Thread

See attached image, the client wants to remove these fields. I would like to ensure these fields are always “n” in the database and prevent someone from overwriting this with a “y”. What’s the best way to do this? Is there a configuration for this in the control panel? I can easily comment the template to not show the fields, but this doesn’t guarantee that a cross-site submission to the controller won’t allow a malicious user to update their preferences. Also, is there a way to set the default values for these settings? Currently some of them are set to “y” but our client doesn’t want to provide that functionality.

One more thing while we are there, is there a way to set the default for “in_author_list” for new members to “y”, currently new members are set to “n” but I want every self-registered member to be available in the authors select menu for channel administration.

Hi, soapcreative. You’d need to make changes to the underlying structure of the database, which is pretty easy to do. You’d want to make a backup copy of the tables before attempting to make changes.

See: http://eehowto.com/howto/articles/howto-set-in-authorlist-to-defalt-to-yes

You’d so something similar for the other fields.

Does that help?

Hi, soapcreative. You’d need to make changes to the underlying structure of the database, which is pretty easy to do. You’d want to make a backup copy of the tables before attempting to make changes.

See: http://eehowto.com/howto/articles/howto-set-in-authorlist-to-defalt-to-yes

You’d so something similar for the other fields.

Does that help?

Ah ok, yes Sue that helps thankyou. There’s one more thing concerning the controller - how do I prevent the controller from accepting form submissions to set these values (ie a malicious user could inject fields into the form that I have removed from the template and as far as I can see the controller would allow them to overwrite current database settings with “y”). Is there a way to prevent this?

You’d have to modify the code to check for the sent value. If you’re really worried about it, you might want to consider creating a cron job on the server to manually set the values you desire. Would you like me to move this thread to the Development forum?

You’d have to modify the code to check for the sent value. If you’re really worried about it, you might want to consider creating a cron job on the server to manually set the values you desire. Would you like me to move this thread to the Development forum?

Ok, no need to move the thread, I just wanted to know if there was a standard way to do it. I’ve decided to modify the member module, here’s the change I’ve made:

expressionengine/modules/member/mod.member_settings.php : 1307

/** -------------------------------------
        /**  Assign the query data
        /** -------------------------------------*/

        $data = array(
                        'email'                    =>  $_POST['email'],
                        'accept_admin_email'    => (isset($_POST['accept_admin_email'])) ? 'y' : 'n',
                        'accept_user_email'        => (isset($_POST['accept_user_email']))  ? 'y' : 'n',
                        'notify_by_default'        => (isset($_POST['notify_by_default']))  ? 'y' : 'n',
                        'notify_of_pm'            => (isset($_POST['notify_of_pm']))  ? 'y' : 'n',
                        'smart_notifications'    => (isset($_POST['smart_notifications']))  ? 'y' : 'n'
                      );

Changed to

'accept_user_email'        => (isset($_POST['accept_user_email']))  ? 'n' : 'n',
                        'notify_by_default'        => (isset($_POST['notify_by_default']))  ? 'n' : 'n',
                        'notify_of_pm'            => (isset($_POST['notify_of_pm']))  ? 'n' : 'n',
                        'smart_notifications'    => (isset($_POST['smart_notifications']))  ? 'n' : 'n'

Glad you’ve got a work around that works for you. Don’t hesitate to post again as needed.