I would like to show / hide certain fields in my Drupal view based on whether the current user is the author of the node being viewed.
I installed the Views Custom Field module which seems to allow this, but I have no knowledge of PHP, so wondered if anyone could help me with the PHP code.
Something like this (check that $data has uid, maybe different name):
global $user;
if ($user->uid == $data->uid) {
print 'something';
}
Related
I need to implement field-level permissions in a Page model, in a SilverStripe 3.2 website.
Let's imagine I have an ArticlePage.php model. It has the usual fields like $MenuTitle and $Content, and I've added other properties like $Subtitle and $Author.
I can protect the whole model by using providePermissions() and the associated canEdit() methods, but I need to protect individual fields / page properties.
What I need to do is:
Admins should be able to edit all fields
Users in another permissions group should only be able to edit and save $Subtitle
Is this possible in SilverStripe 3.2? Is there a SilverStripe way of doing it?
If not, is there a way I can Identify the user group of the current user and then perhaps conditionally show the $field->addFieldToTab() code? Is it possible to stop the user saving a field by posting the data maliciously, perhaps by adding the missing fields via inspector?
Thanks in advance.
So here's my own answer. This post was helpful: https://www.silverstripe.org/community/forums/customising-the-cms/show/11693
You can conditionally show CMS fields and tabs using code like the post demonstrates:
public function getCMSFields()
if(!Permission::check('PERMISSION_LABEL'){
$fields->removeFieldFromTab("Root.Main","MenuTitle");
$fields->removeByName('BannerImages');
// etc...
}
// etc...
}
Having defined the permission:
public function providePermissions()
{
return array(
'PERMISSION_LABEL' => 'Can edit some fields',
);
}
My concern with this approach was that a user could still create a form field on the page using inspector or JS and submit values for fields they should not be able to see.
Having tested this it appears that field values are not saved if they are not listed on the page, but are sent with the POST data. Although I'd love to know if a SilverStripe expert could confirm that.
I'm using content access module to restrict certain nodes and node types for un-registered users.
But I would like to create a view where unregistered users can also see titles of those restricted nodes.
How can I do this ?
I haven't used this personally, but I just saw it pop up in the drupal.org module feed a few days ago, and it should help: http://drupal.org/project/views_ignore_node_permissions
ok if you just want to echo the node title in php (with in the node body ) enable php
then :
<?php
if (arg(0) == 'node' && is_numeric(arg(1))) $nodeid = arg(1);
$node = node_load($nodeid);
print $node->title;
?>
Blockquote
and you are done
If you want to restrict access to some fields and not to others, you really should be using permissions per field. I assume all fields are built with CCK, so just enable permission for the content-type, but disable for all fields.
That way, only the title is visible. I don't think you can disable permissions for the standard body field, but I always use a CCK text-area for that anyway, it's alot easier also for css since the standard body field isn't wrapped in default node printing.
You can write a simple module for this, which does the following:
query the node titles you want to show (called by hook_menu)
theme the result (hook_theme)
display the result (hook_block)
in the hook_perm you can create a new permission who you would like to show the node titles, if it is for everybody, just use 'access content'.
The solution is here:
In the views "Query options"-settings it's possible to set "Disable SQL rewriting" ("Disabling SQL rewriting will disable node_access checks as well as other modules that implement hook_query_alter().") which afaik makes this module unneeded with the latest views version.
I am using the profile module and have several categories for different fields. I want to add a small bit of text to the top of one of the categories saying what the category is for. The information would be displayed when a new user registered. Basically I want to tell users to only fill out a category on certain conditions. Can anyone tell me how I could do this? I'm guessing I could use hook_form_alter(), but I don't know where to start.
You want to create your own module and implement hook_form_alter like you mentioned.
In a nutshell:
Use print_r($form) in hook_form_alter to look through what you'll need to edit
A category will have a #type => 'fieldset' and #title => 'What you named your category'
Remove print_r and add $form['categoryname']['#description'] = 'My description here!';
You may have to update your module's "weight" as I described here (replacing CCK with Profile).
