All record operation are made by the php data access class "data_accessclass".

The configuration for the table is saved in the JSON datadefinition.

As database My SQL is used.

The advantages are:<\p>

  • control of the data access
  • access class for all tables with individual configuration and includes
  • access control to different users and roles
  • supports objects, thanks to child configuration
  • validation thanks to the table declaration (datadefinition)


For support of the data access class the table structure has to follow this rules:

  • primary key, autoincrement
  • creatorID, if right check is needed
  • datetimecreated, type datetime (optional)
  • clientID (optional, needed for domain_rightmode=1)
  • rightgroupID (optional, needed for domain_rightmode=2)
The basic tables
k8loginThe user table with login parameters and roles for the data access
k8loginfriendssub table of k8login to add friends or follower
k8referenceshere are all uploads stored
k8languagesthis is the place for translations in the database. The frontend translations are made in JavaScript.

The users are saved in k8login.

Data access can be granted for friends or followers in k8loginfriends.

Images for all tables are joined in k8references.

Basic pages and datadefinitions

The basic datadefinitions
registerk8loginregisterbackend datadefinition: k8login
mydatak8loginmain definition for the form
k8loginfriendsfor the friends table (lineedit)
k8loginsearchfor the search of users, only userID and username
user_listk8loginuser list for the admin
not yet availablek8referencesimages and attachments are stored here
not yet availablek8languagestranslation for the backend

If you like to change this datadefinitions, copy it please in your project folder. The datadefintions in the project folder are read first and have priority.

JSON datadefinition

This is the important configuration for the backend:

Main parameters

The main parameters are "table" and "primary key column". For the data access the class "data_accessclass" is used. This class is stored in the file "class_data_accessclass.php". This can be replaced by your own class. The rightcheck can be activiated. The details for it are placed in masterdata.


Only the columns with the property "FIELD" can be inserted or updated. The data type is important for the header filter and the validation.

SQL Statement (sql_statement, sql_derived)

With a view more tables can be joined and columns can be added for the "read" method. The columns added by the view can not be inserted or updated. In the "sql_derived" the statement is nested. It's a bit slower, but easier to handle because you have all columns in the WHERE Statement.


Each user can have several roles. Each role can have a method for the granted rights.


If the upload is enabled, an array "imagearray" is added the recordset.


Thanks to the include individual functionality can be added.

backend / foreignkeys

Before the record will be deleted, foreign key can be checked. If the record is referenced by other tables, the deletion will be canceled and a message (text) is returned.


All records of the child table are added with the "fieldname" to the main record. The childs can be nested and all parameters can used like for the main table.


"parentcolumn" activates the reading of a tree structure. The "parentcolumn" contains the ID of the parent record. All records with the parentID are added in the array "treearrayname".


All records with the "parentID" are added to the array of this example: "_children".


fieldnamecolumn name
mytypeType without brackets
sizevalue between Type brackets
mydefaultset only to overwrite the column default
noupdatetrue / false (not valid for admin)
noinserttrue / false (not valid for admin)
requiredtrue / false
Fieldcolumn name in the table, empty -> not inserted or updated
KeyExample: PRI
Typetype of the column: varchar(50)

The columns array is the basic structure to build the SQL-Statements. For a 'SELECT' the column definition is used to build up the WHERE part. In this case only 'fieldname' and 'type' is needed. Without definition the column is handled like 'varchar'.

filter types:

  • VARCHAR: all char types
  • DATE
  • TIME

In an 'Update' or 'Insert' statement only the columns with the 'Field' parameter are written.

The 'creatorID' is always filled with the logged in userID ($_SESSION['userID']).

SQL statement

sql_derived example:

Please write the sql_statement or sql_derived in the datadefinition in one line (JSON compliant)!
The "sql_derived" property is important by using the view with tabulator, otherwise the property "sql_statement" should be used because it's a little bit faster.

The placeholder are:

  • §select: additional fields are inserted:
    • rightuser_update
    • rightuser_delete
  • '' as k8select: same §select
  • §dateformat: the SQL date string is inserted
  • WHERE 1=1: Where condition, here the "WHERE ".$clause is inserted
  • §userID: $_SESSION['userID']
  • §domain_language: $GLOBALS['domain_language']

Alternatively the include "getEntries_sql" can be used to write the statement direct in php.

