I need to implement field-level permissions in a Page model, in a SilverStripe 3.2 website.
Let's imagine I have an ArticlePage.php model. It has the usual fields like $MenuTitle and $Content, and I've added other properties like $Subtitle and $Author.
I can protect the whole model by using providePermissions() and the associated canEdit() methods, but I need to protect individual fields / page properties.
What I need to do is:
Admins should be able to edit all fields
Users in another permissions group should only be able to edit and save $Subtitle
Is this possible in SilverStripe 3.2? Is there a SilverStripe way of doing it?
If not, is there a way I can Identify the user group of the current user and then perhaps conditionally show the $field->addFieldToTab() code? Is it possible to stop the user saving a field by posting the data maliciously, perhaps by adding the missing fields via inspector?
Thanks in advance.
So here's my own answer. This post was helpful: https://www.silverstripe.org/community/forums/customising-the-cms/show/11693
You can conditionally show CMS fields and tabs using code like the post demonstrates:
public function getCMSFields()
if(!Permission::check('PERMISSION_LABEL'){
$fields->removeFieldFromTab("Root.Main","MenuTitle");
$fields->removeByName('BannerImages');
// etc...
}
// etc...
}
Having defined the permission:
public function providePermissions()
{
return array(
'PERMISSION_LABEL' => 'Can edit some fields',
);
}
My concern with this approach was that a user could still create a form field on the page using inspector or JS and submit values for fields they should not be able to see.
Having tested this it appears that field values are not saved if they are not listed on the page, but are sent with the POST data. Although I'd love to know if a SilverStripe expert could confirm that.
Related
I have created a website whereby users register and create their own templated profile pages. The profile pages are automatically created as Custom Posts upon registration, with the user being set as the Author of their specific post (profile).
(Users can only ever have one Custom Post)
I want to redirect a "dumb" URL like www.website.com/my-profile to a user's custom post when they are logged in.
For example, when John Smith visits www.website.com/my-profile he is directed to his profile page: www.website.com/users/john.smith
I have found many PHP solutions going the other way, but I can't seem to find a solution that does what I need. Any help would be greatly appreciated. Thanks!
This may not be the correct answer to the original query, but proved to be a solid workaround:
Instead of redirecting www.website.com/my-profile to www.website.com/users/john.smith every time it is entered in the URL bar, I created a shortcode that could be used when needed throughout the site.
add_shortcode('bt_redirect_user_link', 'bt_redirect_user_link');
function bt_redirect_user_link ($atts) {
// check if user is logged in
if (is_user_logged_in()) {
// get current user object
$current_user = wp_get_current_user();
// get user nickname
$user_nickname = $current_user->data->user_nicename;
// set the link href
$link_href = '/users/' . $user_nickname;
// output the link html
return $link_href;
}
}
Fortunately for me, the www.website.com/my-profile link (which needs to be redirected) is only available on buttons/icons visible to logged in users. This may not be a fully workable solution for websites that need to display the link to logged out users, and I assume IF/ELSE statements would needed to be added in those cases.
Here's what I've been trying to figure out how to do for hours now.
I want the author role to be able to upload content into the media library from their posts, and to be able to view the entire media library. What I don't want is to let the author role delete any media, even their own.
I've thought about automatically switching authors to a 'media' user upon upload completion, but I was hoping there'd be a cleaner way.
Any ideas?
There's no built-in capability for "delete_media." I think this is encompassed by "delete_posts," since uploads are treated as posts. (Note that authors can delete only their own posts and attachments.)
Adding a role or capability is possible, but you'd have to replace the default media admin screens, where the delete action is controlled by the "delete_posts" cap. You don't want to mess with the core files upload.php etc. So you'd have to restrict access to them, then write your own panels for authors. You probably don't want to do this. :-)
There's a better way, however. If you assign uploads to an administrator when they are saved then authors will not be able to delete them. You can use the add_attachment and edit_attachment action hooks to change the post_author to an administrator id.
Hope that helps.
