intended purpose is simply not going to be possible because of draconian information governance in the workplace, and while i can use hosted services for this, their enterprise version starts at €3,600/year, which is not a cost i can cover.p[/code]
Nextcloud is open source and freely available. I have five Nextcloud instances running right now, and have never paid any fee.

Perhaps you were looking at their enterprise service offerings? I would agree, the scope of those services seem outside your project's needs.

[quote[I think i misread your post and was thinking you may be referring to a library to cryptographically store passwords:

For starters, the password must be stored in hashed form only, ideally double hashed with a good salt and a strong algo (SHA2 or SHA3).
This means that password recovery should be impossible, requiring password reset instead.
Our community could use a solid library for this.

but looking back at your post you were probably referring to library to use NextCloud...

No, I was referring to things that can be done fully within LC. The messageDigest function provides access to modern hashes like SHA3, and the rest of mostly DB access, also provided right in LC.

But I think I had misunderstood your original post to be a client-server arrangement. On re-reading it seems this is only for single-user local installs, yes?

If it is client-server, Mark's suggestion of looking into LiveCloud is a good one.

If it's local only, depending on the sensitivity of the data you may have other security considerations beyond password access, such as the user's ability to copy the SQLite DB for use in any other tool that works with SQLite.

[stam]

Thanks Richard, I think you’re probably confusing me with the OP, or I’m confused. All I said was that it would be cool if you did share a crypto library - there was no question implied.

Mark - I am using LiveCloud and there is a lot to commend it. But there are limitations with the authentication system. Our users won’t use a an email as a username for one (work emails are far too long and doctors far too lazy). For another there are no assignable privilege sets/roles.

Not a big deal - my plan is is to create a small number of access level accounts/group accounts and assign them to users. I would maintain my own username/password and relevant account details in a different table, hard code the user account credentials in the app and if the local username/password passes the test it would log on via the appropriate group. A nice crypto library would be good for password storage - hence I expressed interest when Richard mentioned he may be sharing a library.