User Rights Issue, part II

Status
Not open for further replies.

IRABYY

Programmer
Apr 18, 2002
221
US
The following are three subroutines you can use whenever
you need to create, update, append to or delete files
and/or directories in an environment where end user rights
are restricted to Read-Only:


Code:
************************************************************
FUNCTION GetFileAttribInfo(tcFilePath)
************************************************************

** Function Name : Get File Attribute Info
** Purpose       : Get the attributes of the file in question.
** Description   : Wrapper around Win32API function GetFileAttributes()
** Parameter(s)  : Full path to the file/directory in question as string.
** Return        : File attributes as Numeric (bit mask), -1 on failure.
** Side Effect(s): None.
** Notes         :  FILE_ATTRIBUTE_READONLY             0x00000001       1
**                  FILE_ATTRIBUTE_HIDDEN               0x00000002       2
**                  FILE_ATTRIBUTE_SYSTEM               0x00000004       4
**                  FILE_ATTRIBUTE_DIRECTORY            0x00000010      16
**                  FILE_ATTRIBUTE_ARCHIVE              0x00000020      32
**                  FILE_ATTRIBUTE_NORMAL               0x00000080     128
**                  FILE_ATTRIBUTE_TEMPORARY            0x00000100     256
**                  FILE_ATTRIBUTE_ENCRYPTED            0x00004000   16384
************************************************************

IF TYPE('tcFilePath') # 'C'
   RETURN -1
ENDIF
* The path must exist as a file or as a directory (it is never both)
IF !FILE(tcFilePath) .AND. !DIRECTORY(tcFilePath)
   RETURN -1
ENDIF

* The path is input only, so the string is passed by value
DECLARE INTEGER GetFileAttributes IN WIN32API STRING lpFileName

RETURN GetFileAttributes(tcFilePath)
ENDFUNC
************************************************************

************************************************************

FUNCTION SetFileReadOnly(tcFile)
************************************************************

** Function Name: Set File Attribute Read-Only
** Purpose      : Sets file's attribute to Read-Only
** Parameters   : Full path to the file or directory as string.
** Return       : Success as Boolean
** Note         : API Function declaration :
**                    DECLARE INTEGER SetFileAttributes IN win32api ;
**                       STRING lpFileName, ;
**                       INTEGER dwFileAttributes
**
************************************************************

LOCAL llRet
tcFile = ALLTRIM(tcFile)

* dwFileAttributes is a 32-bit DWORD and the result a 32-bit BOOL
DECLARE INTEGER SetFileAttributes IN win32api ;
   STRING lpFileName, INTEGER dwFileAttributes
IF FILE(tcFile) .OR. DIRECTORY(tcFile)
   * 1 = FILE_ATTRIBUTE_READONLY; this replaces all other attribute bits.
   * The API returns non-zero on success.
   IF SetFileAttributes(tcFile, 1) # 0
      llRet = .T.
   ELSE
      llRet = .F.
   ENDIF
ELSE
   llRet = .F.
ENDIF
RETURN llRet
ENDFUNC
************************************************************

************************************************************
FUNCTION SetFileReadWrite(tcFile)
************************************************************

** Function Name: SetFileReadWrite
** Purpose      : Sets file's attribute to Read-Write
** Parameters   : Full path to the file or directory as string.
** Return       : Success as Boolean.
** Note         : API Function declaration (case-sensitive toward API function's name):
**                    DECLARE INTEGER SetFileAttributes IN win32api ;
**                       STRING lpFileName, ;
**                       INTEGER dwFileAttributes
************************************************************

LOCAL llRet
* dwFileAttributes is a 32-bit DWORD and the result a 32-bit BOOL
DECLARE INTEGER SetFileAttributes IN win32api ;
   STRING lpFileName, INTEGER dwFileAttributes
tcFile = ALLTRIM(tcFile)
IF FILE(tcFile) .OR. DIRECTORY(tcFile)
   * 0 = no attribute bits set, which clears Read-Only (and every other bit).
   * The API returns non-zero on success.
   IF SetFileAttributes(tcFile, 0) # 0
      llRet = .T.
   ELSE
      llRet = .F.
   ENDIF
ELSE
   llRet = .F.
ENDIF
RETURN llRet
ENDFUNC
************************************************************

Therefore, if you need to, say, create a table
and fill it with some data, here's what you can do:


Code:
****************************************************************
FUNCTION TransferData2NetworkDrive(tcDBF1, tcDBF2, tcCondition)
****************************************************************
&& Imagine that tcDBF1 = "C:\My Data\Table1.DBF",
&& and tcDBF2 = "Y:\Data For Users\Table2.DBF",
&& and tcCondition is "Field1 = [Condition]"
LOCAL llReadOnly

llReadOnly = .F. && Initially
&& Value 1 in the attribute mask is the Read-Only flag of the target folder
IF BITAND(GetFileAttribInfo(ADDBS(JUSTPATH(tcDBF2))), 1) > 0
   llReadOnly = .T.
   IF !SetFileReadWrite(ADDBS(JUSTPATH(tcDBF2)))
      = MESSAGEBOX([Can't reset folder ] + JUSTPATH(tcDBF2) + ;
                   [ to Read-Write!], ;
                   16, "User Rights Issue")
      RETURN .F.
   ENDIF && !SetFileReadWrite(ADDBS(JUSTPATH(tcDBF2)))
ENDIF && BITAND(GetFileAttribInfo(ADDBS(JUSTPATH(tcDBF2))), 1) > 0

&& COPY STRUCTURE works on the current work area, so select the source first
USE (tcDBF1) ALIAS DBF1 IN 0 SHARED
SELECT DBF1
COPY STRUCTURE TO (tcDBF2) WITH CDX
USE IN DBF1 && APPEND FROM below reads the source file from disk
IF !(FILE(tcDBF2) .AND. FILE(FORCEEXT(tcDBF2, "CDX")))
   = MESSAGEBOX([Can't create file ] + tcDBF2 + ;
                [ due to insufficient user rights or system malfunction!], ;
                16, "User Rights Issue")
   RETURN .F.
ENDIF && !(FILE(tcDBF2) .AND. FILE(FORCEEXT(tcDBF2, "CDX")))

IF BITAND(GetFileAttribInfo(tcDBF2), 1) > 0
   IF !SetFileReadWrite(tcDBF2) .OR. !SetFileReadWrite(FORCEEXT(tcDBF2, "CDX"))
      = MESSAGEBOX([Can't reset ] + tcDBF2 + [ file to Read-Write ] + ;
                   [due to insufficient user rights or system malfunction!], ;
                   16, "User Rights Issue")
      RETURN .F.
   ENDIF && !SetFileReadWrite(tcDBF2) .OR. !SetFileReadWrite(FORCEEXT(tcDBF2, "CDX"))
ENDIF && BITAND(GetFileAttribInfo(tcDBF2), 1) > 0

USE (tcDBF2) ALIAS DBF2 IN 0 EXCLUSIVE
SELECT DBF2
&& APPEND FROM takes a file name, not an alias; the condition string
&& is macro-expanded into a logical expression
APPEND FROM (tcDBF1) FOR &tcCondition
FLUSH
IF _TALLY = 0
   USE IN DBF2
   = MESSAGEBOX([Can't update ] + tcDBF2 + [ table file ] + ;
                [due to insufficient user rights or system malfunction!], ;
                16, "User Rights Issue")
   RETURN .F.
ENDIF
DO WHILE USED("DBF2")
   USE IN DBF2
ENDDO
IF llReadOnly
   = SetFileReadOnly(tcDBF2)
   = SetFileReadOnly(ADDBS(JUSTPATH(tcDBF2)))
ENDIF

RETURN .T.
ENDFUNC

I hope this would help you to get around the user rights
restriction issue.


Regards,

Ilya
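
The functions in the post above write a whole attribute mask (1 or 0), and the caller feeds the wrapper's result to BITAND() even when the wrapper returned -1. The following is an added example, not part of the original post: a single function (the name SetReadOnlyBit is hypothetical) that changes only the Read-Only bit, leaves Hidden/System/Archive as they were, and treats a failed lookup as an error.

```foxpro
* Added example, not code from the original post.
* SetReadOnlyBit() is a hypothetical name; the API calls are kernel32's
* GetFileAttributes() and SetFileAttributes().
* INVALID_FILE_ATTRIBUTES is 0xFFFFFFFF, read as a signed INTEGER.
#DEFINE FILE_ATTRIBUTE_READONLY  0x00000001
#DEFINE FILE_ATTRIBUTE_NORMAL    0x00000080
#DEFINE INVALID_FILE_ATTRIBUTES  -1

FUNCTION SetReadOnlyBit(tcPath, tlReadOnly)
LOCAL lcPath, lnOld, lnNew

DECLARE INTEGER GetFileAttributes IN kernel32 STRING lpFileName
DECLARE INTEGER SetFileAttributes IN kernel32 ;
   STRING lpFileName, INTEGER dwFileAttributes

IF TYPE("tcPath") # "C" .OR. EMPTY(tcPath)
   RETURN .F.
ENDIF
lcPath = ALLTRIM(tcPath)

* A failed lookup must not reach BITAND(): BITAND(-1, 1) is 1, which
* would make a missing path look like a Read-Only one.
lnOld = GetFileAttributes(lcPath)
IF lnOld = INVALID_FILE_ATTRIBUTES
   RETURN .F.
ENDIF

* Flip the Read-Only bit only; every other attribute bit is preserved.
IF tlReadOnly
   lnNew = BITOR(lnOld, FILE_ATTRIBUTE_READONLY)
ELSE
   lnNew = BITAND(lnOld, BITNOT(FILE_ATTRIBUTE_READONLY))
ENDIF
IF lnNew = 0
   lnNew = FILE_ATTRIBUTE_NORMAL   && "no attributes" is written as NORMAL
ENDIF

IF lnNew # lnOld .AND. SetFileAttributes(lcPath, lnNew) = 0
   RETURN .F.   && the file system refused the change
ENDIF

* Confirm the result from the file system instead of trusting the call.
lnNew = GetFileAttributes(lcPath)
RETURN lnNew # INVALID_FILE_ATTRIBUTES .AND. ;
   BITAND(lnNew, FILE_ATTRIBUTE_READONLY) = IIF(tlReadOnly, 1, 0)
ENDFUNC
```

Call it with .F. before an update and with .T. afterwards, in place of SetFileReadWrite() and SetFileReadOnly(). The attribute is a flag that any account allowed to write attributes can flip, so it complements, and does not replace, the share and NTFS permissions discussed later in the thread.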
 
I was just wondering if I understand your post correctly and if it may apply to my issue. We run a VFP v5 app under Win2000 and some Windows NT servers. Some of our units are a mix of Win 95/98/XP. All users log on to the network with Read, write, delete, modify access to a shared folder. The problem I have is that if I don't remove Windows functionality like Run or Explorer, the user can get in and delete files and folders.

Your post suggests that I can give user read-only access to shared folder containing data and upon entering VFP app their rights can be changed to Read, write, modify for the time they are in the app?

Any help will be well appreciated.
 
johndan (TechnicalUser): Your post suggests that I can give user read-only access to shared folder containing data and upon entering VFP app their rights can be changed to Read, write, modify for the time they are in the app?

Not exactly. Not the User Rights, but only the status of the files which the program has to modify for this group of users. It does not mean that the program "upgrades" the User into Power User or Admin, not at all. It just changes the access mode for the user for the particular files that are to be modified by the program, i.e. data entry, or data updating, or new data appending to the existing tables (like in my case), etc.

I hope this explains it.

Regards,

Ilya
 
IRABYY

Ilya

I've seen this code somewhere (or something just like it). May I ask, did you write this?
Mike Gagnon

If you want to get the best response to a question, please check out FAQ184-2483 first
 
Ilya

I've seen this code somewhere (or something just like it). May I ask, did you write this?
Mike Gagnon


Yes, I did. You may try to find also "User Rights Issue" (in which you, I believe, also participated) and "User Rights Issue Part III". Note that this thread is titled "User Rights Issue Part II". You have probably seen it already back then, in Sept. 2002, when I started this thread.

BTW, I just tried to find other parts of this triplet using Keyword Search - and could not! I ran search by "handle" and found only the first and this, second thread, the third one disappeared.

Regards,

Ilya
 
Ilya, thanks and I do understand....can you provide any insight to my situation. It is such a security flaw giving users so much access. Is this normal of VFP and its needs?

 
Ilya

BTW, I just tried to find other parts of this triplet using Keyword Search - and could not! I ran search by "handle" and found only the first and this, second thread, the third one disappeared.

thread184-377885 (Part I), thread184-378441 (Part II), thread184-377349 (Part III).
You just need to click on your name and check where it says "I started x threads".

Mike Gagnon

 
johndan (TechnicalUser) Nov 12, 2002
Ilya, thanks and I do understand....can you provide any insight to my situation. It is such a security flaw giving users so much access. Is this normal of VFP and its needs?

As a matter of fact, it is not a security flaw but just another MS nuisance! It's one thing to prevent illiterate user from deleting, say, Kernel32 - and I'm all for it. But giving a data entry clerk a program that cannot work because of the User Rights restrictions is something else, don't you agree?

Regards,

Ilya
 
mgagnon (Programmer): You just need to click on your name and check where it says "I started x threads".

Thanks for the tip, bro!

Regards,

Ilya


 
johndan

can you provide any insight to my situation. It is such a security flaw giving users so much access. Is this normal of VFP and its needs?

Have you considered moving the data to a single directory on your server (I assume there is a server involved), put a password access to it, and have VFP map the drive, which theoretically would bring up the password log in form? If it's a server, is it Novell or NT?
Mike Gagnon

 
mgagnon (Programmer): Have you considered moving the data to a single directory on your server (I assume there is a server involved), put a password access to it, and have VFP map the drive, which theoretically would bring up the password log in form?

That means creating separate, specific group of users with the specific set of rights for this directory - is it what you mean, Mike?

It's a solution viable enough for the corporate programmer. Even some of our customers' MIS (not all of them, unfortunately) did exactly that and it worked.

Regards,

Ilya
 
Ilya

That means creating separate, specific group of users with the specific set of rights for this directory - is it what you mean, Mike?

Correct, I'm thinking (just thinking for now), say they use Microsoft Networking to access the server, we know how to programmatically bring up the Map Network drive window (probably can figure out how to input the values in the appropriate boxes and even move the window off screen), we also know how to click "ok" programmatically, and with an encrypted password, map to the drive on start-up and un-map on shut down.
Mike Gagnon

 
mgagnon (Programmer): say they use Microsoft Networking to access the server, we know how to programmatically bring up the Map Network drive window (probably can figure out how to input the values in the appropriate boxes and even move the window off screen), we also know how to click "ok" programmatically, and with an encrypted password, map to the drive on start-up and un-map on shut down.

No disrespect, but - too much of a hassle!

Well, if you are a corporate IT programmer - yours is most likely the way because you know what you are dealing with (i.e. MS Networking or Novell, and all the things accordingly).

But if you produce S/W for selling "off the shelf" so to speak - do you know in what environment your program is going to work? No, you don't! To accommodate it to any config imaginable is virtually impossible, even if the WS is invariably MS Windows (and then - of what flavor, which release, SP, etc.)

Create different versions for MS and Novell net? And, then, for UNIX, Linux, Mac, etc.? Then you will do nothing but maintenance for the rest of your life (within your current company, at least), and you will never ever be able to develop something new and interesting...

Therefore, IMHO, it's better to bypass all the Admin's "fences and trapdoors" [smile] by using OS resources (system functions), and create generic S/W, which's exactly what I've done. Thus, you give your customers the tool that does the job and, at the same time, requires minimum maintenance from your part (and less struggling with Sys. Admins [smile]). That's my philosophy.

Regards,

Ilya
 
Ilya

No disrespect, but - too much of a hassle!

Well, if you are a corporate IT programmer - yours is most likely the way because you know what you are dealing with (i.e. MS Networking or Novell, and all the things accordingly).


Corporate IT Programmer? Close, but yes I do not program for products that will end up on the store shelf. I usually accept contracts for specific environments where I know that the solutions will "fit" the environment, otherwise my day job is Director of IT/Programmer.
But as for "generic" solutions, you are probably right, nothing would be generic enough to apply to all situations.
Mike Gagnon

 
mgagnon (Programmer): Corporate IT Programmer? Close, but yes I do not program for products that will end up on the store shelf.

Neither do I, but I do the thing next to this: I am to give our salespeople the data retrieving and data merging programs they can sell - nationwide - to any customer as long as customer's WS's are running any version of Windows from Win95B to WinXP in environment from Thin Client to full-blown PC, for users from WS User to Network Administrator levels. And I never know in what environment and on what user access level my program will end up! And, even though I've become pretty good at customer support over the years, I still hate doing maintenance instead of development.

If you don't mind me asking - are you a Canadian?

Regards,

Ilya

Oh, to return the favor: my title is Lead P/A @ Corp. R&D dept.

 
Ilya

If you don't mind me asking - are you a Canadian?

yes.
Mike Gagnon

 
Mike,

It was a pleasure to have this discussion with you!
Looking forward to meeting you in other threads!

To johndan (TechnicalUser), in reference to the user access issue:

Don't you worry, smart programmer (as, I hope, I am, he-he! [smile] ) would "lock down" the file on the exit or after being done with updating.

There's another little function of mine in the beginning of this thread for turning the files Read-Only (yes, I also need to protect some vital tables/files from unauthorized access).

Your job as a programmer is just to implement these three functions in proper place and time in the proper succession.

Thanks to everybody who participated in this thread!

Regards,

Ilya

 