Restrict author permissons

ellen · 2007-07-29 17:59:33

Hello,

How can I prevent that a user with author permissions changes an image that another user uploaded? It works with articles that you can’t change another author’s entries but there is no such option for images in the permissions file…

Any suggestions?

Last edited by ellen (2007-07-29 18:00:03)

Mary · 2007-07-30 04:25:26

At present you can’t, not without making modifications to a few files.

ellen · 2007-07-31 10:59:43

Mary,

Could you please give me a hint what modifications I had to make? I would be sufficient if I could hide the ‘save’ button from another user’s eyes… (Not from the one who published the image).

ruud · 2007-07-31 12:04:14

The easiest ways is probably to disable the edit link in the image list, otherwise you not only have to hide the save button, but also the two upload buttons (replacing images) and the thumbnail create button.

In /textpattern/include/txp_image.php, you’d have to add $txp_user to the list of global variables at the beginning of the ‘image_list’ function and replace this line:

n.t.'<li>'.href(gTxt('edit'), $edit_url).'</li>'.

with

($txp_user == $name ? n.t.'<li>'.href(gTxt('edit'), $edit_url).'</li>' : '').

To make it more resistant agains nosy users, you could do something similar in the image_edit function, adding $txp_user to the list of global variables and just below the extract($rs); line add this line:

if ($txp_user != $name) return image_list('naughty user!');

ellen · 2007-08-22 20:29:16

Thank you, works fine! Is there also a possibility to disable the image delete button in the image list?

ruud · 2007-08-22 20:35:32

sure.

Replace this line:

dLink('image', 'image_delete', 'id', $id, '', '', '', false, array($page, $sort, $dir, $crit, $search_method))

with:

($txp_user == $name ? dLink('image', 'image_delete', 'id', $id, '', '', '', false, array($page, $sort, $dir, $crit, $search_method)) : '')

And add that ‘naughty user’ line also to the ‘image_delete’ function, similar to what I explained for the ‘image_save’ function.

ellen · 2007-08-22 21:02:02

Sorry to be a nuisance – can the following line be modified in the way that the user who uploaded the image can save a new version of it and any other user can’t?

if ($txp_user != $name) return image_list(‘naughty user!’);

ruud · 2007-08-22 21:09:24

That line should already do that.

ellen · 2007-08-22 21:26:19

Unfortunately it doesn’t. With the edit link enabled I can still replace and save another users image while the ‘naughty user’ message is displayed.

ruud · 2007-08-22 21:50:06

Where did you add the naughty user line?

ellen · 2007-08-23 11:34:30

To the image_save and image_delete function:

function image_save() 
	{
		extract(doSlash(gpsa(array('id','name','category','caption','alt'))));
		if ($txp_user != $name) return image_list('naughty user!');
		$id = assert_int($id);

function image_delete() 
	{
		global $txpcfg;
		extract($txpcfg);
		if ($txp_user != $name) return image_list('naughty user!');

ruud · 2007-08-23 12:28:40

You need global $txpuser; at the top of both functions. And in the image_delete function, move the ‘naughty user’ line to below the line extract($rs);

Last edited by ruud (2007-08-23 12:29:53)

ellen · 2007-08-23 19:57:23

Dear Ruud,
Thank you for your help. I’ve just found out that one has to replace $name with $author and then it works as intended! Since I don’T want to replace the txp_image.php file each time when I have to delete a users image I wonder if it is possible to modify the following line in a way that the delete button is shown to the image’S author and to me as the admin?

($txp_user == $author ? dLink('image', 'image_delete', 'id', $id, '', '', '', false, array($page, $sort, $dir, $crit, $search_method)) : '')

ruud · 2007-08-23 20:13:54

Replace

($txp_user == $author ?

with

(($txp_user == $author or has_privs('admin.edit')) ?

That would give the publisher the right to delete images at all times. If you want image delete rights to all users that can also delete articles, replace ‘admin.edit’ with ‘article.delete’.

Last edited by ruud (2007-08-23 20:14:38)

ellen · 2007-08-23 20:29:19

Cooooool! Now it is perfect. This is the link to the site: Click me

Thanks again and Good night!

Textpattern CMS

Textpattern CMS support forum

#1 2007-07-29 17:59:33

Restrict author permissons

#2 2007-07-30 04:25:26

Re: Restrict author permissons

#3 2007-07-31 10:59:43

Re: Restrict author permissons

#4 2007-07-31 12:04:14

Re: Restrict author permissons

#5 2007-08-22 20:29:16

Re: Restrict author permissons

#6 2007-08-22 20:35:32

Re: Restrict author permissons

#7 2007-08-22 21:02:02

Re: Restrict author permissons

#8 2007-08-22 21:09:24

Re: Restrict author permissons

#9 2007-08-22 21:26:19

Re: Restrict author permissons

#10 2007-08-22 21:50:06

Re: Restrict author permissons

#11 2007-08-23 11:34:30

Re: Restrict author permissons

#12 2007-08-23 12:28:40

Re: Restrict author permissons

#13 2007-08-23 19:57:23

Re: Restrict author permissons

#14 2007-08-23 20:13:54

Re: Restrict author permissons

#15 2007-08-23 20:29:19

Re: Restrict author permissons

Board footer