There are a number of places where WordPress will let users delete images, so trying to hide them all can be challenging (and dangerous, because a new plug-in or version of WordPress could add another). However, you can add the following function to prevent deletions and throw an error (not pretty, but effective). You could enhance this by adding a custom capability for deleting images, if you wanted a finer level of control.
add_action('delete_attachment', 'DontDeleteMedia', 11, 1);
function DontDeleteMedia($postID)
{
if (!current_user_can('manage_options')) {
exit('You cannot delete media.');
}
}
add this code in your functions.php file:
add_action('media_row_actions','users_own_attachments', 2, 1);
function users_own_attachments( $wp_query_obj ) {
if( !current_user_can( 'delete_plugins' ) ){
unset($wp_query_obj['delete']);
return $wp_query_obj;
}
}
I created a very basic custom post type in my WP site to hold events. Basically, a user can input an event title, some information about the event and the date.
Currently, the only time the events are being displayed are in my sidebar where I just pull the title and date of the upcoming events.
However, I want to be able to allow the user to also click on the title of the link to lead to the event's individual page. I tried previewing my custom post type event and it kept leading me to my 404.php page. The events don't seem to load into a page at all.
I'm hoping this is a small property that I didn't set when I registered my post type. Any help?
Wordpress has incorporated custom post types into the template hierarchy and you have access to them at single-$posttype.php and archive-$posttype.php.
If you create these templates and your posts don't show up in the loop, you need to reset your permalinks/flush your rewrite rules.
As well, it would help to see how you are registering your post types, as in order for your archive-$posttype.php to be available you need to call has_archive => true in your arguments.
What i've done when i needed it:
Add this code in the same function that create your post type:
add_action("template_redirect", array(&$this, 'template_redirect'));
function template_redirect() {
global $wp;
if ($wp->query_vars["post_type"] == "events")
{
include(TEMPLATEPATH . "/events.php");
die();
}
}
Then, just create events.php with the_loop (like single.php)!
Hope it helps
[]'s
I would like to show / hide certain fields in my Drupal view based on whether the current user is the author of the node being viewed.
I installed the Views Custom Field module which seems to allow this, but I have no knowledge of PHP, so wondered if anyone could help me with the PHP code.
Something like this (check that $data has uid, maybe different name):
global $user;
if ($user->uid == $data->uid) {
print 'something';
}
I don't know how to change the size of the login username/password boxes on the drupal site that I'm trying to build. I'm stumbling through the theming, and don't know where to find the file that needs to be changed in order to have boxes that fits the aesthetic (so a file path would be very helpful).
I'm hoping it's a css solution. You can see the site first hand at innovatefortomorrow[dot]org and my firebug screenshot http://www.jonrwilson.com/user-login-form.png (I don't have enough reputation points to attach an image or two hyperlinks).
Thanks!
read this as well! This is an alternative answer!
Ok... you are about to enter one of the most exciting and complex features of Drupal: the form API or - for brevity - FAPI. Some theory first, and then the solution! :)
All forms in Drupal are built by the drupal_get_form() function, that accepts an array as parameter. Each field in the array is basically a field of your form, and each field has a number of proprieties, each of them define additional characteristics of the the field, like for example its default value, if it is required or optional and - yes - in the case of textfields... how large they have to be! You can find a detailed explanation of the structure of form arrays here on the drupal site.
The beauty of the form API is that the function that renders the form invokes a number of hooks at various moments during its building process, so you can implement these hooks in order to "alter" a form before it is finalised and sent to the browser.
The most commonly hooks for form alteration are hook_form_alter() and hook_form_FORM_ID_alter(). The first is executed for any form processed by the drupal engine, the latter only for the specific form named "FORM_ID". I will not get into any more details on the internal working of the form API, but here you can read more.
As for your specific case, I assume you are using the standard "user block" shipping with Drupal. In this case I suggest you implement hook_form_FORM_ID_alter() in a form similar to this one:
mymodule_form_user_login_block_alter(&$form, $form_state) {
$form['pass']['#size'] = 43;
}
Hope this helps! :)
I think in this case you have to go to the your html ( or tpl), not your css file to edit it.
One quick way is to search the relevant string (i.e., size="43" name="name" etc) in order to find the correct part.
Here is the way to theme a user login form in drupal 6 with the preprocess function in a template file and not in a module.
in template.php put this code:
function yourThemename_preprocess_user_login(&$variables) {
$variables['form']['name']['#size'] = 15;
$variables['form']['pass']['#size'] = 15;
$variables['rendered'] = drupal_render($variables['form']);
}
create a new file user-login.tpl.php (if it's not already there) and just paste this:
<?php print $rendered; // this variable is defined in the preprocess function user_login and print the login form ?>
Don't forget to clear theme cache or system cache in the performance settings.