Private Profile pages

Permalink 3 users found helpful
I have a membership site and want to allow users to view and edit their own profile pages, but I do not want those profile pages to be accessible to the public as they have private information. I know I can remove links to those pages, but one can still access them if they know what to put in a url.

My site is currently just using the default theme and is located here:http://csik9.net - so custom theme issues should not pertain.

What I have done so far is this, which is as close as I could get, but cannot figure out how to only allow a logged in user to only view his own profile:

I have done the following:
- Dashboard>Users/Groups>Login/Registration - I enabled Public Profile.
- Dashboard>Users/Groups>User Attributes - Marked my custom attributes to display in public profiles and to be editable in public profiles.
- Went to site/index.php/profile and edited page permissions only for admin and the user group I created for the site members.

I can still go to site/index.php/profile/-/2 (2 being a profile number)and view other profiles and want that info only private for the person whose profile it is.

Ques 2. Could someone please tell me the proper way to add a link to the main navigation bar on a site, to a logged in users profile page on the front-end. In the sitemap it seems to be listed as a "System page", that is, only shows up on the sitemap when I tick the box to show system pages. How do make this page so that I can have it included as a link on the main navigation as it seems to be excluded by some default way?

Thanks

uswebdesigner
 
ThemeGuru replied on at Permalink Reply
ThemeGuru
Simple.

Enable advanced permissions and just lock the profile pages to only registered users or users in a certain group. (That should work or else you can always edit the single pages. Remember copy them from: /concrete5/single_pages to: /single_pages. That way you can edit them and still update the core without losing all your hard work!)

As for the link what I do is hardcode it into the actual theme and make sure when the user is logged in they see "My Account/Profile" and then they are not logged they see Sign In.

<?php global $u; 
if ($u -> isLoggedIn ()) { ?>
//Do Something
<?php } ?>
uswebdesigner replied on at Permalink Reply
uswebdesigner
Thank ThemGuru. Unfortunately that is what I have done so far, but limiting access to logged in users or a group still allows all logged in users or users of that group to view all of the profiles. What I need is an automated way to allow only users to view only their profile, and not others.

Automated meaning, not having to go in for every user and individually set permissions, which would be way to admin heavy. There has got to be a way. I figure any decent member site that would allow users to be able to edit their profile would need this.

2. And thanks for idea of hard coding in the link for the Member Profile page. I was hoping that there was a more integrated approach to do this, such as allowing those pages to Not Be Excluded from the nav.

So any further help still requested. Thanks so much.
frizzleb replied on at Permalink Reply
frizzleb
My apologies if I misunderstand but inst a profile page dynamically generated so if an unauthorized user did access the profile surely they would not be able to make changes because the User object is specific to an individual user.

I believe any changes would require the User object and by default the current user is set to the user object. This would mean that if you access the profile you could only change your own data. And then you can simply stop non-registered from accessing the profile.

If you want to stop users accessing each others profile I suppose you could grab the ID of the users profile about to be accessed and if it is not the same as the logged in user redirect back to the profile.

Regards Frazer
Shotster replied on at Permalink Reply
Shotster
> I have a membership site and want to allow users to view and edit their own profile
> pages, but I do not want those profile pages to be accessible to the public as they
> have private information.

Hi David,

I think I'd take a different approach. Rather than enabling public profiles, which is precisely what you said you don't want to do (i.e. you don't want the public to be able to access other members' profiles), I would disable that option and then make some modifications to ensure that a logged-in user could see only their profile.

One way (which I've tried but not tested extensively) would be to override the profile controller file by copying...

/concrete/controllers/profile/controller.php

...to...

/controllers/profile/controller.php

...and then changing the view() method to something like the following...

<?php
   public function view($userID = 0) {
      $u = new User();
      if(($userID > 0) && ($userID != $u->getUserID())) {
         header("HTTP/1.0 404 Not Found");
         $this->render("/page_not_found");
      }
      $html = Loader::helper('html');
      $canEdit = false;
      if ($u->isRegistered()) {
         $profile = UserInfo::getByID($u->getUserID());
         $canEdit = true;
      } else {
         $this->set('intro_msg', t('You must sign in order to access this page!'));
         Loader::controller('/login');

Again, this has not been thoroughly tested, but it might get you thinking along different lines.

Then, it's just a matter of putting a link to...

/index.php/profile

...somewhere in your theme - either in the nav or hard coded somewhere in the theme.

-Steve
misebaz replied on at Permalink Reply
misebaz
Hi uswebdesigner,

Did you ever get to figure this out? I am trying to do something like this now. Not sure I follow exactly what Shotster is saying. I am no a coder and am very new at this.

Thanks

Barry
uswebdesigner replied on at Permalink Reply
uswebdesigner
That project of mine went away and I never finished it. It was a while ago. Sorry I can't be of much help.
rainmaker replied on at Permalink Reply
rainmaker
Hey if you use the code above, it works. I just tried. :)