× Please submit new Bug Reports on GitHub: github.com/Jensen-Technologies/component-creator-issues/issues

Login user can view other record which is not created by the same user

pred 3 rokmi 11 mesiacmi #9811 od Lee Chen
Login user can view other record which is not created by the same user bolo vytvorené Lee Chen
Hi everyone

I am wondering whether anyone has same problem as mine. The code below suppose if the user is Super User or login user id matches record created_by user id. However, if I changed the table id etc from 9 to 8 on the link /index.php/en/component/orders/order/9 to /index.php/en/component/orders/order/8 , where record 8 is not created by login user and still be able to view the record details.

if(empty($result) || $this->isAdminOrSuperUser() || $table->created_by == JFactory::getUser()->id){

}

any ideas?

many thanks.

Prosím Prihlásiť alebo Registrácia pre zdieľanie konverzácie.

pred 3 rokmi 10 mesiacmi #9814 od Glenn Arkell
Odpoveď od Glenn Arkell na tému Login user can view other record which is not created by the same user
Hi Lee,
You possibly have already solved this but just in case . . .
In the site/views/order/view.html.php file you can add an extra check here before the $this->_prepareDocument(); such as
if ((isset($this->item->created_by) && $this->item->created_by != $user->id) || $this->isAdminOrSuperUser()){
throw new Exception(Text::_('JERROR_ALERTNOAUTHOR'));
}
Hope this helps. Cheers.
Glenn

Prosím Prihlásiť alebo Registrácia pre zdieľanie konverzácie.

Čas vytvorenia stránky: 0.048 sekúnd
Funguje na Kunena fórum

We use cookies so that you can place orders and we can provide a better service. You can control the use of cookies at the individual browser level. If you reject cookies, you may still use our website, but your ability to use some features or areas of our website may be limited.

Learn More