Alex123
Junior Member
Greece
237 Posts |
Posted - 13 September 2002 : 12:35:54
|
Hi,
On the "Events Calendar Mod", it seems that any "normal user" can Edit/Delete any other member's Event (including Admin's events). Shouldn't this work the same way that normal Posts work, where every member can ONLY edit/delete their own posts? Can anyone help on this please?
Thank you in advance. Regards, Alex
|
|
GauravBhabu
Advanced Member
4288 Posts |
Posted - 13 September 2002 : 13:09:41
|
The Events Calendar does a lot of things which are not normal. You need to modify the code to fix the behavior which is greater than or less than normal. |
CSS and HTML4.01 Compliant Snitz Forum . ForumSquare . Rakesh Jain
It is difficult to IMPROVE on Perfection, There is no harm in Keep Trying.
Prayer Of Forgiveness "I forgive all living beings. May all living beings forgive me! I cherish the friendliness towards all and harbour enmity towards none." -- Aavashyaka Sutra(Translated) |
|
|
alex042
Average Member
USA
631 Posts |
Posted - 13 September 2002 : 13:33:32
|
quote: On the "Events Calendar Mod", it seems that any "normal user" can Edit/Delete any other member's Event (including Admin's events). Shouldn't this work the same way that normal Posts work, where every member can ONLY edit/delete their own posts?
There should be a number setting at the very top of the code to change who can add/edit/delete events. This MOD was basically a stand-alone MOD that was attached to the forum, but doesn't use the same method to regulate how the event postings are controlled.
|
Edited by - alex042 on 13 September 2002 13:34:41 |
|
|
Alex123
Junior Member
Greece
237 Posts |
Posted - 13 September 2002 : 13:34:33
|
Thanks GauravBhabu for your reply,
Could you help me with this please, if it's not too much trouble? I wouldn't be able to change the code for this myself.
I just checked crash's site and I think the way he has it is that only admin and Mods can add events, and members can only add "private events" (which only they see), and they cannot edit/delete any event except their own. That's still better than what I have now.
Thank you, Alex
|
|
|
Alex123
Junior Member
Greece
237 Posts |
Posted - 13 September 2002 : 13:36:05
|
Hi Alex,
Would that be in events.asp?
Thanks |
|
|
alex042
Average Member
USA
631 Posts |
Posted - 13 September 2002 : 13:36:52
|
At the top of events.asp, you should find:
' sets who is allowed to add events
dim intAllowed
intAllowed = 1 'Any members
'intAllowed = 3 'Only Moderators and Admin
'intAllowed = 4 'Admins Only
Just uncomment the appropriate level. 'Any members' is the default, as shown here. Any member at that level has total control over all events.
|
Edited by - alex042 on 13 September 2002 13:37:58 |
|
|
Alex123
Junior Member
Greece
237 Posts |
Posted - 13 September 2002 : 13:45:54
|
Alex, if I uncomment the 'Only Moderators and Admin' line, what happens is that a "normal member" cannot add an event at all. I would like, if possible, for the members to be able to add events, but not to be able to edit/delete events that other members have added.
Thank you again, Alex |
Edited by - Alex123 on 13 September 2002 13:49:01 |
|
|
DoraMoon
Average Member
Taiwan
661 Posts |
Posted - 13 September 2002 : 13:48:46
|
hi~ Alex123,
I think usually we'll set the events authority to Admin/Moderator only...
and unless the user checks Private Event, all events will be "public" by default. So if you also allow general members to add an event... yeah~ just as GB said, I think you'll need to change something to make it reasonable..
In my situation, I set it so general members can only post Private Events.. but I can't remember how I modified it before. Anyway, it should not be too difficult...
At least, I think you can try this... at about line 828 in events_function.asp
<%'If (mlev >= intAllowed) and (lcase(lcase(rs(strDBNTSQLNAME))) = lcase(Request.Cookies(strUniqueID & "User")("Name"))) or mlev >=3 Then%>
<%If mlev >= intAllowed or lcase(strDBNTUSerName) = lcase(rs(strDBNTSQLNAME)) Then%>
change it to..
<%'If (mlev >= intAllowed) and (lcase(lcase(rs(strDBNTSQLNAME))) = lcase(Request.Cookies(strUniqueID & "User")("Name"))) or mlev >=3 Then%>
<%If mlev >= 3 or lcase(strDBNTUSerName) = lcase(rs(strDBNTSQLNAME)) Then%>
I'm not sure it'll match your demand, but you can try it...
