
Restrict access to Flag Friend Views tabs.

Project: Flag Friend
Version: 6.x-1.x-dev
Component: Flag friend access
Category: feature request
Priority: normal
Assigned: Unassigned
Status: needs work

Issue Summary

Hi,

Greetings,

I have a problem while using Flag Friend. For instance, user A could view all his friends in "My Account" tab > "Friends" tab. However, user A could also access user B's profile (because I have allowed them to access other user profiles) and click on user B's "friends" tab to view his friend list.

How could I make the tab invisible? I would like a particular user to view his own friend list but not see someone else's friend list.

Is that possible? Could you provide some guidelines for me?
Thank you.

Comments

#1

Check out the access setting within Views.

#2

Hi,

I have checked out the access setting. I have tried different settings over and over again but I still have not managed to get the outcome that I want. There are lots of choices of settings for permission. Which one shall I pick?

Sorry to interrupt you again.
Your advice is much appreciated.

Thank you.

#3

Yeah, Views access settings have a lack of features. I simply added some PHP code to the template of the view, which outputs something like "sorry, you are not allowed to see this". Maybe there is a module to use PHP for views access?

#4

Title: How to remove friend tab? » Views Access Plugin
Category: support request » feature request

So as a feature, it would be good to have an Access plugin. This would be useful for a variety of other Views as well (say you only want Friends to be able to see a user's content).

Luckily, Access plugins are trivial to write.

#5

Component: User interface » Flag friend access

changing component category

#6

Assigned to: DLZJ » Anonymous
Status: active » closed (won't fix)

I'm not likely to write this as writing Views code still makes me feel like a small child left out in the rain...

Please reopen if you plan to work on this.

#7

Version: 6.x-1.0-beta5 » 6.x-1.x-dev
Assigned to: Anonymous » Scott Reynolds
Status: closed (won't fix) » active

Reopening as this is a total no-brainer. And it's so simple.

#8

Any news? My users can currently see both their own and others' pending friend requests.

#9

Title: Views Access Plugin » Restrict access to flag friend tabs.
Category: feature request » support request

As far as I know you don't need an access plugin for that. This is doable with Views settings only.
UPD: Silly me. I'm so used to the features of Panels that I thought it's doable in Views too. As far as I see it's impossible :(

#10

Category: support request » feature request

;-) There isn't one of those. And if you think about it, that makes sense, right?

In order to implement it you would need to know what argument to use to compare against the 'current user'. And Access plugins don't have any concept of Views arguments. And since there is no context system in Views (there is in CTools) there is no 'context: This is the current user:'.

But that's not what this issue is about; it's about providing a way to restrict access to a view to friends of a specified user from arguments or otherwise.

#11

Category: feature request » support request

@mattiasj:
Do you have the following code in the "argument validator: PHP Code" setting? As far as I see, Flag Friend 1.x ships with it by default. Doesn't it work for you?

<?php
if ($argument !== $GLOBALS['user']->uid && !user_access('administer users')) {
  return FALSE;
}
return TRUE;
?>

#12

Category: support request » feature request

oops

#13

@Scott
Perhaps that should be an argument validator then? :) "User: current user"

UPDATE: I will include it in Flag Friend 2.x (it's very simple).

#14

Title: Restrict access to flag friend tabs. » Restrict access to Flag Friend Views tabs.

#15

Argument validators say "Page Not Found". Not "Access Denied"

#16

Yes, but it's not a big difference. I already have implemented this and Views tabs only return 404 if you access the URL by typing it manually; otherwise they are hidden, which is what users want :)

#17

@crea, thanks I got it working by using that validation code.

#18

Hi, I have tried this and there must be something simple I am not grasping, but I have tinkered with it for ages and still cannot get restricted access. Can anyone spell it out for me??! Please! Thanks!

#19

IMHO it makes a big difference if the page gives a 404 not found or a 401 access denied.

Let me explain:
We are sending e-mails (with Rules) when new friendship requests are waiting. We link directly to the user/[uid]/pending page in the e-mails.
Suppose that a user is not logged in yet on the website, but clicks on the link in the e-mail. Now the user gets a HTTP 404 not found, and thinks there is something wrong with the website or with the link in the e-mail. If he would've gotten a HTTP 401 access denied, he would've understood that he needs more/other credentials to access this URL.

Also, the 404's in this case clutter records in web statistics software like Google Analytics etc.

Ideally there should be a views action (action to take if argument is not present or does not validate) that does a "Hide view/ Access denied (401)", in addition to the currently available actions like "Hide view / Page not found (404)".

#20

Or a better way might be a views access plugin that compares the argument with the current user, see this related issue, which includes a patch for Views as well: http://drupal.org/node/305250

#21

#11 was the good suggestion for me. Why isn't it provided by default with the module any more? Actually, it's provided for one of the displays (page_2, the one regarding Pending demands). Why not for page_3?

Regards,

#22

Assigned to: Scott Reynolds » Anonymous
Status: active » fixed

I've added the default argument validation php code to the (flagged display).
http://drupal.org/cvs?commit=403930

Unless Scott has plans to do this with an actual validation handler, I'm marking this fixed.

#23

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

#24

Status: closed (fixed) » needs work

So the fix will result in a 404 Page Not Found and not a 401 Access Denied, making it impossible to give end users a good user experience when putting links in e-mails to go straight to the page with pending requests (see #19 and #20)?

Maybe there is a possible alternative: overriding the access callback with hook_menu_alter() until the necessary missing feature in Views (http://drupal.org/node/305250) gets implemented?

function flag_friend_menu_alter(&$callbacks) {
  // need to override access callback of the following views as they should give a
  // HTTP access denied instead of a HTTP page not found
  $paths = array(
    'user/%views_arg/friends/all',
    'user/%views_arg/friends',
    'user/%views_arg/friends/pending',
    'user/%views_arg/friends/flagged',
  );
  foreach ($callbacks as $path => $callback) {
    if (in_array($path, $paths)) {
      $callbacks[$path]['access callback'] = 'flag_friend_list_access';
      $callbacks[$path]['access arguments'] = array(1);
    }
  }
}

function flag_friend_list_access($user_id) {
  global $user;
  return in_array($user->uid, array($user_id, 1));
}
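
Added example, not part of the thread or of Flag Friend's code: a stand-alone PHP check that runs the owner-or-uid-1 rule from #24 over constructed inputs, next to a strict variant that refuses anonymous users and compares IDs as strings. The function names and sample values are assumptions; `$current_uid` stands in for the global `$user->uid` and `$arg` for the `%views_arg` path component.

```php
<?php
// Added example, not from the issue thread. Stand-alone: no Drupal bootstrap.
// $current_uid stands in for $GLOBALS['user']->uid, $arg for the %views_arg
// path component. Function names (hypothetical) and all sample values are
// constructed.

// Loose membership test: owner or uid 1, compared with ==.
function friend_list_access_loose($current_uid, $arg) {
  return in_array($current_uid, array($arg, 1));
}

// Strict variant: anonymous is refused, IDs are compared as strings.
function friend_list_access_strict($current_uid, $arg) {
  if (empty($current_uid)) {
    return FALSE;
  }
  $uid = (string) $current_uid;
  return $uid === (string) $arg || $uid === '1';
}

// array(label, current uid, path argument)
$cases = array(
  array('owner views own list', '5', '5'),
  array('other user', '5', '7'),
  array('uid 1 views any list', '1', '7'),
  array('anonymous, user/0/friends', 0, '0'),
  // 0 == 'abc' is TRUE before PHP 8.
  array('anonymous, non-numeric arg', 0, 'abc'),
  // Two numeric strings are compared as numbers by ==.
  array('zero-padded arg', '5', '05'),
);

foreach ($cases as $case) {
  list($label, $uid, $arg) = $case;
  printf("%-28s loose=%-5s strict=%s\n", $label,
    var_export(friend_list_access_loose($uid, $arg), TRUE),
    var_export(friend_list_access_strict($uid, $arg), TRUE));
}
```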

#25

I'd rather not put something temporary into the module that is being worked on elsewhere only to take it out again.

However, this solution is quite elegant I think and I would recommend either creating a patch here for it so that it can be referenced in a drush .make file, or putting it within its own custom module for any site that wishes to make this distinction. I will also leave the issue open.

Thank you Cyberwolf!

#26

The other two tabs, i.e. pending and flagged, are hidden from the friend's friend tab. Can anyone tell me its settings so that I can hide another tab in such a way?
My access settings of the view are similar to the two.
Please help me: how do I hide the tabs?