Added tenant_filter functionality

README.md

@@ -477,12 +477,15 @@ By default a single database is exposed with all it's tables and columns in read
 a 'table_authorizer' and/or a 'column_authorizer' function that returns a boolean indicating whether or not the table or column is allowed
 for a specific CRUD action.
 
+## Record filter
+
+By defining a 'record_filter' function you can apply a forced filter, for instance to implement roles in a database system.
+The rule "you cannot view unpublished blog posts unless you have the editor or admin role" can be implemented with this filter.
+
 ## Multi-tenancy
 
-By defining a 'record_filter' function that returns an array of filters you can support a multi-tenant database.
-When you add a 'company_id' column to every table and let 'record_filter' function return ```array('company_id,eq,1')```
-you can limit access to records from company 1. The returned filter is added to list, read, update and delete commands.
-NB: You still have to make sure only allowed values are sent when creating new records.
+The 'tenant_function' allows you to expose an API for a multi-tenant database schema. In the simplest model all tables have a column
+named 'customer_id' and the 'tenant_function' is defined as ```return array('customer_id,eq,'.$_SESSION['customer_id']);````
 
 ## Sanitizing input
 

api.php

@@ -561,7 +561,7 @@ class REST_CRUD_API {
 		}
 	}
 
-	protected function applyRecordAuthorizer($callback,$action,$database,$tables,&$filters) {
+	protected function applyRecordFilter($callback,$action,$database,$tables,&$filters) {
 		if (is_callable($callback,true)) foreach ($tables as $i=>$table) {
 			$f = $this->convertFilters($callback($action,$database,$table));
 			if ($f) {
@@ -572,6 +572,19 @@ class REST_CRUD_API {
 		}
 	}
 
+	protected function applyTenancyFunction($callback,$action,$database,$fields,&$filters) {
+		if (is_callable($callback,true)) foreach ($fields as $table=>$keys) {
+			foreach ($keys as $field) {
+				$v = $callback($action,$database,$table,$field->name);
+				if ($v!==null) {
+					if (!isset($filters[$table])) $filters[$table] = array();
+					if (!isset($filters[$table]['and'])) $filters[$table]['and'] = array();
+					$filters[$table]['and'][] = array($field->name,is_array($v)?'IN':'=',$v);
+				}
+			}
+		}
+	}
+
 	protected function applyColumnAuthorizer($callback,$action,$database,&$fields) {
 		if (is_callable($callback,true)) foreach ($fields as $table=>$keys) {
 			foreach ($keys as $field) {
@@ -582,6 +595,24 @@ class REST_CRUD_API {
 		}
 	}
 
+	protected function applyInputTenancy($callback,$action,$database,$table,&$input,$keys) {
+		if (is_callable($callback,true)) foreach ((array)$input as $key=>$value) {
+			if (isset($keys[$key])) {
+				$v = $callback($action,$database,$table,$key);
+				if ($v!==null) {
+					if (is_array($v)) {
+						if (in_array($input->$key,$v)) {
+							$v = $input->$key;
+						} else {
+							$v = null;
+						}
+					}
+					$input->$key = $v;
+				}
+			}
+		}
+	}
+
 	protected function applyInputSanitizer($callback,$action,$database,$table,&$input,$keys) {
 		if (is_callable($callback,true)) foreach ((array)$input as $key=>$value) {
 			if (isset($keys[$key])) {
@@ -938,14 +969,16 @@ class REST_CRUD_API {
 
 		// permissions
 		if ($table_authorizer) $this->applyTableAuthorizer($table_authorizer,$action,$database,$tables);
-		if ($record_filter) $this->applyRecordAuthorizer($record_filter,$action,$database,$tables,$filters);
+		if ($record_filter) $this->applyRecordFilter($record_filter,$action,$database,$tables,$filters);
 		if ($column_authorizer) $this->applyColumnAuthorizer($column_authorizer,$action,$database,$fields);
+		if ($tenancy_function) $this->applyTenancyFunction($tenancy_function,$action,$database,$fields,$filters);
 
 		if ($post) {
 			// input
 			$context = $this->retrieveInput($post);
 			$input = $this->filterInputByColumns($context,$fields[$tables[0]]);
 
+			if ($tenancy_function) $this->applyInputTenancy($tenancy_function,$action,$database,$tables[0],$input,$fields[$tables[0]]);
 			if ($input_sanitizer) $this->applyInputSanitizer($input_sanitizer,$action,$database,$tables[0],$input,$fields[$tables[0]]);
 			if ($input_validator) $this->applyInputValidator($input_validator,$action,$database,$tables[0],$input,$fields[$tables[0]],$context);
 
@@ -976,6 +1009,7 @@ class REST_CRUD_API {
 				$params[] = $filter[0];
 				$params[] = $filter[1];
 				$params[] = $filter[2];
+				$first = false;
 			}
 		}
 	}
@@ -1172,6 +1206,7 @@ class REST_CRUD_API {
 		$table_authorizer = isset($table_authorizer)?$table_authorizer:null;
 		$record_filter = isset($record_filter)?$record_filter:null;
 		$column_authorizer = isset($column_authorizer)?$column_authorizer:null;
+		$tenancy_function = isset($tenancy_function)?$tenancy_function:null;
 		$input_sanitizer = isset($input_sanitizer)?$input_sanitizer:null;
 		$input_validator = isset($input_validator)?$input_validator:null;
 
@@ -1207,7 +1242,7 @@ class REST_CRUD_API {
 			$db = $this->connectDatabase($hostname,$username,$password,$database,$port,$socket,$charset);
 		}
 