As Chris Ridenour alluded to, you can do this with hook_form_alter() in a custom module:
function mymodule_form_alter(&$form, &$form_state, $form_id) {
if ($form_id === 'user_profile_form') {
// Change personal to the name of the category.
$form['personal']['#description'] = t('This is a description of your personal information.');
}
}
In this example, it adds a description to the personal category on the user profile form.
You can read more about what types of things you can modify in the Forms API reference. If you have the Devel module installed, dsm($form) within your hook_form_alter() will pretty-print the form structure to give you an idea of what's available to alter.
I am using hook_form_alter to disable some publishing options whet authors adds or edits the nodes:
/**
* hook_form_alter ()
*/
function mymodule_form_alter(&$form, $form_state, $form_id) {
global $user;
if ($form['#id'] == 'node-form') {
unset($form['comment_settings']);
unset($form['path']);
unset($form['revision_information']);
unset($form['author']);
}
}
However - I can not find (even in debugger) what variable to unset to disable Input Format options to prevent users from changing default format.
Do you other way to do that?
HOOK_FORM_ALTER will work if we make sure our hook is being called after filter_form_alter (or hook from any other module altering form).
This is being done by setting our module weight in drupal system table to be bigger than others we compete with. It is usually done in hook_install:
db_query("UPDATE {system} SET weight = [yournumber] WHERE name = 'yourmodulename'");
Drupal uses weight field to determine order or calling hooks.
Taken from:
http://drupal.org/node/110238
Hope it will help someone.
Hm, why dont you just set up your filter formats so that normal users dont have more than one, and simply remove the administer filters permission from everyone, that's not 'cruel' that's called 'secure'.
Disable "administer filters" permission works but it feels kind of cruel.
I'm in the process of making some improvements to a live Drupal site that's using the Domain Access module to run a number of microsites. I'm trying to find a way of restricting the menus a user can post content to from the node edit screen. A user on one of the domains should only be able to post content to menus associated with that domain.
Is there a simple way of achieving this? I'm guessing there are some hooks I could use, but so far I have been unable to identify them. I'd prefer not to have to install further modules to achieve this and to be able to add some code to the current site to alter the forms. The site is struggling with the large number of modules we've had to install on it already.
According to the readme for the module, you need to set some specific permissions in user management:
To enable this feature, you should grant the 'edit domain nodes' and
(optionally) the 'delete domain nodes' permission to some roles. Then assign
individual users accounts to specific domains to assign them as Domain Editors.
From my experience many moons ago with the module, you can check the global $user object and figure out what domains the user should have access to. You can then use a form alter to remove any options from the select box that you don't want them seeing. As always with Drupal though, it's better to let someone else write the code - so if the Domain module provides this functionality, use it!
Here is some updated code for Drupal 7:
/**
* Implements hook_form_FORM_ID_alter().
*/
function MYMODULE_form_page_node_form_alter(&$form, &$form_state) {
global $_domain;
if (isset($_domain['domain_id'])) { // only display domain's primary links
$menus[domain_conf_variable_get($_domain['domain_id'], 'menu_main_links_source')] = $_domain['sitename'].' Main menu';
}
if (isset($menus)) {
$options = menu_parent_options($menus, $form['#node']->type);
$form['menu']['link']['parent']['#options'] = $options;
}
}
Eventually found a way of fixing this for the particular project I have been working on: in module_form_alter I've added the following:-
global $_domain;
if (isset($_domain['domain_id'])) { // only display domain's primary links
$menus[domain_conf_variable_get($_domain['domain_id']
,'menu_primary_links_source')] = $_domain['sitename'].' Primary links';
}
if ( isset($menus) ) {
$options = menu_parent_options($menus, $form['menu']['#item']);
$form['menu']['parent']['#options'] = $options;
}
This restricts the menu options to just the current domain's primary links menu which is just what we wanted.
Thanks to Fabian who pointed me in the right direction earlier.