Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Permissions - Profile: Edit not working as expected
I'm not sure if I've discovered a bug or if I don't understand how the profile permissions works. I tried setting one of my roles so that the Profile "Edit" box is not checked but the "View" button is checked (see attachment.) I figured this configuration would allow users to view their profile but not edit it. However, even with the "Edit" box unchecked, profiles are still able to be edited by users assigned to this role.
If I uncheck the "View" the box is does prevent the user from viewing the profile. However, the "Edit" box seems to have no impact. Can anyone shed some light on this?
I'm using Vanilla 2.12b and the profile extender is active.
0
Comments
if you want to change the edit behavior
change at line 301 in applications/dashboard/controllers/classprofilecontroller.php change $this->Permission('Garden.SignIn.Allow'); to $this->Permission('Garden.Profiles.Edit');for preferences the same thing at line... 745
removing picture by signin allow. change if you want at 905
currently alot is controlled by signin allow and not as you @meshugy expect.
BTW, did you check github if issue was filed. since you are using vanilla 2.1b2, you are by defacto a developer and it is assumed you do this and file github issues.
activity is controlled by profile view.
showing activities can be controlled for all via
$Configuration['Garden']['Profile']['ShowActivities'] = FALSE;
Since i have no idea if this was the plan or an overlook hard to tell if it is a bug or not.
@Todd
also NON-role-based miscellaneous config settings.
in config.php editing pictures controlled by anyone $Configuration['Garden']['Profile']['EditPhotos'] = FALSE; usernames by anyone $Configuration['Garden']['Profile']['EditUsernames'] = FALSE; editing email by anyone $Configuration['Garden']['Profile']['EditEmails'] = FALSE; activity is controlled by profile view. showing activities can also be controlled for all via config for non-role based $Configuration['Garden']['Profile']['ShowActivities'] = FALSE;otherwise controlled by
Signin allow checkbox in dashboard permissions for role.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
IIRC, users are able to edit their own profiles even if the
Garden.Profiles.Editpermission is disabled, because that permission is for allowing users to edit other users' profiles.If this is how it works, then it's similar to how the
Vanilla.Discussions.Editpermission works in that it allows users to edit other users' discussions. Revoking the permission doesn't affect the ability to edit their own discussions besides the edit time limit setting.It's possible to redirect users on certain pages who don't have a specific permission or are in a specific role with a plugin.
Add Pages to Vanilla with the Basic Pages app
I think you are partially correct shadowdare.
it may be the intent but that is not the case.
I'm not so sure.
Much of the control affecting others profiles could easily be controlled by
Garden.Users.Edit
The profilecontroller has various inconsistencies as to what you can do vs. what you can't do.
e.g.
setting a picture and thumbnail seems to be controlled via
// Permission checks
$this->Permission('Garden.Profiles.Edit');
not much else.
the whole controller needs to be gone through with a fine-tooth comb me thinks.
but a plugin add a tighter control would be the best scenario as you say to fine tune permissions with some of the inconsistencies fixed, so it edit acts the same manner in the garden.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
@peregrine thanks, your suggestion worked perfectly.
Before I get hit with a frying pan.
Thanks, but i want to point out that modifying the core and changing permissions is not a great idea. I was more pointing it out if you wanted to post on github or if Todd had comments.
It's also a double-edged sword - while you restricted abilities to edit, etc for users with non-profile edit privs. At the same time you may have also unwittingly opened up privs for people who are not admins that now do have profile edit privs in their role.
So bottom line - avoid, but test test test everything if you do give a role besides admin with profile edit privs.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
@peregrine thanks for the advice....I figured there may be some serious implications in making a change like that so I went through and checked everything pretty thoroughly. Seems OK....
it may be good now, but if they alter what
Permission('Garden.Profiles.Edit'); does next version you may have something completely different.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
@peregrine I changed them back. If I continue to explore this option, I'll see if I can find a safer way to do it. thanks...