[pLog-svn] r6569 - plog/branches/lifetype-1.2/class/action/admin

Mark Wu markplace at gmail.com
Thu Jun 19 05:02:25 EDT 2008


According to our current permission mode, we cannot control this kind of
case. It is too detailed.

The only way to keep this from happening is to implement a token-like mechanism
inside saveDraft. The saveDraft is only valid with this specific token.

But a user only adds blog users that he trusts, so how can a user update others'
articles if he does not belong to the other blog's user list?

Mark

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Wednesday, June 18, 2008 10:00 PM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] r6569 - 
> plog/branches/lifetype-1.2/class/action/admin
> 
>  	Right, I know we need to let him update the post he 
> just added, but what about other posts - I expect he can edit 
> other posts, and the permission system would normally prevent 
> him from doing that, but I think he can bypass it by using 
> the draft update.  Is that incorrect?
> 
> On Wed, 18 Jun 2008, mark at devel.lifetype.net wrote:
> 
> > Author: mark
> > Date: 2008-06-18 03:45:07 -0400 (Wed, 18 Jun 2008) New 
> Revision: 6569
> >
> > Modified:
> >   
> > 
> plog/branches/lifetype-1.2/class/action/admin/adminsavedraftarticleaja
> > xaction.class.php
> > Log:
> > Yes, we should let user update his draft post, or this 
> function is useless.
> >
> > Modified: 
> > 
> plog/branches/lifetype-1.2/class/action/admin/adminsavedraftarticleaja
> > xaction.class.php 
> > ===================================================================
> > --- 
> plog/branches/lifetype-1.2/class/action/admin/adminsavedraftar
> ticleajaxaction.class.php	2008-06-18 07:43:49 UTC (rev 6568)
> > +++ 
> plog/branches/lifetype-1.2/class/action/admin/adminsavedraftar
> ticleajaxaction.class.php	2008-06-18 07:45:07 UTC (rev 6569)
> > @@ -53,8 +53,6 @@
> >             // in case the post is already in the db
> >             if( $this->_postId != "" ) {
> >                 $article->setId( $this->_postId );
> > -                    // TODO: can a user without the 
> update_post permission
> > -                    // update using the savedraft method?
> >                 $postSavedOk = $articles->updateArticle( $article );
> >
> >                 if( $postSavedOk )
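Review bot: The TODO removed at the `if( $this->_postId != "" )` branch asked a question the code still does not answer: nothing visible in this hunk checks who owns the post or whether the caller holds update_post between `$article->setId( $this->_postId )` and `$articles->updateArticle( $article )`. Before calling `updateArticle`, load the stored article for that id and confirm it belongs to the current user and blog and is still a draft, or check the update_post permission explicitly. If that check is deferred, keep the TODO so the open question stays visible in the file.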
> > @@ -86,4 +84,4 @@
> >             return true;
> > 		}
> >     }
> > -?>
> > \ No newline at end of file
> > +?>
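Review bot: The end-of-file change at `?>` is unrelated to the log message about draft updates and would be better committed on its own, so the permission-relevant change in the first hunk is easier to audit. Since this file is an AJAX action, consider dropping the closing `?>` altogether so stray trailing whitespace can never reach the response body.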
> >
> > _______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://limedaley.com/mailman/listinfo/plog-svn
> >
> 
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> Common sense is the collection of prejudices acquired by age 18.
> -- Albert Einstein
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
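One way the token-like mechanism suggested in the reply above could work, as an added example that is not LifeType code and not from either poster: saveDraft issues an HMAC token bound to the user, blog and post id when it first inserts a draft, and later updates are accepted only with that token. All function names, the key constant and the sample ids are assumptions; it assumes PHP 7 or later and that the user and blog ids come from the server-side session, never from the request.

```php
<?php
// Added illustration; not LifeType code. All names here are hypothetical.

// Server-side secret (constructed sample); load a real one from configuration.
const DRAFT_TOKEN_KEY = 'constructed-sample-key-change-me';

/**
 * Issue a token when saveDraft first inserts a post. The token binds the
 * draft to the user and blog that created it.
 */
function issueDraftToken(int $userId, int $blogId, int $postId): string
{
    $payload = implode(':', [$userId, $blogId, $postId]);
    return hash_hmac('sha256', $payload, DRAFT_TOKEN_KEY);
}

/**
 * Check the token sent back with a later saveDraft request. True only if it
 * matches the (user, blog, post) triple of the current request.
 */
function isDraftTokenValid(int $userId, int $blogId, int $postId, string $token): bool
{
    $expected = issueDraftToken($userId, $blogId, $postId);
    return hash_equals($expected, $token); // constant-time comparison
}

/**
 * Decide what saveDraft may do. An empty post id means "insert a new draft";
 * a non-empty one is an update and needs the token issued for that draft.
 */
function draftSaveDecision(int $userId, int $blogId, string $postId, string $token): string
{
    if ($postId === '') {
        return 'insert';
    }
    if (!ctype_digit($postId)) {
        return 'reject'; // malformed id
    }
    return isDraftTokenValid($userId, $blogId, (int) $postId, $token) ? 'update' : 'reject';
}

// Constructed sample: user 7 creates draft 120 in blog 3 and receives a token.
$token = issueDraftToken(7, 3, 120);
echo draftSaveDecision(7, 3, '', ''), "\n";        // new draft
echo draftSaveDecision(7, 3, '120', $token), "\n"; // same draft, same user
echo draftSaveDecision(7, 3, '45', $token), "\n";  // token replayed against another post
echo draftSaveDecision(9, 3, '120', $token), "\n"; // another user reusing the token
```

Posts that were never created through saveDraft have no token, so this path cannot be used to update them; they stay behind the normal update_post check.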


