Hello,
maybe somebody have an idea to solve this.
Goal is to make sure, that a user only can access there own created content.
An explaining example:
You offering an online diary service. The Content Type "diary" are articles and created by the user themselves. Important ist to make sure, that the registered user only can access their own diary enteries. Lets calculate about 500 users. In this case you cannot set up access levels manually.
Has anybody an idea?
Best Chris
This one of nice examples of bad joomla ACL for view permissions (so called viewlevels). But we can work around it in Seblod - first put Article created by field to the hidden position of your search form and set live value to User and id property. This will filter out any articles that don't bellong to current user. Second this you can do if you allow users to edit their own content (give them edit.own permission), then you can put edit.own permission restriction on all fields from your content type using this plugins
http://www.seblod.com/store/extensions/10872
This would make sure that even that another user would manually access some content e.g. by guessing its id, he would not be able to see anything.
Hello Klas,
thanks for your fast, good and detailed answer! Coming back after testing, than I share the experience with your solution.
Best Chris
Hello Klas,
thanks for providing me this solution. I just tested ist an got an security issue.
Test on CONTENT TYPE
The Plugin (Joomla! ACL Pack) works well here. Setting on "Content View" the restriction: Permission "Edit Own". In this case the content will not be delivered by other users.
Test on LIST AND SEARCH
To put up a Live Value on field "article created by" like you said, works well and filter out other results. But this Live Value could be bypass to setup manually by a Get Parameter like this "?art_created_by=304". Therefore i put up the restriction (Joomla! ACL Pack) on the fields of the List and Search type as well. This worked as well on the "seb_table" template. But when i tried to put this up on the "seb_one" template (section item), the restriction doesn't do the job.
Have you got an idea to fix this?
Best Chris
It should work the same on all templates, do you use any overrides?
I m using a position overwrite (mainbody), but i have the same problem, when after deactivation.
I just tried using restriction (plugin version 1.2.) edit.own on article title field in my articles search type.>item view with seb_one and it works as expected - only fields that don't have this restriction are shown. You can't use this restriction on search fields as there is no author info on the search field.
In case you are getting different results it is most likely related to template overrides.
Hello Klas,
thanks for your quick testing.
I confirm the plugin works as well on the List and Search of seb_one. (Got something in the cache, therefore i got an output)
When a position overwrite is done, the plugin doesn't work anymore, in the case of using calling $cck->getValue('field_name');
There is an workout to take care of this:
- You only can use the form output of the template an make there the HTML Markup by Div fields or with the Typo Plugin
- If you still like to use a position overwrite the restriction plugin work by calling the field value with $cck->renderField('field_name'); . To get rid of the div and label. Put in the label field "clear" and set Markup to "none". Than you getting the blank value of the field and have the user restriction as well.
@Klas - thanks for your help
Best Chris
