Merry Christmas and Happy New Year to everybody
Hi all
I'm writing a CV module (for now the admin can submit and edit basic CV data).
My question is how to let users edit only their own CV (items submitted by the user but not by other users).
I can do a check
if $uid==$cr_uid but is there a better way to do this?
I don't want to give EDIT permission globally. This will let a user edit other users' CV data.
edited by: shoshia
module content owner permissions
-
- Rank: Softmore
- Registered: Mar 10, 2005
- Last visit: Mar 18, 2010
- Posts: 288
-
- Rank: Developer
- Registered: Dec 31, 1969
- Last visit: Jun 01, 2010
- Posts: 6859
That's always how I've done it: check if they have general permission to edit (which in your case will be the same as add), and if so, check the creator id against the user id.
--
Home Page | Find on Facebook | Follow on Twitter
-
- Rank: Softmore
- Registered: Mar 10, 2005
- Last visit: Mar 18, 2010
- Posts: 288
Thanks a lot.
But can this cause security problems?
I mean, what if I have edit access and pass another user's uid instead of mine?
Of course I can log the id of the user who last edited and see if I get this kind of "smart" user, but it will not help if a large amount of data is corrupted.
-
- Rank: Developer
- Registered: Dec 31, 1969
- Last visit: Jun 01, 2010
- Posts: 6859
No, there should be no risk because you shouldn't be passing data around in any manner that can be compromised. In the display template, you show an edit link only if the logged-in user = the record owner's id. If they're different, no display. In the code for editing the info, you check in the API that the owner id & logged-in user id are the same. There should be no easy way to get around it.
--
Home Page | Find on Facebook | Follow on Twitter
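The API-side check described in the replies above, as an added example that is not part of the original thread and is not Zikula code. The function `cv_update`, the `$cvStore` array and the `$hasEditRight` flag (standing in for the module's general edit-permission check) are hypothetical; `cr_uid` is the creator field named in the question. The request supplies only the record id, while the owner comes from the stored record and the user id from the session, so a uid submitted in the form has no effect.

```php
<?php
// Added example, not Zikula code: all function and variable names are hypothetical.
// Constructed sample data: CV records keyed by id, each storing its creator in cr_uid.
$cvStore = [
    10 => ['id' => 10, 'cr_uid' => 5, 'title' => 'CV of user 5'],
    11 => ['id' => 11, 'cr_uid' => 7, 'title' => 'CV of user 7'],
];

/**
 * Update a CV only if the session user has the general edit right AND created the record.
 * $sessionUid comes from the server-side session, $request from the submitted form.
 */
function cv_update(array &$store, int $sessionUid, bool $hasEditRight, array $request): bool
{
    if ($sessionUid <= 0 || !$hasEditRight) {
        return false; // anonymous user, or no general edit permission
    }
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($store[$id])) {
        return false; // missing, malformed or unknown record id
    }
    // The owner is read from the stored record; any uid/cr_uid in $request is ignored.
    if ((int) $store[$id]['cr_uid'] !== $sessionUid) {
        return false; // record was created by someone else
    }
    // Copy only whitelisted fields, so cr_uid cannot be reassigned through the form.
    foreach (['title'] as $field) {
        if (isset($request[$field]) && is_string($request[$field])) {
            $store[$id][$field] = $request[$field];
        }
    }
    return true;
}

// Case 1: user 5 edits their own CV.
var_dump(cv_update($cvStore, 5, true, ['id' => '10', 'title' => 'Updated']));

// Case 2: user 5 submits user 7's record id together with forged uid/cr_uid fields.
var_dump(cv_update($cvStore, 5, true, ['id' => '11', 'uid' => 7, 'cr_uid' => 5, 'title' => 'x']));

// Case 3: user 7's record still carries its original title after case 2.
var_dump($cvStore[11]['title'] === 'CV of user 7');
```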
