How can I hide contributions made by anonymous users?

[Noel Slevin]

Hi there

I have an anonymous account ("guest") set up for people to upload images to ResourceSpace. The anonymous users should be able to upload their images and nothing more. I don't want them to see their contributions, to be able to view or download resources.

For the mostpart, this works. I've taken out links to "My Contributions", and they don't see the search form. However, when they have uploaded their images, they seem to be automatically redirected to their own contributions, at /pages/search.php?search=!contributions3&archive=-1#

This page seems to show all contributions made by the anonymous user which are still marked as "pending review". Once the resources have been marked as active, they no longer seem to appear.

How can I stop them from seeing this? We only want people who are logged in to be able to see resources. I have tried setting up a new group with restricted permissions, but I've not managed to prevent access to the user's own contributions pending review, whatever combination I try.

[Noel Slevin]

Please forgive my questions, as I'm getting a little confused, and having played around with settings for a couple of days, I'm starting to feel a little dizzy!

It looks to me like the user account that uploads a resource can always access that resource, and that there is no way to override that easily. Is that correct? I even tried using a search filter using something like Country=Nigeria, but contributed resources still showed.

Having created a new user group and an anonymous guest login, I've also discovered that uploading resources to that group doesn't send them to pending submission, but sets them to active, despite what I thought were restrictive permissions. What's the correct permission I need to set in order to ensure uploads go to review?

Finally, I was installing ResourceSpace on Windows and saw that the guide is very old and could be a lot better. What's the best way for me to suggest / contribute changes to it?

Many thanks

Noel

[Allison M Stec]

Setting "$show_user_contributed_resources=false;" in the config override section for the guest group should prevent the resources from displaying.

In testing, I also ran into the issue where uploading resources makes them active, even if the group permissions are set to make them pending submission. Eventually it resolved itself while i was testing - I think it might be something to do with the upload template. Can you try setting "$blank_edit_template=true;" for the guest group and see if that helps?

--
ResourceSpace: Open Source Digital Asset Management
http://www.resourcespace.org
---
You received this message because you are subscribed to the Google Groups "ResourceSpace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to resourcespac...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 
--
ResourceSpace Developer
Reseller of Colorhythm's Prismpoint Portal DAM

[Noel Slevin]

Thanks for the response. Sorry it’s taken a while to reply. I have made progress on some fronts, but perhaps not in the best manner (I'm using 7.3.7009 - should have mentioned that earlier). Please forgive me if my post seems to ramble!

Firstly, I discovered why some resources were being set to active rather than going to "pending submission". The group did not have the permissions "e-2" or "e-1". However, they did have the "d" permission rather than "c", so by my understanding, they should have been sent to "pending submission". Adding "e-2" and "e-1" corrects this behaviour. Perhaps this is a bug in the upload process? I'm using plupload if that changes anything.

I've played around further with trying to hide resources from the anonymous user, and found the following:

• I can set $mycontributions_userlink=false – which will hide the My Contributions link, but still allow access to it if the link is typed in;
• Setting $show_user_contributed_resources=false only hides the link to active resources contributed by the user, but does not prevent access to them if the link is typed in (and the same goes for pending submission/pending review). This happens even if the user doesn't have the "s" permission

I guess I was hoping that users without the "s" permission wouldn't be able to see resources at all, even if they have uploaded them (aimed specifically at the anonymous user, as multiple users can upload through that account, and shouldn't be able to see others' contributions). Thus, I have tried the following:

• I have created a new page (thanks.php), to redirect the anonymous user to after upload, instead of the search page showing their contributions;

• I have edited upload_plupload.php (line 708 to test the current user's credentials and redirect accordingly)

The original line 708 is:

window.location.href='<?php echo $baseurl_short?>pages/search.php?search=!contributions<?php echo urlencode($userref) ?>&archive=<?php echo urlencode($setarchivestate) ?>';

In its place, I've put:

<?php if (!checkperm("s")) { ?>

window.location.href='<?php echo $baseurl_short?>pages/thanks.php';

<?php }

else { ?>

window.location.href='<?php echo $baseurl_short?>pages/search.php?search=!contributions<?php echo urlencode($userref) ?>&archive=<?php echo urlencode($setarchivestate) ?>';

<?php } ?>

So it checks to see if the current user has the search permission, and if not, redirects to thanks.php, but if they can, does as before. This appears to be the best way for me to hide uploads from the anonymous user, but there aren't any hooks or functions I can see that I can use to make this into a plugin. Is there any way for me to do this without having to edit the active code? Is there, perhaps, a way to replace the whole upload_plupload.php file through a plugin, or to add a new thanks.php page via a plugin? If I can do this, then at least I don’t need to merge changes each time there is an update, which would make things easier.

Noel