-		$this->settings = compact('method', 'request', 'get', 'post', 'database', 'table_authorizer', 'record_filter', 'column_authorizer', 'input_sanitizer', 'input_validator', 'db');
+		$this->settings = compact('method', 'request', 'get', 'post', 'database', 'table_authorizer', 'record_filter', 'column_authorizer', 'tenancy_function', 'input_sanitizer', 'input_validator', 'db');
 	}
 
 	public static function php_crud_api_transform(&$tables) {

tests/tests.php

@@ -37,8 +37,9 @@ class API
 				'database'=>MySQL_CRUD_API_Config::$database,
 				// callbacks
 				'table_authorizer'=>function($action,$database,$table) { return true; },
-				'record_filter'=>function($action,$database,$table) { return ($table=='users'&&$action!='list')?array('id,eq,1'):false; },
 				'column_authorizer'=>function($action,$database,$table,$column) { return !($column=='password'&&$action=='list'); },
+				'record_filter'=>function($action,$database,$table) { return ($table=='posts')?array('id,ne,13'):false; },
+				'tenancy_function'=>function($action,$database,$table,$column) { return ($table=='users'&&$column=='id')?1:null; },
 				'input_sanitizer'=>function($action,$database,$table,$column,$type,$value) { return $value===null?null:strip_tags($value); },
 				'input_validator'=>function($action,$database,$table,$column,$type,$value,$context) { return ($column=='category_id' && !is_numeric($value))?'must be numeric':true; },
 				// for tests
@@ -305,14 +306,14 @@ class MySQL_CRUD_API_Test extends PHPUnit_Framework_TestCase
 		  $test->expect(4+$i);
 		}
 		$test->get('/posts?page=2,2&order=id');
-		$test->expect('{"posts":{"columns":["id","user_id","category_id","content"],"records":[["5","1","1","#1"],["6","1","1","#2"]],"results":12}}');
+		$test->expect('{"posts":{"columns":["id","user_id","category_id","content"],"records":[["5","1","1","#1"],["6","1","1","#2"]],"results":11}}');
 	}
 
 	public function testListWithPaginateLastPage()
 	{
 		$test = new API($this);
 		$test->get('/posts?page=3,5&order=id');
-		$test->expect('{"posts":{"columns":["id","user_id","category_id","content"],"records":[["13","1","1","#9"],["14","1","1","#10"]],"results":12}}');
+		$test->expect('{"posts":{"columns":["id","user_id","category_id","content"],"records":[["14","1","1","#10"]],"results":11}}');
 	}
 
 	public function testListExampleFromReadme()
@@ -438,7 +439,7 @@ class MySQL_CRUD_API_Test extends PHPUnit_Framework_TestCase
 	{
 		$test = new API($this);
 		$test->get('/users,posts,tags');
-		$test->expect('{"users":{"columns":["id","username"],"records":[["1","user1"],["2","user2"]]},"posts":{"relations":{"user_id":"users.id"},"columns":["id","user_id","category_id","content"],"records":[["1","1","1","blog started"],["2","1","2","\u20ac Hello world, \u039a\u03b1\u03bb\u03b7\u03bc\u1f73\u03c1\u03b1 \u03ba\u1f79\u03c3\u03bc\u03b5, \u30b3\u30f3\u30cb\u30c1\u30cf"],["5","1","1","#1"],["6","1","1","#2"],["7","1","1","#3"],["8","1","1","#4"],["9","1","1","#5"],["10","1","1","#6"],["11","1","1","#7"],["12","1","1","#8"],["13","1","1","#9"],["14","1","1","#10"]]},"post_tags":{"relations":{"post_id":"posts.id"},"columns":["id","post_id","tag_id"],"records":[["1","1","1"],["2","1","2"],["3","2","1"],["4","2","2"]]},"tags":{"relations":{"id":"post_tags.tag_id"},"columns":["id","name"],"records":[["1","funny"],["2","important"]]}}');
+		$test->expect('{"users":{"columns":["id","username"],"records":[["1","user1"]]},"posts":{"relations":{"user_id":"users.id"},"columns":["id","user_id","category_id","content"],"records":[["1","1","1","blog started"],["2","1","2","\u20ac Hello world, \u039a\u03b1\u03bb\u03b7\u03bc\u1f73\u03c1\u03b1 \u03ba\u1f79\u03c3\u03bc\u03b5, \u30b3\u30f3\u30cb\u30c1\u30cf"],["5","1","1","#1"],["6","1","1","#2"],["7","1","1","#3"],["8","1","1","#4"],["9","1","1","#5"],["10","1","1","#6"],["11","1","1","#7"],["12","1","1","#8"],["14","1","1","#10"]]},"post_tags":{"relations":{"post_id":"posts.id"},"columns":["id","post_id","tag_id"],"records":[["1","1","1"],["2","1","2"],["3","2","1"],["4","2","2"]]},"tags":{"relations":{"id":"post_tags.tag_id"},"columns":["id","name"],"records":[["1","funny"],["2","important"]]}}');
 	}
 
 	public function testEditUser()
@@ -448,6 +449,22 @@ class MySQL_CRUD_API_Test extends PHPUnit_Framework_TestCase
 		$test->expect('1');
 	}
 
+	public function testEditUserWithId()
+	{
+		$test = new API($this);
+		$test->put('/users/1','{"id":"2","password":"testtest2"}');
+		$test->expect('1');
+		$test->get('/users/1');
+		$test->expect('{"id":"1","username":"user1","password":"testtest2"}');
+	}
+
+	public function testReadOtherUser()
+	{
+		$test = new API($this);
+		$test->get('/users/2');
+		$test->expect(false,'Not found (object)');
+	}
+
 	public function testEditOtherUser()
 	{
 		$test = new API($this);