164 Posts
redback
8 years ago
Topic

Hello,

maybe somebody have an idea to solve this.

Goal is to make sure, that a user only can access there own created content.

An explaining example:

You offering an online diary service. The Content Type "diary" are articles and created by the user themselves. Important ist to make sure, that the registered user only can access their own diary enteries. Lets calculate about 500 users. In this case you cannot set up access levels manually.

Has anybody an idea?

Best Chris

 

Get a Book for SEBLOD
4229 Posts
Kadministrator
8 years ago
6
Level 1

This one of nice examples of bad joomla ACL for view permissions (so called viewlevels). But we can work around it in Seblod - first put Article created by field to the hidden position of your search form and set live value to User and id property. This will filter out any articles that don't bellong to current user. Second this you can do if you allow users to edit their own content (give them edit.own permission), then you can put edit.own permission restriction on all fields from your content type using this plugins

http://www.seblod.com/store/extensions/10872

This would make sure that even that another user would manually access some content e.g. by guessing its id, he would not be able to see anything.

164 Posts
redback
8 years ago
0
Level 2

Hello Klas,

thanks for your fast, good and detailed answer! Coming back after testing, than I share the experience with your solution.

Best Chris

164 Posts
redback
8 years ago
4
Level 2

Hello Klas,

thanks for providing me this solution. I just tested ist an got an security issue.

Test on CONTENT TYPE

The Plugin (Joomla! ACL Pack) works well here. Setting on "Content View" the restriction: Permission "Edit Own". In this case the content will not be delivered by other users.

Test on LIST AND SEARCH

To put up a Live Value on field "article created by" like you said, works well and filter out other results. But this Live Value could be bypass to setup manually by a Get Parameter like this "?art_created_by=304". Therefore i put up the restriction (Joomla! ACL Pack) on the fields of the List and Search type as well. This worked as well on the "seb_table" template. But when i tried to put this up on the "seb_one" template (section item), the restriction doesn't do the job.

Have you got an idea to fix this?

Best Chris

4229 Posts
Kadministrator
8 years ago
3
Level 3

It should work the same on all templates, do you use any overrides?

164 Posts
redback
8 years ago
2
Level 4

I m using a position overwrite (mainbody), but i have the same problem, when after deactivation.

4229 Posts
Kadministrator
8 years ago
1
Level 5

I just tried using restriction (plugin version 1.2.) edit.own on article title field in my articles search type.>item view with seb_one and it works as expected - only fields that don't have this restriction are shown. You can't use this restriction on search fields as there is no author info on the search field.

In case you are getting different results it is most likely related to template overrides.

164 Posts
redback
8 years ago
0
Level 6

Hello Klas,

thanks for your quick testing.

I confirm the plugin works as well on the List and Search of seb_one. (Got something in the cache, therefore i got an output)

When a position overwrite is done, the plugin doesn't work anymore, in the case of using calling $cck->getValue('field_name');

There is an workout to take care of this: 

  • You only can use the form output of the template an make there the HTML Markup by Div fields or with the Typo Plugin
  • If you still like to use a position overwrite the restriction plugin work by calling the field value with $cck->renderField('field_name'); . To get rid of the div and label. Put in the label field "clear" and set Markup to "none". Than you getting the blank value of the field and have the user restriction as well.

@Klas - thanks for your help

Best Chris

Get a VIP membership