NewsPublisher: Restricting Users to Their Own Pages

How to keep users from editing the pages of other users in NewsPublisher


If you are using the NewsPublisher extra for MODX Revolution and would like to restrict users to editing only pages they created, there's a fairly simple solution.

When you put the [[NpEditThisButton]] tag on a page, front-end visitors who are logged in will see a button labeled "Edit" on each page. Clicking on it will launch NewsPublisher with that page loaded in the editor. The secret to keeping users from editing other users' pages is to just not show them the button. This is easy to do with a simple snippet and a tag in your Template.

First, put this tag in the Template of any pages that will be editable by users:

    [[!CheckUsersOwnPage]]

Next, create a snippet called "CheckUsersOwnPage". Make sure that the snippet name is spelled exactly as it is in the tag above — snippet names are case-sensitive. Paste the following code into the snippet and save it:

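    <?php
    /* CheckUsersOwnPage snippet */

    /* Default: show nothing */
    $output = '';

    /* Show the Edit button only if the current user created this resource */
    if ($modx->user->get('id') == $modx->resource->get('createdby')) {
        $output = '[[!NpEditThisButton? &debug=`0`]]';
    }

    return $output;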

That's all there is to it. When MODX sees the snippet tag, it will run the snippet and replace the tag with what the snippet returns. In the snippet, we first set the output to an empty string. Next, we compare the user's ID with the createdby field of the resource. If they match, the user created the page and we set the output to a tag that will show the "Edit" button.

The end result is that if the user created the page, they will see the "Edit" button. If not, there will be nothing at all where the snippet tag was.

The only catch is that you might have originally created the pages for the users, or used an extra that created them. In that case, the createdby field may contain your ID instead of the user's ID. No users will be able to edit any pages until you reset that field. Fortunately, the Batcher extra provides a relatively easy way to do that.

In Batcher, put a checkmark next to all the pages belonging to a particular user. Click on the "Bulk Actions" dropdown and select the "Change Authors" option. Click on the "Created By" dropdown and select the user. Then click on the "Save" button. Once you've done that, the user's ID will be stored in the Resource's createdby field and the snippet will work as it should.
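CheckUsersOwnPage only decides whether the button is displayed. The following added example (not from the original article and not part of NewsPublisher) applies the same createdby comparison on the page that hosts the NewsPublisher form, so the rule is also checked when an edit request arrives. The snippet name NpOwnerGuard, the &idField property, and the np_doc_id request field name are assumptions; check the field name against the form your install renders.

```php
<?php
/* NpOwnerGuard snippet (hypothetical name; added example, not NewsPublisher code).
 * Call it uncached, above the NewsPublisher tag, on the page that hosts the form:
 *     [[!NpOwnerGuard]]
 * Assumption: the Edit button posts the target resource ID in a field named
 * np_doc_id. Override with &idField if your install uses a different name. */

$field = $modx->getOption('idField', $scriptProperties, 'np_doc_id');
$raw   = isset($_POST[$field]) ? $_POST[$field] : '';

/* No resource ID in the request: a new page is being created, nothing to check. */
if ($raw === '') {
    return '';
}

/* Anything that is not a plain scalar (e.g. an array) is treated as invalid. */
$docId  = is_scalar($raw) ? (int) $raw : 0;
$userId = (int) $modx->user->get('id');   /* 0 for anonymous visitors */

$resource = ($docId > 0) ? $modx->getObject('modResource', $docId) : null;

/* Allow only a logged-in user whose ID matches the resource's createdby field.
 * The $userId > 0 test keeps an anonymous visitor (ID 0) from matching a
 * resource whose createdby was never set (also 0). */
$isOwner = $resource !== null
    && $userId > 0
    && (int) $resource->get('createdby') === $userId;

if (!$isOwner) {
    /* Record the denial so repeated attempts show up in the MODX error log. */
    $modx->log(modX::LOG_LEVEL_WARN,
        '[NpOwnerGuard] user ' . $userId . ' denied edit of resource ' . $docId);
    $modx->sendUnauthorizedPage();   /* ends the request */
}

return '';
```

Like CheckUsersOwnPage, this depends on createdby holding the user's own ID, so the Batcher step above applies here as well.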

