I am urgently needing to implement a modification to ensure that users can only modify their own links. I am about to install and implement the fully functional site. My present site navigation directs people through the user log-in page before they reach the 'add' and 'modify' pages.

I would like to be able to do the following:
1. Ensure that only registered users can add links- and record which user the link belongs to.
2. Allow the logged-in user to search for a list of links that belong to them (Titles and dates only) and select which link to modify. (repeating this stage as often as necessary.
3. Ensure that no-one can modify links that do not belong to them.

I have thought about the following modifications:
1. Having the logged-in user's username entered into hidden fields within the 'add' form and stored with the link record.
2a. Having the logged-in user's username entered into hidden fields within a 'search' type form.
2b. Having a search results page with (Titles and Dates) of the links belonging to that user- which can be selected using a radio box. or similar?
2c. These hyperlinks (2b) lead to a 'modify' form which again records the username via hidden fields.
2d. Stages 2a-2c can be repeated as often as required until all records are modified.

Obviously all this is a lot of work- so if someone could tell me how to make the username field appear in a hidden field, I can also work on a solution.

Lots of questions for a Saturday morning from here in snowy Scotland.
Thanks for taking a look at my message.
Rennie




[This message has been edited by lcnl (edited December 04, 1999).]

Watch your link.html; there you can play with a hidden field; try

<input type=hidden value="<%new_field%>">

Robert

[This message has been edited by Robert (edited December 04, 1999).]

Thanks Robert,

I am obviously out of my depth here- before I go any further I have a problem with modify.cgi. Not all of my entries have URLs- some only have detailed pages.

I have tried altering modify.cgi to find links according to the ID but it will not work- I must be missing something? (I replaced all 'URL' in sub process_form with 'ID' and then 'LinksID' without success. It is unable to find the links.

Rennie

It seems one newbie meets another :-)

As i understand your prob right, you can do the following:
Kill the validate for the URL, so it can be empty. Then write in home.html; something like <%if URL%><a href= ...> - look for the right syntax inside it.
So, if you have an entree without an url, you left the field empty and it will get no link on it.

With this i do a small database for adresses in our intranet.

Robert

  
If this is true, then the cookie is stored in the system, and you can use that to check who they are. You can use that -- or you can also add a password so that they have to enter a password which matches the stored password in the database to modify the link. How much you want to do is up to you... but it should not be much code to make it work, unless it's already in there --- <G> ... I am a bit behind checking out all the features of the 1.1 especially the users.


This is a bit more complicated, since the links output uses the same template. BUT this is where "page.cgi" could possibly come in. Once the user is logged in, you could have the link pointing to page.cgi and a different template set, that has a different link.html file

Again, I can't give specifics since I have not checked out what the user system does.


This should not be hard, it's like #1 ... if the cookie and password match, they can edit, if not, they can't. It means storing the userid and a password or just a password with the links...


I think I touched upon workable solutions with what I know about links 1.0...1.1b3 and what is possibly in 1.1 now.


I don't think this is a lot of work... it depends on how the user function works, and might just mean adding a field to the links database so the system inserts the information from the cookie into it.

Alex posted some information on using the cookies ... and I might have gotten them into the FAQ

http://www.postcards.com/FAQ//LinkSQL/

If not, be assured they will make it there ...

Yep... it's there...

www.postcards.com/FAQ/LinkSQL/LinkSQL_-_Modifications/

It links back to here... but I could find that one easier.

Start there... see if that helps.



[This message has been edited by pugdog (edited December 04, 1999).]

about the user thingy.. it'd be an easy addon to add.cgi..

you just check for the users cookie or session id.. and if it doesn't exist make them login..

i'll make some things for this later on (later on)

jerry

Thanks for the help everyone.

I'm going to look at using the cookies and see how I get on.

Rennie

1. To confirm a user is logged on, add this to the beginning of the script:

my $s = $in->param('s') &#0124; &#0124; $in->cookie('s');
$USER = &authenticate ($s);
if (! defined $USER) {
print $in->header() if ($in->param('show_attach'));
&site_html_error ( { error => "Invalid session, please log in again." });
}

If the user is logged in then you will have access to all his info in $USER which is a hash reference. So to get his name just do $USER->{Name}.

2. Assuming that you have added a field called Username then just do:

my $db = new Links: BSQL $LINKS{admin_root_path} . "/defs/Links.def";
my $recs = $db->query ( Username => $USER->{Username}, ww => 1 );
if ($db->hits) {
foreach my $rec (@$recs) {
...
}
}

3. Just add a check that $rec->{Username} eq $USER->{Username} and you should be ok.

Hope that helps,

Alex
my $user_record

it's been awhile.. but recently i was doing someone's site and they wanted this mod.. so i had made it..

check out

http://www.pdamania.com/modify.cgi

login w/

u: jsu7785
p: test

this user has one link to modify..

then go to:

http://www.pdamania.com/user.cgi?to=/modify.cgi

login w/

u: pdamania
p: test

this user has 5 links (it may be more if I add more later on..)

these links were added through the administration.. however i changed add.cgi to force you to be logged in and it captures your username when you submit the link.. it then puts it into the Username field on the link.. contact name and email are unknown because i took those fields out and i am using them from the user database..

jerry

Jerry,

Totally cool!

Can't wait til you make them available.

I like your templates too! I haven't had time to come up with a graphics theme, but I hope to early next year.

BTW... the modified record still goes into the Validate database, right? You aren't allowing users to change their exposed links are you?

I guess that would/should be a flag in the edtors section, to allow a user to edit everything, but the average user should be able to modify their links, but still have to have the modification approved....

I know that people would abuse the ability to modify their own links -- eventually.

------------------
POSTCARDS.COM -- Everything Postcards on the Internet www.postcards.com
LinkSQL FAQ: www.postcards.com/FAQ/LinkSQL/









[This message has been edited by pugdog (edited December 29, 1999).]

yep.. modifies go into validate.. so does the deletes.. it took me awhile to make the delete. i had to mod the Admin_HTML.pm but the most annoying thing was that i couldn't use editor.cgi to allow Mode to be Validate|Modify|Delete

cause it didn't change it to enum('Validate','Modify','Delete')

what templates?

they are like bare except for the table! hehe.. only if i could open my site like that.. then it'd save me weeks working with HTML..

also.. pugdog.. do you know if there is a image editor that allows you to TOTALLY rotate an image.. like in ANY direction.. 3 dimensionally.. like i can drag a 2d image so that it's just a horizontal or vertical line.. i am trying to make a logo with the effect that the top of it is further away than the bottom..

jerry

[This message has been edited by widgetz (edited December 29, 1999).]

i forgot to mention that it's pretty secure..

if the user does not match the user when the form is processing it will return "You can not modify this link!"

also.. there are shortcuts.. like

if you logged in as pdamania..

http://www.pdamania.com/modify.cgi?ID=1001

jerry