xaraya: restricting user to view and modify own articles

Posted by Teddy Jasin
May 7, 2008

I was looking around on how to restrict users with non Administrator group to only allow them view and modify their own submitted articles. The xaraya website itself does this, however I couldn't find any info on how to do this.

At the end, decided to do my own workaround to do this rather than spending more times looking for the info, at least until I found a better workaround. Ahh... come on xaraya, you need more docs!!.

There were two methods that I wanted to do for the workaround:

  1. Copy the whole view and modify pages and the relevant templates to user mode. This is done by copying all the php scripts to the xaruser directory, copying the templates from admin to user template and make necessary changes to the scripts.
  2. Add security check on view and modify php pages that does the check whether the user is from admin group, if not restrict the user to view and modify their own articles.

I am too lazy to do the first method :), so decided to go with the second method.

First I add the check on view page, xaradmin/view.php. Somewhere after line 41, after the getpubtypes.

  1.  
  2.     $pubtypes = xarModAPIFunc('articles','user','getpubtypes');
  3.  
  4. 	/* added by TAJ 07052008 */
  5. 	/* This will only let users view their own articles */
  6. 	/* only administrators role id =4 will be able to see all */
  7. 	$role = new xarRole(array('uid' => xarUserGetVar('uid')));
  8. 	$parent = $role->getParents();
  9. 	if (!empty($parent)){
  10. 		$parent = current($parent);
  11. 		if ($parent->uid != 4){//administrator
  12. 			$authorid = xarUserGetVar('uid');
  13. 		}
  14. 	}
  15. 	/* end addition */
  16.  

The code will check if the user direct parent role is Administrators (uid = 4). If the user is not from administrators group then it will set the authorid, in which the subsequent codes will set fetch articles by authorid. As the result the view will only list articles submitted by the user unless if the user is administrators, he will see all.

Next, I added check on modify page, xaradmin/modify.php. Somewhere at line 44.

  1.  
  2. 	/* added by TAJ 07052008 */
  3. 	/* This will only let users modify their own articles */
  4. 	/* only administrators role id =4 will be able modify see all */
  5. 	if (isset($article['authorid']) && !empty($article['authorid'])) {
  6. 		$role = new xarRole(array('uid' => xarUserGetVar('uid')));
  7. 		$parent = $role->getParents();
  8. 		if (!empty($parent)){
  9. 			$parent = current($parent);
  10. 			if (($parent->uid != 4) && (xarUserGetVar('uid') != $article['authorid'])){ //administrator
  11. 		        $msg = xarML('Unable to find #(1) item #(2)',
  12. 		                    'Article', xarVarPrepForDisplay($aid));
  13. 		        xarErrorSet(XAR_SYSTEM_EXCEPTION, 'NO_PERMISSION',
  14. 		                       new SystemException($msg));
  15. 		        return;
  16. 			}
  17. 		}
  18. 	}
  19. 	/* end addition */
  20.  

In here, the codes before the check, fetch the article information. The check then compare if the article authorid is the same as the user trying to modify the article. If he's not the author or administrators, the page will render system exception error.

Now, should I do on update page as well?

Tags: , , ,
Xaraya |

If you enjoyed this post, please consider to leave a comment or subscribe to the feed and get future articles delivered to your feed reader.

Comments
Comment by Chris on May 13, 2008 @ 8:15 am

Hi Teddy,

What you’re after can be achieved using privileges and the special Myself role in Xaraya.

Add a privilege, select Articles from the Module: dropdown. Then select Article from the Component: dropdown. Change the level to Comment/Edit/whatever you’re allowing, then click on the ‘Specify the instances…’ link.

From there you can select the pubtype, categories, articleid and author that the privilege applies to. As mentioned xaraya has a Myself role. If you type Myself in the Author field, your users will only have the privilege for their own articles (remember you need to give them at least edit privileges for what you want, comment will only allow them to submit (post) an article).

One other note, by default, admin-modify returns to admin view, which may not be desirable. If it isn’t, over-ride the admin-modify template, and change the hidden return_url field to wherever is appropriate (back to modify, user display, user view, etc).

Hope that helped a bit,

regards

Chris

Comment by Teddy Jasin on May 15, 2008 @ 12:46 am

Hi chris,
thanks for your comment. That exactly what I wanted to do.
I will try your steps and will let you know. Thanksssssss!!

Leave a comment

(required)

(required)