Recent Topics

1 Aug 10, 2004 01:54    

Hello.

Firstly, let me thank B2evolution team for the best software blog I have ever seen :D

My question is: I want to make my Blog interactive with users who come to my website, so that they can join, be a member and Blog.

I can do this fine under testing, but my fear is, anyone who joins 'once' I give permission 'has' the ability to edit all the Blog posts.
which means a bad user might join, and then click on edit button and wipe all the Blog clean.

How do I prevent users from being able to edit other peoples (users) Blog messages?.

Thanks.

2 Aug 10, 2004 07:31

If you go to blogs | the blog you want to edit | permissions, you'll see that you can give each user specific permissions. The user only needs to be a member of the blog to read the protected posts, the other options are, well, optional.

3 Aug 10, 2004 13:34

I think he ment (or at least, that's my concern) that if you make a person not only member so they can read the posts, but also make them 'real' member, so they can make posts, that at the same thime, you gave tem permission to edit also the posts of others.

You can choose if you want them to be able to delete posts, but that still means that they can edit there posts and also posts of others.

In the early years of b2, you had the levels. Someone with level 3 could edit posts of all the others with level 2 and less, but not posts of others with level 3 and so on.
That is a deprecated function.

Nowadays, all members who can edit have the same rights...

4 Aug 10, 2004 16:35

yeah we definitely need an option "[ ] this member is only allowed to edit his own entries"

5 Aug 10, 2004 20:38

kiesow wrote:

yeah we definitely need an option "[ ] this member is only allowed to edit his own entries"

Topanga and kiesow, that is exactly what I was asking about,
so I can keep all users in the same place (Blog area).

But it is hard, as people you don't know so well 'could' hit the 'edit' button
and wipe everyone's posts on the blog, as everyone gets 'edit' option on everyone's posts as soon as they are a member, and I can't seem to change that.

I think only the poster of the message, should be allowed to 'edit' it, excluding the administrators of course. Just like a forum. :D

6 Aug 10, 2004 23:16

Radiojuk,

On the todolist we described it allready thouroughly (correct word ?)

see : http://b2evolution.net/dev/todo/2004/06/03/specify_permissions_on_a_group_base

that means that there are several reasons why I want several people to be able to edit the posts of others.

it is on the todolist, I don't know if it will be in the next release or that there are other stuff that will be in the next release (all dev-people have other paid jobs, all volunteers,...

Solution for this moment (how I handle)

Give the people that are very trustworthy full permissions (public, protect, draft, deprecated)

Other people you can give only protect permission.

That means that they can't edit the published posts, only the posts that are only vissible for members.
If you (or your other chief editors) check on a daily basis for new (protected) posts and publish them, then they can't be edited anymore.

Even more, cause you also have a 'draft' status.
If you give people only rights to make posts in draft, than you can publish them even in protect mode, and they can't be edited by the 'basic' users...

Con : it is not what you want on the long run
Pro : It works for now

my credo is and has ever been : if it won't work the way it is supposed to be, it has to work the way it can.

7 Aug 11, 2004 05:50

That's cool Topanga :)

I will use that method it's alot better than what I have set.

Thanks for all of your help once again,
It is very much appreciated.

:D

8 Sep 01, 2004 05:53

wouldnt there be a way in _edit_showposts.php to put something along the lines of

if ( member-logged-in == member-who-posted )
{

show edit, and delete buttons

}

?????

i dont know the exact syntax or what variables to use, but someone should be able to write a hack like that. i am not very familiar with perl so i only have a theory. please let everyone know if you figure out that this is possible.

9 Sep 01, 2004 07:56

Ask and ye shall receive! Choose the handy dandy editor of your choice, fire it up and open admin/_edit_showposts.php. Scroll your way down about 1/3 the way until you find a block of code that looks suspiciously like this one, then make it look exactly like this one.

<div class="PostActionsArea">
	<a href="<?php $Item->permalink() ?>" title="<?php echo T_('Permanent link to full entry') ?>" class="permalink_right"><img src="img/chain_link.gif" alt="<?php echo T_('Permalink') ?>" width="14" height="14" border="0" class="middle" /></a>
	<?php
	// EdB: only the author or admin get to edit or delete posts
	if( ( $current_User->get( 'ID' ) == $Item->Author->get( 'ID' ) ) || ( $current_User->get( 'ID' ) == 1 ) )
	{ // user is author or admin so make the buttons
 		// Display edit button if current user has the rights:
		$Item->edit_link( ' ', ' ', '#', '#', 'ActionButton');
		// Display publish NOW button if current user has the rights:
		$Item->publish_link( ' ', ' ', '#', '#', 'PublishButton');
		// Display delete button if current user has the rights:
		$Item->delete_link( ' ', ' ', '#', '#', 'DeleteButton');
	}
	?>


Actually I guess it doesn't have to look *exactly* like mine. You can take out the EdB part despite the fact that I'm a very sensitive guy and you WILL hurt my feelings and I WILL have to take it out on some random stranger, but that's okay - they'll never know it was you.

