Hi Sue, I appreciate the members/logged in nature of the form. My main concern is if someone decides to interrogate or wreck the database through it. My impression was the EE folks hadn’t allowed editable forms yet due to security concerns. Might be wrong, but it’s in my nature to double-check!
Oh, and to use formatting buttons, add
{formatting_buttons}
somewhere in the form, and then add
onclick='setFieldName(this.name)'
to each field to make the fields clickable and thus able to accept button code.
As a security precaution, you could hard code the status to be something like “Pending” or “Edited” or whatever status you want.
If the editor is a superadmin, you could add Open and Close to the list.
You’d need to add additional statuses to your Status Group and allow your Member group to access them.
It’s the same sort of thing you can do to the SAEF (standalone entry form).
It would be the same security concerns for that form. The only difference is that you’re pulling in the current values for an existing entry instead of adding a new entry.
Hey! Glad you guys are going to town on this plugin. Here’s the reasoning on security.
Of course we all know that a plugin is not considered secure until pMachine approves it. This one has not yet been approved nor has it yet been submitted for approval.
The plugin itself doesn’t place anything in the database. It only retrieves from the DB. So the security concern is about using the stand-alone entry form as an edit form. It’s possible to call an entry that does not belong to you into the form. If you consider this a security risk, then you can wrap this conditional around your entry_form tag pair:
{if author == username}{/if}
I haven’t tested it, but it should work to prevent someone from editing an entry that is not theirs.
Otherwise, the edit form is just as secure as the entry form supplied by pMachine. It is the same form after all.
v1.1 is ready now. It contains a way to determine if the current member is the author of the entry. You can show a message if the member is not the author.
Good stuff folks. Thanks all.
LisaJill, what do you need a standalone plugin to do? The function that comes with the plugin is basically checking for the session member_id matching the author_id in exp_weblog_titles.
If your intention is to allow users to edit their own articles, you could use the whole plugin to do so.
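The ownership check Sue describes (session member_id compared against the entry's author_id in exp_weblog_titles) can be sketched as a small server-side function. The PHP below is an added illustration for this thread, not the plugin's own code: the function names, the `$session_member_id` and `$entry_id` parameters, and the `sample_entries()` array standing in for rows of exp_weblog_titles are all assumptions, and the rows are constructed sample data.

```php
<?php
// Added illustration, not the plugin's code. Shows the check described above:
// the logged-in session's member_id must equal the entry's author_id before
// an edit form (or edit link) is rendered for that entry.

/**
 * Constructed sample rows standing in for exp_weblog_titles:
 * entry_id => author_id. Real code would read these from the database.
 */
function sample_entries()
{
    return array(
        101 => 7,   // entry 101 belongs to member 7
        102 => 7,   // entry 102 belongs to member 7
        103 => 12,  // entry 103 belongs to member 12
    );
}

/**
 * True only if the entry exists and its author_id equals the session
 * member_id. Both sides are cast to int so a value taken from the query
 * string cannot slip past a loose comparison.
 */
function member_owns_entry($session_member_id, $entry_id, array $entries)
{
    $entry_id = (int) $entry_id;
    if (!array_key_exists($entry_id, $entries)) {
        return false;   // unknown entry: refuse rather than guess
    }
    return (int) $entries[$entry_id] === (int) $session_member_id;
}

/**
 * Decide whether the edit form should be shown for the requested entry.
 * $session_member_id comes from the server-side session, never from the
 * request; $entry_id is whatever the visitor asked for (e.g. ?entry_id=103).
 */
function can_show_edit_form($session_member_id, $entry_id)
{
    if ($session_member_id === null) {
        return false;   // not logged in: no edit form at all
    }
    return member_owns_entry($session_member_id, $entry_id, sample_entries());
}

// Usage: member 7 requests entry 103 (owned by member 12), then entry 101.
var_dump(can_show_edit_form(7, '103'));
var_dump(can_show_edit_form(7, '101'));
var_dump(can_show_edit_form(null, '101'));
```

The point of comparing numeric ids from the session rather than display names is that the member_id is set by the login, not by anything the visitor types into a URL or form field, so swapping the entry_id in the request only ever reaches the visitor's own entries.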
Solspace, that is brilliant. Just tested it with another login. Works perfectly. Quick work!
Sue, Lisa: So, inside weblog:entries tags elsewhere, the new ownership tags can be used to only show an edit link if you are the author? For example, in an Archive list, only your own entries would have an edit link to the SA Edit form?
Solspace sells Ginsu knives too, you know. Sounds like you need the handy dandy “helper” plugin. It’s the Solspace Swiss Army knife. But it’s a mofo to document. Wanna stab at it? Need any more blade metaphors? Sue’s rapier wit maybe?
hrm? I just need a way to compare the author to the currently logged in user. All your stuff deals with forms, I don’t need anything that complicated. =+)
Is there anything else I need to change (and was that change correct) to conform the sample code to my site? (Currently I get a blank screen when I browse it.) Thanks in advance for the info.