Data access rights

RBAC (Role Based Access Control) assigns the user to 1 or more roles. Roles restrict or authorize the access to tables and records. This rights can only be granted by using the login with php sessions. The RBAC is implemented in the PHP data access class. The access check is activated for an object in the datadefinition by setting "rightcheck=1". In the data table the column "creatorID" is added. Comparing the creatorID with the logged in user gives the result: own record or foreign record.

By opening the website the user is assigned to the role "0:public". His userID is also 0. By login the role is replaced by the default roles of the login table: k8login.roles="3,5". The userID is set. For each object or table, for each CRUD operation (create, read, update, delete) and role an access check is implemented.

This is the data access definition in the datadefinition (masterdata.rights):

  • CRUD Operation
    • Role-ID
      • Method for access check

Thanks to the roles and data access methods, you can easyly grant the rights of your CRUD operations.

RBAC with K8 Web Kit



  • roleID:
    • name

Users and role membership

table k8login:

  • userID
  • roles (roleID-1, roleID-2)
    comma separated roleIDs

Datadefinition / table

  • CRUD Operation
    • Role-ID
      • Method for access check


  • 0: not granted
  • 1: table.clientID=SESSION[clientID]
  • 2: granted
  • ...
  • 10: table.creatorID=SESSION[userID]


The roles are defined in:

  • masterdata/_init.php

Users and role membership

The initial roles are the default value in the columns array of the datadefinition "k8login". It can be changed in the user list by super user or admin.

Datadefinition / table

In the datadefinition the rights are written in:

  • masterdata
    • rights


The methods are checked before or by executing the sql statement.

CRUD Operation by PHP data access class
OperationSQL commanddata access function

By each CRUD operation the data access is checked in the correspondent data access function.

0publicuser not logged in
1adminall rights in a client
2superuserall rights in the database
3memberlogged in user
5friendsassigned in table: k8loginfriends
30rightgroupsassigned in tables: k8rightgroups, k8rightmembers
xotherscreate by yourself

masterdata/_init.php, domain_roles:

The available roles are defined in the "_init.php".

Roles by login:

Each user can get assigned to 1 or several roles. The default roles can be set in masterdata/k8login/k8login.json, property: columns / roles / mydefault in a comma separated string like "3,5".

Admin / user list:

Superuser or admin can change the user roles in the user_list.

Methods for the access check
NumberCheck method
0no rights
1access permission in this client: table.clientID=$_SESSION[clientID]
2permission granted
3user logged in: $_SESSION[userID]<>0
11check friend k8loginfriends.friendID=$_SESSION[userID]
13checks membership in right groups
14checks the rights of the active right group (rightgroupID) of the user:
create: k8rightmembers.rightgroupID=$_SESSION[rightgroupID] and k8rightmembers.userID=$_SESSION[userID] and status>1
read: $table.rightgroupID=$_SESSION[rightgroupID] and k8rightmember.userID=$_SESSION[userID] and status>0
update: $table.rightgroupID=$_SESSION[rightgroupID] and k8rightmember.userID=$userID and ((k8rightmembers.status=2 and $table.creatorId=$userID) or k8rightmembers.status=3))
delete: same update
1000check parent table access rights
...programm your own check

By each CRUD operation the access rights are checked. If the operation by Create, Update or Delete is not granted, an error is returned. Reading a table can return an empty recordset, because of the missing rights.

By Read the results of the access check for Update and Delete are returned in advance like this:

  • in the datadefinitition:
    • masterdata.rightuser_create: true
  • by reading the recordset:
    • rightuser_update: true
    • rightuser_delete: true
Using SQL Exists() as access method

To check the user right by foreign tables the table can be joined or checked by "EXISTS()":

Default Rights

This are the default rights in the data access class (masterdata.defaultrights=true (default)).

access matrix, cell number=Access check
Operation0: public1: admin2: superuser3: member

Rights from the datadefinition overwrite it. To allow the roles: public and member to read all records in the object, add in the datadefinition:

Access rights by master table

The access right of the table depend on another master table. In this case the master table needs to be checked for the access rights. This is declared in the datadefinition:

Link to master

The masterdatadefID declares the master datadefinition. The first right check is made by this datadefinition. The masterkey defines the colun of this table, which correspond to the master key column of the master datadefinition.

Access right: read

  1. first the acces rights of the master is checked
  2. The right of the master is heritated to the child by the method: 1000

Access rights: create, update, delete

  1. first the right "Update" of the master is checked
  2. The right of the master is heritated to the child by the method: 1000

In this example the the access for role 2 is granted to all CRUD methods. The role 3 herites the access from the master.

