Security Best Practice for Editing?
Permalink
Security Best Practice is to grant the lowest level of access to get a task done.
In the case of the Profile Form, if editor rights are given to a user,he has total control to add/delete/edit anything on the page in any block.
While it is true that a user can update the content of the displayed fields in the Profile form without Editor Rights, he loses all Java script functions like the pop-up calendar and CSS formatting since it only gets loaded if the user is an editor.
Try it out! Create custom attribute of type Date/Time in the User Attributes.
Create a user without editor rights and log-in and try to edit his profile, no pop-up calendar!
Log-in as a user who has Editor rights and you will see a pop-up calendar when clicking in the date field.
What if all you want to allow is editing content in a single block and not allow add/delete of blocks in a page?
OR
You have different users responsible for different blocks on the same page?
An example is an executive dashboard with Financial data, sales data and HR data all supplied by different content providers.
In the case of the Profile Form, if editor rights are given to a user,he has total control to add/delete/edit anything on the page in any block.
While it is true that a user can update the content of the displayed fields in the Profile form without Editor Rights, he loses all Java script functions like the pop-up calendar and CSS formatting since it only gets loaded if the user is an editor.
Try it out! Create custom attribute of type Date/Time in the User Attributes.
Create a user without editor rights and log-in and try to edit his profile, no pop-up calendar!
Log-in as a user who has Editor rights and you will see a pop-up calendar when clicking in the date field.
What if all you want to allow is editing content in a single block and not allow add/delete of blocks in a page?
OR
You have different users responsible for different blocks on the same page?
An example is an executive dashboard with Financial data, sales data and HR data all supplied by different content providers.
I'm using 5.4.1
It has to do with the fact that when the Profile page loads, it first loads header_required.php and page_controls_header.php
Even if advanced permissions is used, unless edit rights are granted to the page, the page_controls_header.php will not load the JavaScript and CSS files to allow things like the pop-up calendar to work or to use CSS styles.
While this is ok for users that need the ability to both add/remove blocks and edit the contents on the page, it doesn't protect against users who need to ONLY edit content and should Not be able to add/remove blocks or changes any properties of blocks.
It has to do with the fact that when the Profile page loads, it first loads header_required.php and page_controls_header.php
Even if advanced permissions is used, unless edit rights are granted to the page, the page_controls_header.php will not load the JavaScript and CSS files to allow things like the pop-up calendar to work or to use CSS styles.
While this is ok for users that need the ability to both add/remove blocks and edit the contents on the page, it doesn't protect against users who need to ONLY edit content and should Not be able to add/remove blocks or changes any properties of blocks.
also take a look at advanced permissions