Preventing edit view of another user's record (core.edit.own)?


Mike Pearl

Oct 8, 2016, 3:38:45 PM
to Joomla! General Development
I'm writing a Joomla 3.6 component in which:
  • all members can create records, 
  • members can edit only their OWN records, and 
  • anyone can view all published records.
The issue I'm having is that members can VIEW other members' records in the edit view simply by changing the id= parameter in the URL. I've figured out how to prevent them from SAVING another user's record... but I don't even want them to be able to view the record in the form. What do I need to do to the edit view to prevent members from displaying records they don't own in that view?

Thanks!

Viper

Oct 8, 2016, 4:29:48 PM
to Joomla! General Development
You should do it in the controller, not in the view. In the controller method, check the JFactory::getUser()->authorise('core.edit.own.' . $id) value and if it returns false, redirect the user to the list view.

Mike Pearl

Oct 8, 2016, 6:30:44 PM
to Joomla! General Development
Which controller method?

Nick Weavers

Oct 9, 2016, 8:11:53 AM
to Joomla! General Development
I'm not sure how others do it, but I would have a controller with methods like showList, showForm, validateForm, saveForm.

I'm also guessing that you get to showForm from a link in the list displayed by showList, which has the URL to get to showForm with all the necessary query params.

If so, you can test in showForm...

        $user      = JFactory::getUser();
        $jinput    = JFactory::getApplication()->input;
        $id_user   = (int) $user->get('id');
        $record_id = $jinput->getInt('id', 0);

        // The id in the URL is the record id, not the owner id, so read the
        // owner from the stored record instead of trusting the request
        $model           = $this->getModel();
        $item            = $model->getItem($record_id);
        $record_owner_id = $item ? (int) $item->created_by : 0;

        if ($id_user === 0 || $record_owner_id !== $id_user) {
            // create view object for read only display (guests and non-owners)
            $view = $this->getView($this->view_item, 'html', '', array('layout' => 'default'));
        } else {
            // create view object to show edit form
            $view = $this->getView($this->view_item, 'html', '', array('layout' => 'edit'));
        }
        $view->setModel($model, true);
        $view->display();
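Both replies above (Viper's "check authorise() in the controller and redirect" and Nick's ownership test in showForm) can be done with the hooks Joomla 3's own form controllers already provide, so that neither the edit task nor a hand-typed `layout=edit&id=N` URL reaches the form. The following is an added example written for this thread, not code from Joomla or from either poster. It assumes a hypothetical `com_widgets` component whose item view is `widget`, whose table has a `created_by` column, and whose access.xml defines `core.edit` and `core.edit.own`; all of those names are assumptions.

```php
<?php
// Added example, not code from this thread or from Joomla itself. It assumes a
// hypothetical component "com_widgets" whose item view is "widget", whose table
// row has a created_by column, and whose ACL rules define core.edit and
// core.edit.own.
defined('_JEXEC') or die;

/**
 * Item (form) controller, normally components/com_widgets/controllers/widget.php.
 *
 * JControllerForm::edit() calls allowEdit() before it registers the id in the
 * session and redirects to the edit layout; when allowEdit() returns false it
 * redirects back to the list view with an error instead. Putting the ownership
 * test here means the form is never rendered for a record the user does not
 * own, and save()/apply() reuse the same test through the default allowSave().
 */
class WidgetsControllerWidget extends JControllerForm
{
    protected function allowEdit($data = array(), $key = 'id')
    {
        $recordId = isset($data[$key]) ? (int) $data[$key] : 0;
        $user     = JFactory::getUser();

        // Asset name: component-wide, or per record when an id is present
        $asset = 'com_widgets' . ($recordId ? '.widget.' . $recordId : '');

        // authorise() takes the action and the asset as separate arguments
        if ($user->authorise('core.edit', $asset))
        {
            return true;
        }

        if (!$user->authorise('core.edit.own', $asset))
        {
            return false;
        }

        // core.edit.own only means something together with the stored owner:
        // the request's id says which row to look at, never who owns it
        $item    = $this->getModel()->getItem($recordId);
        $ownerId = $item ? (int) $item->created_by : 0;

        return $ownerId !== 0 && $ownerId === (int) $user->get('id');
    }
}

/**
 * Component display controller, normally components/com_widgets/controller.php.
 *
 * Without this, a user can skip the edit task altogether and request
 * index.php?option=com_widgets&view=widget&layout=edit&id=N directly.
 * checkEditId() only succeeds for ids that edit() registered via holdEditId(),
 * which happens after allowEdit() passed; the context string is the one
 * JControllerForm builds ("<option>.edit.<context>", context = view_item).
 */
class WidgetsController extends JControllerLegacy
{
    public function display($cachable = false, $urlparams = false)
    {
        $view   = $this->input->get('view', 'widgets');
        $layout = $this->input->get('layout', 'default');
        $id     = $this->input->getInt('id');

        if ($view == 'widget' && $layout == 'edit' && !$this->checkEditId('com_widgets.edit.widget', $id))
        {
            // Arrived at the edit layout without passing allowEdit(): bounce to the list
            $this->setError(JText::sprintf('JLIB_APPLICATION_ERROR_UNHELD_ID', $id));
            $this->setMessage($this->getError(), 'error');
            $this->setRedirect(JRoute::_('index.php?option=com_widgets&view=widgets', false));

            return false;
        }

        return parent::display($cachable, $urlparams);
    }
}
```

The two pieces work together: the edit task (`task=widget.edit&id=N`) is gated by `allowEdit()`, and the only way an id gets into the session's held-id list is by passing that gate, so the display controller can refuse any `layout=edit` request for an id that was not held. Because the default `allowSave()` calls `allowEdit()` for an existing id, the POST side is covered by the same function, which also closes the "save another user's record" case the original question mentions.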

Viper

Oct 9, 2016, 1:13:38 PM
to Joomla! General Development
Whichever one you use. Or from the task variable.

Viper

Oct 9, 2016, 1:16:42 PM
to Joomla! General Development
Form validation can be set on save/apply. It's not necessary to use an additional method.

And in your example the URL is still the same for two different actions. This is bad practice. You should use setRedirect() to redirect the user to the right URL.

Viper

unread,
Oct 9, 2016, 1:20:45 PM10/9/16
to Joomla! General Development
Reply all
Reply to author
Forward
0 new messages