Front Permissions not being enforced

rcadmin 23 Aug, 2013
For the Front end I have given list and read permissions to "Public" but then only "Super User" has create, delete and update permissions. That done however, anyone appears able to modify entries.

http://www.rosmini.school.nz/index.php/component/chronoconnectivity/StaffList

Not sure if this has anything to do with it but the body form my custom listing is:
<tr>
  <td>{title}</td>
  <td><a href='index.php?option=com_chronoforms&chronoform=dd_view&surname={surname}' >{surname}</a></td>
  <td>{subjects}</td>
  <td>{management}</td>
</tr>
rcadmin 24 Aug, 2013
Looking at the generated code,

index.php?option=com_chronoforms&chronoform=dd_view&surname={surname}


appears to generate

index.php/component/chronoconnectivity/StaffList/cc_edit_data/1


My guess is that "cc_edit_data" should rather be something like "cc_view_data" for everyone except super users.... just assuming :-)
rcadmin 25 Aug, 2013
After further tests, if I give public read permissions then they can also update (even if update is not set to public).
GreyHead 02 Sep, 2013
Hi rcadmin,

Is this still a problem? If you want to restrict the form then I'd add an Authenticator action there.

Bob
rcadmin 02 Sep, 2013
Hi yes that's what I will do in the end I was just interested as to why it might not work using the builtin permissions options. Thanks though, that will work.

Cheers :-)
GreyHead 03 Sep, 2013
Hi rcadmin,

I think - I'm not certain - that the permissions in CC just effect the display/access in the listing. They are not passed over to any linked form.

Bob
This topic is locked and no more replies can be posted.