Filter form display block by associated user (prevent users from editing other's records)

I've noticed that it is possible to view/edit other people's form submissions by simply changing the entry ID number at the end of the review URL (i.e., www.mysite.com/form/?entryID=5). I want to be able to prevent users from editing other people's form submissions.

The only way I could think to accomplish this is to create a custom proforms_display template and modify the custom view.php to only show a record when the associated_user ID equals the ID of the user currently logged in. I can get the user ID of the logged in user, but I can't figure out how to get the associated_user attribute from the current proforms item.

And, there may be a better way to accomplish this altogether - I'm welcome to any ideas!

Type: Discussion
Status: New
kspitzley
RadiantWeb replied on at Permalink Best Answer Reply
RadiantWeb
You should be able to use ProformsItemID. so something like this:
//get user id
$u = new User();
$uID = (int)$u->uID;
//get proforms object (nothing comes back for an unknown ID, so check before using it)
$pfo = ProFormsItem::getByID((int)$ProformsItemID);
//get associated user (may come back as a user object or as a plain uID)
$formUser = is_object($pfo) ? $pfo->getAttribute('associated_user') : null;
$formUserID = is_object($formUser) ? (int)$formUser->getUserID() : (int)$formUser;
//compare strictly, and only for a logged-in user, so an empty attribute can never match an empty uID
if($u->isRegistered() && $formUserID > 0 && $formUserID === $uID){
     //form info
}else{
    //not yo form!
}
kspitzley replied on at Permalink Reply
kspitzley
Thank you for the quick response! I will try that and report back.
kspitzley replied on at Permalink Reply
kspitzley
This worked!! And, now I know how to call in other form attributes...I'm so happy.

Here's exactly where I put everything in case there are other newbies like me looking for the same thing:

Around line 20, after
<?php    if($ProformsItemID){ ?>
      <input type="hidden" name="ProformsItemID" value="<?php   echo $ProformsItemID?>"/>

I put:
<?php
      $u = new User();
      $uID = (int)$u->uID;
      $pfo = ProFormsItem::getByID((int)$ProformsItemID);
      //attribute may be a user object or a plain uID; normalise to an int
      $formUser = is_object($pfo) ? $pfo->getAttribute('associated_user') : null;
      $formUserID = is_object($formUser) ? (int)$formUser->getUserID() : (int)$formUser;
      //this opening brace is the one the "}else{" after </form> closes
      if($u->isRegistered() && $formUserID > 0 && $formUserID === $uID){
      ?>


Then, around line 103, after the </form> close, I put:
<?php }else{ echo t('You do not have access to this form record'); }?>
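The thread's check works, but it is spread over two places in the template and relies on a loose comparison. The following is an added example, not code from this thread or from the ProForms add-on, that packages the same idea as a single fail-closed function for a custom proforms_display view. It assumes the concrete5 5.6-era API the thread uses (User, ProFormsItem::getByID, getAttribute), that $ProformsItemID is the variable the view already exposes, and that the associated_user attribute returns either a UserInfo object or a raw uID; the function name proforms_user_owns_item is my own.

```php
<?php
// Added example (not from the thread or the ProForms add-on): an ownership
// check for a custom proforms_display view in concrete5 5.6, built on the
// same calls the thread uses (User, ProFormsItem::getByID, getAttribute).
// Assumptions: 'associated_user' holds the owner's uID or a UserInfo object;
// $ProformsItemID is the variable the view already exposes.

defined('C5_EXECUTE') or die('Access Denied.');

// Guarded so a page that renders this view twice does not redeclare the function.
if (!function_exists('proforms_user_owns_item')) {
    /**
     * Return true only when the current visitor owns this ProForms item.
     * Fails closed: no item, no login, or no owner recorded means "denied".
     */
    function proforms_user_owns_item($ProformsItemID, User $u)
    {
        // Anonymous visitors never own a record; this also avoids the
        // "null == null" trap when both sides of a loose comparison are empty.
        if (!$u->isRegistered()) {
            return false;
        }

        $pfo = ProFormsItem::getByID((int) $ProformsItemID);
        if (!is_object($pfo)) {
            return false; // unknown ID: deny rather than call a method on null
        }

        $owner = $pfo->getAttribute('associated_user');
        // Assumption: the attribute may be a UserInfo object or a raw uID.
        $ownerID = is_object($owner) ? (int) $owner->getUserID() : (int) $owner;
        if ($ownerID <= 0) {
            return false; // record has no owner: nobody but an admin should see it
        }

        // Strict integer comparison, not ==, so "" or "0" can never match.
        return $ownerID === (int) $u->getUserID();
    }
}

$u = new User();
$canView = $u->isSuperUser() || proforms_user_owns_item($ProformsItemID, $u);

if (!$canView) {
    // Deny before any part of the form (including the hidden ID field) is emitted.
    echo t('You do not have access to this form record');
    return;
}
?>
<!-- the original view's form markup follows here unchanged -->
```

Placing the check before the hidden ProformsItemID input means nothing about the record is rendered for a non-owner. A check in the view only controls what is displayed; if the add-on's own save action does not verify ownership on submit (something to confirm against its controller), the same function should be called there as well, since a POST can carry any ProformsItemID regardless of what the page showed.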
RadiantWeb replied on at Permalink Reply
RadiantWeb
I'm just happy that someone understands the concept of custom views and tailoring your own views to take full advantage of C5 apps!
