Hi, I’m building out a channel form that allows users to create 1 singular profile page for themselves. They login with a form and the return is:
{exp:member:login_form return="site/show-faculty-bio"}
they populate a form and I use:
{exp:channel:entries channel="faculty_bio" author_id="CURRENT_USER"}
they can edit the form and I use:
{exp:channel:form channel="faculty_bio" return="site/show-faculty-bio" entry_id="{segment_3}" author_only="yes" include_jquery="no" secure_action="yes" secure_return="yes" unique_url_title="yes" }
and they can view the form and I use:
{exp:channel:entries channel="faculty_bio" author_id="CURRENT_USER"}
If I manipulate the URL, for say mysite.com/site/createform, and add a 2 after it (mysite.com/site/createform/2), it kills the logic of the page and who can view it. I don’t have code in the createform template reliant on segment_3, so even if someone adds a segment 3 it should throw a 404, right? I also have strict URLs enabled.
Also, when I test access issues I noticed that if I log in to the channel form with 2 users and move between URLs, it gets all messed up in the template logic: what content is shown to which user and to which user the conditionals apply.
Access to the form content seems really insecure so hoping someone may have examples or advice on ensuring only the users you want to have access to your forms have that access.
I was hoping parameters like author_id="CURRENT_USER" and author_only="yes" would be effective. Any way to handle users adding mischievous URL segments, or forcing 404s on them?
Thanks
This post https://expressionengine.com/forums/topic/247867/why-no-404 helped … it references a URL that you can find using the Wayback Machine. I don’t have permissions to post the URL here.
web[dot]archive[dot]org/web/20120626185832/[h../]joviawebstudio[dot]com/index_ee[dot]php/blog/guide_to_404_pages_with_expressionengine/ …fix the stuff between [ ]
Not sure if this is the best approach, but the way I solved this is by not showing the form unless it’s the proper segment.
Something like this:
{if segment_2 != '' AND segment_3 == ''}
You can force your last segment to match “createform” but only if segment 3 is empty.
Or this?
{if segment_2 == 'createform' AND segment_3 == ''}
That way, if someone adds something after /site/createform/somethinghere, it would deny access. You could also make sure the last segment is “createform”, but I think you get the idea, which is denying access to anything after your segment.
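Putting the segment guard together with the author checks from the original question, here is an added example of a complete edit template (not code from either poster). It assumes the template lives at site/editform with the entry id in segment_3 (the original used createform and an edit template whose name is not given), and that the channel:form tag is nested inside the channel:entries tag so the entry is verified before the form renders. One caveat worth knowing: channel:entries runs with dynamic="yes" by default, which makes it treat the last URL segment as a url_title or entry id; that is why an extra segment after /site/createform changes which entries (if any) are returned. Setting dynamic="no" removes that behaviour, and the explicit segment checks plus {redirect="404"} handle the rest.

```html
{!-- Added example, not from the original posts. Template: site/editform/{entry_id} --}
{!-- Assumption: the entry id is in segment_3 and nothing may follow it --}

{!-- 1. Only logged-in members may reach the form at all --}
{if logged_in == FALSE}
    {redirect="404"}
{/if}

{!-- 2. Reject any URL that is not exactly /site/editform/<id> --}
{if segment_2 != "editform" OR segment_3 == "" OR segment_4 != ""}
    {redirect="404"}
{/if}

{!-- 3. Confirm the entry exists AND belongs to the current user before rendering the form.
     dynamic="no" stops channel:entries from treating the last URL segment as a url_title,
     so extra segments cannot change which entry is looked up. --}
{exp:channel:entries channel="faculty_bio" entry_id="{segment_3}" author_id="CURRENT_USER" dynamic="no" limit="1"}
    {if no_results}
        {redirect="404"}
    {/if}

    {!-- author_only="yes" is the server-side check; the guards above only stop the form from
         being shown to the wrong person in the first place --}
    {exp:channel:form channel="faculty_bio" entry_id="{entry_id}" author_only="yes" return="site/show-faculty-bio" secure_action="yes" secure_return="yes" include_jquery="no"}
        <label>Title <input type="text" name="title" value="{title}"></label>
        <input type="submit" value="Save">
    {/exp:channel:form}
{/exp:channel:entries}
```

The segment conditional is the first line of defence and the author_only parameter on channel:form is the one that actually matters, since the form submission is what writes to the entry; the channel:entries wrapper with author_id="CURRENT_USER" adds a second check that the entry in the URL really belongs to the logged-in member before any of the form is rendered.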