Now you can give people edit privli... privele... permissions and they can edit/delete their own stuff but not stuff by others. Admin, identified by user id #1 still has total control. By the way you can add other user ids to the list if you like. My application uses " <= 3" instead of " == 1" because I auto-installed some users to those ids. To add lets say user id #5 just do like this:

if( ( $current_User->get( 'ID' ) == $Item->Author->get( 'ID' ) ) || ( $current_User->get( 'ID' ) == 3 ) || ( $current_User->get( 'ID' ) == 5 ) )

Peace all!

11 Sep 02, 2004 02:42

thank you very much ed... for the time being i just edited out the edit and delete buttons completely. but i will definitely put this in tonight and hopefully it works. sorry for the mistake. php does rock.

12 Sep 02, 2004 02:53

I should/ve had a little smilie in there somewhere eh? In the followup post I mean. I certainly wasn't seriously upset at you calling it perl. After I pulled the code out of my files and posted it I noticed the reference and thought 'ah you coulda had some fun with that!'.

13 Mar 31, 2005 08:07

I know I'm digging up an old thread, but unless it's been mentioned otherwise, I think this is important.

EdB - is your above code going into the next version of b2b? Reason I ask is I'd hope I don't forget about it on the next update - with all the hacks I have, something is going to get b0rked, i'm sure of it.

14 May 22, 2005 06:17

EdB's suggestion is good, though of course it still leaves the 'blog' open to hacking for those who know the URL to edit or delete.

You can modify EdB's code with the following to allow anyone with a higher user level to edit / delete posts:

if( ( $current_User->get( 'ID' ) == $Item->Author->get( 'ID' ) ) || ( $current_User->get('level') > $Item->Author->get('level')) )

This will include of course admin who should be at level 10.

15 May 31, 2005 05:11

sahamilton wrote:

EdB's suggestion is good, though of course it still leaves the 'blog' open to hacking for those who know the URL to edit or delete.

You can modify EdB's code with the following to allow anyone with a higher user level to edit / delete posts:

if( ( $current_User->get( 'ID' ) == $Item->Author->get( 'ID' ) ) || ( $current_User->get('level') > $Item->Author->get('level')) )

This will include of course admin who should be at level 10.

You are right about unsecure this method. You can do following:
in additional to EdB method:
in file admin/edit_actions.php in case of actions which you interested (editpost in my case) add next code after string

$postdata = get_postdata($post_ID) or die(T_('Oops, no post with this ID.'));

:


if( ( $current_User->get( 'ID' ) != $postdata['Author_ID'] ) && ( $current_User->get( 'ID' ) != 1 ) )
    die( T_('Permission denied!'). ' ( editpost )' );

So, if even hacker knows URL for editing post, he'll get access denied.

16 Jul 27, 2005 14:51

I am new and not fully sure of the rules for replying to an older post?

I have tried the code that EdB suggested to stop other posters from editing. I copied and pasted to the correct file and it does give the message you do not have access to edit. Unfortunatly it still allows editing of the post.

I have checked the settings to make sure my test account is not to high and over riding the edit feature.

This is the code that I added.


<div class="PostActionsArea"> 
   <a href="<?php $Item->permalink() ?>" title="<?php echo T_('Permanent link to full entry') ?>" class="permalink_right"><img src="img/chain_link.gif" alt="<?php echo T_('Permalink') ?>" width="14" height="14" border="0" class="middle" /></a> 
   <?php 
   // EdB: only the author or admin get to edit or delete posts 
   if( ( $current_User->get( 'ID' ) == $Item->Author->get( 'ID' ) ) || ( $current_User->get( 'ID' ) == 1 ) ) 
   { // user is author or admin so make the buttons 
       // Display edit button if current user has the rights: 
      $Item->edit_link( ' ', ' ', '#', '#', 'ActionButton'); 
      // Display publish NOW button if current user has the rights: 
      $Item->publish_link( ' ', ' ', '#', '#', 'PublishButton'); 
      // Display delete button if current user has the rights: 
      $Item->delete_link( ' ', ' ', '#', '#', 'DeleteButton'); 
   } 
   ?>

I basically copied and pasted what EdB had posted. Would some one be able to tell if I did something wrong or maybe misunderstood what I read below.

TIA.

18 Jul 28, 2005 03:03

Just wanted to say thank you EdB, worked like a charm ;)


Form is loading...