Using clients


Allow multiple clients to use your Web App. Each table has a clientID to differentiate the data from each other. Each Client has an own admin to govern his data and user. The user registers for 1 client. For each client he needs a different email.



The domain_rightmode==1 enables:

  • register: selection of the client
  • menu Admin: display "Clients"

Social groups (right groups)


Social groups are part of many social platforms like facebook and others. Properties of a social group are:

  • Title
  • Description
  • Owner
  • Members
    • Admins
    • Observers
    • Members

The example role for social groups is 30. The method to check the rights in the groups is 14. Additionally the user has to choose 1 of his groups in my Data, in which he will be active now.

The group in the example "K8 Web Kit" was not created for easy posts but for bug reporting. If this group is active, the menu entry is available.

This is an easy example for an RBAC system. To complete it, the following functions need to be added:

  • users
    • group search with admission request
    • list with group membership or pending admission request
  • group admins
    • list of admission request with dialog to admit or deny



The domain_rightmode==2 enables:

  • my data: selection of the right group
  • menu Admin: display "Right groups"

Own data access methods

CRUD Operation and data access methods
OperationFunctionReturn values
CreatebRecordAccess()true / false
ReadbRecordReadPermission() $out[]:
  • "clause": sql clause
bRecordUDPermission() $out[]:
  • "select": sql condition
  • rightuser_update
  • or rightuser_delete
UpdatebRecordAccess()true / false
DeletebRecordAccess()true / false


This function creates a clause which which determines which records are read.


This function is called 2 times and creates the columns for the data access "update" and "delete":

  • rightuser_update: 0/1
  • rightuser_delete: 0/1

In masterdata/_init.php the variable $GLOBALS['domain_includes'] allows to include own PHP files to write your own methods:

  • [RBAC_Read]:bRecordReadPermission()
  • [RBAC_RUD]: bRecordUDPermission()
  • [RBAC_CUD]: bRecordAccess()


childs definition of the invoice eaxample:

By declaring a childs array or nested childs arrays, an object with several arrays can be read and written to the database. The definition of a child is same to the master. If no columns array is added for the child, it is generated on the fly out of the table structure. Please regard this properties:

  • fieldname: "items" in the invoice example for all records of the k8documentitems table
  • masterkey: the column corresponding to the key column of the parent table
  • richtcheck: 0, no rightcheck for the childs



All ajax requests are send to "ProcessData.php".

  • process_action
  • datadefID
  • additional parameter:
    • filters[]
    • clause
    • keyvalue
    • arr
    • prefix



It returns the datadefininition in the data property:



additional parameters:

  • filters[]
    • field
    • type
    • value
  • filter[] (deprecated)
  • clause
  • mytable_offset
  • mytable_limit: only set, if mytable_offset is also set

It return the the records:

If mytable_limit is not set the maximum returned records are limited by $gdatareadlimit(50).



additional parameters:

  • keyvalue=<keyvalue>

It returns the result "bok", the error or the record "dat".



additional parameters:

  • object with form fields
  • {"column1":"content 1","column2":"content 1"}

If the primary key=0 a new record is inserted, otherwise the record is updated. It returns an error or the saved record:



additional parameters:

  • keyvalue=<primarykey>

It returns "bok" with the the keyvalue or 0 by an error with the error message:

Data access with JavaScript

To control the data access is it important to use a datadefinition with the data access class:

  • user rights are checked
  • only fields in the table are handeled, others are ignored
  • field type and size and addintional field rules are checked
  • additional validation with the inclued file is easily added

In this example the JavaScript command fetch() is used. To make it similar to the ajax getJSON() the function postData(url,data) is created. In PHP the function file_get_contents('php://input') is added to get the data.

Example: table basket


table, er_basket:

  • currentID INT PRI
  • foreignID INT
  • quantity DOUBLE 19,6
  • creatorID INT


  • basket


To get the data access it is not necessary to load the datadefinition first. If you want to display an element: form, list, master data form or html output, it is important to load the datadefnition.


By ReadFilter you can add a filter array or a clause.


Additionally to the url you have to define the key with the parameter:

  • keyvalue: 14


This example have no key set, so the values will be inserted into the table.

If the key: "currentID":14 would be set, the corresponing record would be updated or an error displayed.


Additionally to the url you have to define the key with the parameter:

  • keyvalue: 14