I created three Content Types designated as "nodeprofile" for users:
- Basic Contact Info (filled out by every person who registers)
- Student Contact Info (only filled out by the "Student" Member Type), and
- Parent Contact Info (only filled out by the "Parent" Member Type).
Everything seems to be working well, EXCEPT: it seems that EVERYONE (including anonymous users) can view other people's nodeprofile pages (the above Contact Info pages). These pages contain confidential contact information, and should be visible only to the user him/herself (i.e. they should be able to see their own Contact Info pages) and designated roles (i.e. Teacher, Admin, etc.).
I didn't realize this until I hit the "Recent posts" link, and saw all the student and parent info when logged out. Uh oh!
Is there a way to make these pages visible and editable by their "owner" and by authorized roles?
-David
Comments
Comment #1
rconstantine commented:
Unpublish them and in settings for each of those three content types, set the default to unpublished (uncheck published).
I thought something else was in place for that, so do the above for now, but I'll look into this more.
Comment #2
rconstantine commented:
Okay. Seems my previous comment was the method used. Unpublished nodes will not appear in the recent posts link. At least I know new ones won't. I haven't tried changing old, published posts to unpublished to see what happens. If you use the diff module, the node titles will appear in the recent changes list, but clicking on them will give you a 'You are not authorized' message. I think the permissions that allow you to view a particular content type node that is not your own let you see unpublished nodes of that type.
Make sense?
Looks like yet another thing to add to the README file, right?
Comment #3
misterlawrence commented:
You are a life saver, my friend!
That did it. I am closing the issue, as my needs are met. Feel free to reopen it if you think of anything else that you think is relevant.
-David