[jgalak]

I have a GCrud set up where I need to allow the user to edit some, but not all, rows (depends on login permissions). 

 

Ideally, I'd like to be able to programatically turn on or turn off the buttons entirely, but I found no way to do so. 

 

I thought that maybe "callback_before_update" would let me at least display a "you can't do that" message and go back, but it doesn't seem like there's any way to cancel the update from that callback.

 

I'd rather not have to re-write the whole update functionality using "callback_update". 

 

Is there an easy fix?

 

Thanks.

[Amit Shah]

Welll there is an easy / simple fix ..

$crud->unset_edit();

///and then

$crud->add_action('Edit', '', '','ui-icon-image',array($this,'just_a_test'));

function just_a_test($primary_key , $row)
{
      //If the requirement matches
     if($true)
          return site_url('class/same_gc_method/edit/' . primary_key);
     else
          return 'javascript:void()';
}

that should give u the desired solution.. but 1 thing you make sure that you do a double check before you allow the user to edit the record. If it dose not match the criteria for being edited - u must stop him from doing so. Else - edit with the primary key is just the url.. u are not allowing the user to edit the row by not setting the url for edit but he can generate edit url for the row and manually call it..

if the logic to block him is not set - it will defy our purpose..

 

Happy Gcing :)

[jgalak]

Thanks! That should do what I need. The issue with updating directly from URL remains though - but it's not unique to this problem. Is there no way to make sure the edit screen can only be accessed through a button, not by just editing the URL?

[Amit Shah]

Welll it is tough to make 100% sure that the call is from the edit button but you surely can do 1 thing - put a check on the refereing url ... if the refering url is blank, its a direct call and u can catch him on the same.

 

If anything interesting comes up - i surely will share the same.

 

Hope this helps

 

Happy Gcing :)

[jgalak]

Ok, clearly I'm doing something wrong.  I am trying to edit "libraries\grocey_crud.php".  Around line 4377 is the update code, which has the block of code:

			case 6://update
				if($this->unset_edit)
				{
					throw new Exception('This user is not allowed to do this operation', 14);
					die();
				}

Immediately after this, I've added the following code, hoping to catch URL edits:

                $ci = &get_instance();
                $ci->load->library('user_agent');

                if(empty($ci->agent->referrer()))
                {
                    throw new Exception('Direct edit of URL is not allowed', 14);
                    die();

                }

This seems to have no effect at all.  I can still type in the URL directly.

 

Help?

[Amit Shah]

well. i wont suggest you do any modification in the library.. leave it alone..

 

what you can do is .. make use of $cruf->getState()

if the state is edit... and if the referel for the call is blank.. show him error.. else.. just do whatever is relevant for you to do.

 

Happy GCing :)

[jgalak]

Ok, I understand how to do that - didn't know about getState().

 

Unfortunately, the easy fix doesn't seem to work - when I unset edit, it seems to block entry into the edit function from my custom action.

 

However, by using getState(), I was able to trap for this here.  If someone clicks edit who shouldn't. they get an error message.

 

In case anyone else has a similair problem, here's the relevant code:

        elseif( $operation == 'edit' || $operation == 'update' || $operation == 'update_validation')
        {
            //Block direct entry into edit function
            if (!($this->agent->is_referral()))
            {
                echo "Do not edit URL directly";
                die();
            }

            //Only edit your own
            if(!($hi == $this->userid))  //This is where I test if user is allowed to edit this row
            {
                echo "You cannot edit someone else's comments";
                die();
            }

            //Do work here if permitted

Thanks for the help!