Bug #23607 See Comments

Channel Form not allowing non Super Admin members with the same permissions to create new entries.

Version: 4.1.3 Reporter: grantmx

Steps to reproduce: GIVEN, I have a registered user that has been assigned to a user group with the same exact settings as a Super Admin. That user then visits a given page and sees the Channel Form I created. That user then fills out the form, and then submits the form. The form throws no errors in the server logs, nor visible PHP nor triggers any errors in the EE page, but simply takes the user to the return page I specified in the form, HOWEVER, a new entry for that user is NOT created.

IF, however, I add that user to the Super Admin user group, and that user visits the Channel Entry form, fills out the form, and submits the form, it takes them to the return page I specified in the form, AND the system creates a new entry for that user.

Using a simple channel form setup:

{exp:channel:form channel="news" return="includes/test/thanks" }
   <input name="title" type="text"><br>
   <input name="news_description" type="text"><br>
   <input type="submit" value="Submit">
{/exp:channel:form}
  • I’ve omitted and added both the url_title and entry_id parameters
  • I’ve added a hidden status field
  • I’ve ensured that the user has the correct permission to add, edit, delete an entry in that given channel.
  • I’ve even copied the Super Admin member group settings to this member group, still no luck.

This works in EE 3.5.10 fine. However, it doesn’t work in EE 4.1.3.

  • Can you double check the user group has permission to access the status? And if you try posting as that user in the control panel, do you get an error?

    Robin Sowell
    16th May, 2018 at 10:18am
  • Also, before doing more testing, go ahead and update to the latest- 4.2.1.

    Robin Sowell
    16th May, 2018 at 10:19am
  • Hey Robin -

    I’ve updated EE to 4.2.1 (great new update feature BTW!) and I am able to log in to the CP as the user and post an entry fine. But posting in the channel entries form still doesn’t work.

    BTW - once the user has an entry they are able to edit and delete the entry fine. It’s just that initial creation of a new entry that isn’t working.

    grantmx
    16th May, 2018 at 11:47am
  • You’re missing a url_title field, which is required. I’m guessing if you add the error variables to your template you’d see that error.

    Derek Jones
    16th May, 2018 at 12:32pm
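
The error variables mentioned in the comment above, shown on the reporter's test form as an added example (not code from the thread or from EllisLab). It assumes Channel Form's `error_handling="inline"` mode; the `url_title` input and the `errors`/`error` class names are additions for illustration.

```html
{!-- Added example: the reporter's test form with inline error output --}
{exp:channel:form channel="news" return="includes/test/thanks" error_handling="inline"}

   {!-- Errors that are not tied to a single field --}
   {if global_errors:count}
      <ul class="errors">
      {global_errors}<li>{error}</li>{/global_errors}
      </ul>
   {/if}

   {!-- All field-level validation failures in one list --}
   {if field_errors:count}
      <ul class="errors">
      {field_errors}<li>{error}</li>{/field_errors}
      </ul>
   {/if}

   <input name="title" type="text" value="{title}">
   {if error:title}<p class="error">{error:title}</p>{/if}<br>

   <input name="url_title" type="text" value="{url_title}">
   {if error:url_title}<p class="error">{error:url_title}</p>{/if}<br>

   <input name="news_description" type="text"><br>
   <input type="submit" value="Submit">
{/exp:channel:form}
```

With inline handling, a submission that fails validation re-renders the form with these messages instead of moving on without explanation.
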
  • If it’s required then that would be the source if nobody could submit the form, but Super Admins can submit. This is my code:

    {exp:channel:form 
     channel="cv"
     return="profile/curriculum-vitae/"
     use_live_url="no"
     include_assets="no"
     include_jquery="no"
     site="ycms"
    }
    
    <input type="hidden" name="title" id="title">
    <input type="hidden" name="url_title" id="url_title">
    <input type="hidden" name="entry_date" value="{entry_date}">
    
    ...
    
    {/exp:channel:form}
    grantmx
    16th May, 2018 at 12:55pm
  • The above was my actual form. The little one above was my tester AND it works without the url_title field in EE 3.

    grantmx
    16th May, 2018 at 12:57pm
  • It does not work in EE 4.2.1 with the exact same setup of the channel, member and member group.

    grantmx
    16th May, 2018 at 12:58pm
  • So, just to recap:

    • I’ve tried with and without the URL_title field and it doesn’t work in EE 4.2.1 but it does work in EE 3.5.1
    • only Super Admins can create new entries using channel forms in EE 4.2.1,
    • Given a user in a member group with the same exact permissions as a Super Admin in EE 4.2.1, can create an entry in the CP but cannot create an entry in the Channel Form, however CAN edit, update and delete an existing entry.
    grantmx
    16th May, 2018 at 1:03pm
  • I’m just not spotting any reason it would behave differently for superadmin vs other users.

    BUT it should allow them to omit the url title. Try this- in system/ee/EllisLab/Addons/channel/libraries/channel_form/Channel_form_lib.php on line 1731 add ->compile(); to the end of the line, so it looks like:

    $_POST['url_title'] = ee('Format')->make('Text', ee()->input->post('title', TRUE))->urlSlug()->compile();

    That will make it generate a URL title if it can. But- I still think something else must be going on. If it does still fail, post back the whole test template that it fails for. Something I can copy/paste and know I’m testing exactly what you’re doing.

    Robin Sowell
    16th May, 2018 at 1:30pm
  • And on double checking- that code should already be in there! So let’s go to the next step- what’s the exact form you’re using on the test page- the simplified one. And make it as simple as you can- no fields that aren’t needed to have it go through for the superadmin.

    Robin Sowell
    16th May, 2018 at 1:40pm
  • The test form I used in both EE 3 and EE 4 was this one below, I’ve added nothing else to the template.

    {exp:channel:form channel="news" return="includes/test/thanks" }
       <input name="title" type="text"><br>
       <input name="news_description" type="text"><br>
       <input type="submit" value="Submit">
    {/exp:channel:form}
    grantmx
    16th May, 2018 at 1:45pm
  • So just to clarify, I don’t think it’s the URL title, but how EE is not allowing non Super Admins to create a new entry via the entry form.

    grantmx
    16th May, 2018 at 1:55pm
  • Sharing some images I shared in EE slack channel today:

    • Channel Settings: https://slack-files.com/T04CUNNQH-FAQ7P6GV7-648dc970dc
    • Member settings: https://slack-files.com/T04CUNNQH-FAQLJNZ99-0344e84069
    • HTML Output (big original form): https://slack-files.com/T04CUNNQH-FAQQDJXGA-d7ae5b2fa4
    grantmx
    16th May, 2018 at 2:00pm
  • > So just to clarify, I don’t think it’s the URL title, but how EE is not allowing non Super Admins to create a new entry via the entry form.

    That you submitted a Bug Report to our site shows that’s not the underlying issue. 😉 But thanks for the extra details. I think Robin has found an errant interaction with URL title creation and error/validation, which she’ll update this ticket on when she’s confirmed.

    Derek Jones
    16th May, 2018 at 2:00pm
  • No problem.

    grantmx
    16th May, 2018 at 2:03pm
  • Boy- I still can’t replicate. I used

    {exp:channel:form channel="blog" return="home/form/ENTRY_ID" entry_id="{segment_3}"}
       <input name="title" type="text" value="{title}"><br>
       <input name="news_description" type="text"><br>
       <input type="submit" value="Submit">
    {/exp:channel:form}

    I could post as a superadmin and then I created a non-superadmin with very limited permissions, but permission to post/edit in ‘blog’. And the post goes through without an issue.

    The ones that fail- are they non-logged in guests? Or are they logged in members in a non-superadmin user group? I was testing logged in, just not as a superadmin.

    Also- double check the status. Looks like the form should use the channel’s default status. Triple check that the user group in question has permission to use that status.

    If nothing leaps out at us from doing that, can you drop me an email at support@ellislab.com? Just mention it’s a bug issue for Robin.

    Robin Sowell
    16th May, 2018 at 4:44pm
  • I think I found a clue. When I log in to the CP under that user in the non-superadmin group that has exactly the same permissions as super admin and post in the CP under that channel, I’m noticing that although the entry is created the status column for that entry on the Edit page is blank.

    Digging deeper.

    grantmx
    17th May, 2018 at 5:59am
  • That definitely sounds like a clue.

    For that channel, go to ‘Developer- Channels- Channel Manager’- look in ‘Statuses’ and for each checked status for that channel, see if the user group has permission to access it.

    I’ll also see if I can reproduce- it should be giving you an error if you have an invalid channel, so something still seems weird. I’d like to reproduce it locally if I can.

    Robin Sowell
    17th May, 2018 at 10:22am
  • No luck on my end, if I don’t give my non-SA permission to use any selected channels, I get a system error message:

    > The form you submitted contained the following errors
    > Status: Invalid Selection

    Check in the Channel settings too- let’s see what the default status is.

    Though I did try setting the default to a status that I then removed from that channel and I still get the invalid selection error.

    Robin Sowell
    17th May, 2018 at 10:28am
  • Hmmm.. It’s still not working. I’ve fixed the blank status issue, but for me if I don’t give a user access to edit the channel, the channel form doesn’t even show for them, so I am not able to generate any type of errors to find out what is going on.

    grantmx
    17th May, 2018 at 11:39am
  • Just to sum up for anyone else who runs into this, it turned out the spam module was returning positive for possible spam, so those entries were going into the spam module for manual review. Since superadmins don’t get checked, they didn’t run into the same issue.

    Robin Sowell
    17th May, 2018 at 4:23pm
