Single user + Bypass permissions to view a page

I’ve looked over the docs for this, but can’t seem to find a way of doing it.

The current setup:
I have a dynamic page that contains dynamic data (view.php?id=[id]) that a user can submit. The data here is fetched from a database, and only shows data matching the query params.

In the said query is the user ID of the person who originally created the entry in the database.

The problem:
Right now, anyone can go to view.php?id=[id]. I would like to make it so the only people that can access an ID are the person that originally submitted the data, by matching their current ID to the one from the query, and anyone with a bypass permission (an admin group, which is already in use on other pages).

How would I go about doing this? I can use the Security Provider Enforcer to enforce groups, but not single users and a group by the looks of it.

Personally, I wouldn’t put the user ID in the URL. You can retrieve the ID in the actions using the security identity; that would solve the ID editing. Then have a second condition on the query with a way of getting admin perms, something like checking if a user’s role in the database is admin, etc.

The ID in the url is not the user ID, it’s the ID of a ticket.

As such, the only people that should be able to see the contents should be the person that made it, and admin users.

Ah, I misunderstood; I thought it was a user ID. In that case, retrieve the ticket ID, then in the action have the identity to get the user ID. In the database, have a created-by user ID column, then check the security identity against the created-by user column.

I might be misunderstanding what you are saying, but I’m not sure how that would work/resolve this issue.

The database contains multiple columns, but the two important ones in it are the user’s ID and the ticket ID.

I’m already getting the user ID via other queries that run on the page, but I don’t know how I would create a server action to redirect them to another page as soon as they load up the page if they do not match the user ID in the data already retrieved. This would also have to run before anything else to make sure nothing can be seen while it loads.

I’m sure there’s a simple way of doing it, like with the Security Provider Enforcer, but I can’t figure it out.

I’m not sure it’s possible with the enforcer. It might be, but if it’s not, then you should be able to, if the query fails in the action (returns null, etc.), use the redirect or browser to redirect the user, I believe. I’m still learning myself, so there may be better options.

Have a look at
https://docsdev.wappler.io/guides/getting-details-of-the-logged-in-user-and-binding-them-to-your-page

I already know about binding data and things, but is @Sorry_Duh’s way the best way of going about doing this?

Add a condition to the query that has something like TicketUserID = Identity. This will then only return the record if the ID of the person on the ticket matches the ID of the person logged in.

Have an assignments/tasks table with a couple of columns such as the ticket uid and the user uid, date, and status, etc. If an assignment doesn’t exist, use a ternary operator and browser redirect to dump the user to an error page or back to their default landing area/dashboard, etc.

So I ended up trying @sitestreets’ idea, which for the most part seems to be working in the sense that the data is not displayed if you are the incorrect user. However, the Redirect just doesn’t seem to work. Am I missing something here? Or does the condition not work in the sense that if it doesn’t match, rather than going to else it just stops?

I don’t think a node redirect action will work since you are calling it via xhr, not a direct page load.

I just set a redirect path using a set value with output, and then perform a browser goto on the success of your form.

Interesting… Thanks for that. I’ll give it a try sometime tonight using browser goto instead.

Do the browser redirect if the query result is empty. Then tidy the server actions so they just have the query itself.
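
The pattern the replies above converge on, sketched as an added example that is not part of the original thread and not Wappler's own code: the owner-or-admin check lives in the server-side lookup, and the page script does the redirect when the result is empty. The function names, the `/login` and `/dashboard` paths, and the in-memory data are assumptions made for illustration.

```javascript
// Added example: all names, paths and data below are hypothetical/constructed.
const tickets = [ // stands in for the tickets table
  { id: 1, createdBy: 10, body: "Printer is offline" },
  { id: 2, createdBy: 11, body: "VPN access request" },
];
const roles = new Map([[10, "user"], [11, "user"], [99, "admin"]]);

// Server action. sessionUserId comes from the server-side session (the
// security identity), never from the URL or request body.
// SQL equivalent of the lookup:
//   SELECT * FROM tickets
//   WHERE id = :ticketId AND (created_by = :identity OR :isAdmin)
function getTicket(sessionUserId, ticketIdParam) {
  if (sessionUserId == null) {
    return { status: 401, body: { ticket: null, redirect: "/login" } };
  }
  const ticketId = Number(ticketIdParam);
  const isAdmin = roles.get(sessionUserId) === "admin";
  const row = Number.isInteger(ticketId)
    ? tickets.find(t => t.id === ticketId && (isAdmin || t.createdBy === sessionUserId))
    : undefined;
  // "No such ticket" and "not your ticket" get the same answer, so the
  // response does not reveal which ticket IDs exist.
  if (!row) {
    return { status: 404, body: { ticket: null, redirect: "/dashboard" } };
  }
  return { status: 200, body: { ticket: row } };
}

// Page script. A redirect issued inside an XHR response does not navigate
// the page, so the client checks for an empty result and navigates itself.
function nextLocation(response, currentUrl) {
  return response.body.ticket ? currentUrl : response.body.redirect;
}

const res = getTicket(10, "2"); // user 10 asks for user 11's ticket
console.log(res.status, nextLocation(res, "/view.php?id=2"));
```

Because the ticket body is never sent to a non-owner, the client-side redirect is only a convenience; the data stays protected even if the page script is bypassed.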