<edit>I forgot to say that... with the above modification, I think it should restrict the delete/edit authority to Admin/Moderator or the "original author" ONLY...</edit> |
Edited by - DoraMoon on 13 September 2002 13:58:03 |
|
|
Alex123
Junior Member
Greece
237 Posts |
Posted - 13 September 2002 : 13:57:35
|
Thank you DoraMoon
It worked perfectly. Thank you |
|
|
DoraMoon
Average Member
Taiwan
661 Posts |
Posted - 13 September 2002 : 14:00:30
|
You're welcome, I'm also glad it works!
But maybe you should test more... the Events Mod is a little complex for me. Maybe I'm still missing something.. |
|
|
GauravBhabu
Advanced Member
4288 Posts |
Posted - 13 September 2002 : 14:36:18
|
Any member can delete any event if he/she knows the eventid. To prevent that, everyone must modify the code in events.asp.
Lines 186-192
select case sMode
    case "delete"
        if mlev >= intAllowed then
            sSQL = "DELETE FROM " & strTablePrefix & "EVENTS WHERE Event_ID=" & Request.QueryString("Event_ID")
            my_Conn.Execute ssql
            strCMessage = "The selected event was deleted"
        end if
Modify as below:
select case sMode
    case "delete"
        if mlev >= intAllowed then
            ' look up who added the event before deleting anything
            ' cLng() forces Event_ID to a number so only a numeric id reaches the SQL text
            sSQL = "SELECT ADDED_BY FROM " & strTablePrefix & "EVENTS WHERE EVENT_ID=" & cLng(Request.QueryString("Event_ID"))
            Set rsDelete = Server.CreateObject("ADODB.RECORDSET")
            ' adCmdText is the ADO constant name (was typed as adCmdTxt)
            rsDelete.Open sSQL, my_Conn, adOpenForwardOnly, adLockReadOnly, adCmdText
            if not(rsDelete.EOF or rsDelete.BOF) then
                ' only the member who added the event, or an admin (mlev = 4), may delete it
                if (clng(rsDelete("ADDED_BY")) = MemberID) or (mlev = 4) then
                    sSQL = "DELETE FROM " & strTablePrefix & "EVENTS WHERE Event_ID=" & cLng(Request.QueryString("Event_ID"))
                    my_Conn.Execute ssql
                    strCMessage = "The selected event was deleted"
                else
                    strCMessage = "No authorization to delete the event"
                end if
            else
                strCMessage = "The selected event was not found"
            end if
            rsDelete.Close
            Set rsDelete = Nothing
        end if
|
|
|
DoraMoon
Average Member
Taiwan
661 Posts |
Posted - 13 September 2002 : 15:23:32
|
Yes, thanks GB for replenishing again...
Alex123 ))) my modification just removes the delete/edit link from normal users; just as GB said, if someone knows the event_id, he can still delete the event! So make sure you add GB's code too.
And maybe in the "edit" section... (events.asp, below GB's code..) doing the same as GB's suggestion, you can also change it to..
    case "edit"
        if mlev >= intAllowed then
            ' cLng() forces Event_ID to a number so only a numeric id reaches the SQL text
            sSQL = "SELECT ADDED_BY FROM " & strTablePrefix & "EVENTS WHERE EVENT_ID=" & cLng(Request.QueryString("Event_ID"))
            Set rsEdit = Server.CreateObject("ADODB.RECORDSET")
            ' adCmdText is the ADO constant name (was typed as adCmdTxt)
            rsEdit.Open sSQL, my_Conn, adOpenForwardOnly, adLockReadOnly, adCmdText
            if not(rsEdit.EOF or rsEdit.BOF) then
                ' only the member who added the event, or an admin (mlev = 4), may edit it
                if (clng(rsEdit("ADDED_BY")) = MemberID) or (mlev = 4) then
                    sMode = "edit"
                    strCMessage = "Event Edit Successful"
                else
                    strCMessage = "No authorization to edit the event"
                end if
            else
                strCMessage = "The selected event was not found"
            end if
            rsEdit.Close
            Set rsEdit = Nothing
        end if
|
~......~.~~ |
|
|
GauravBhabu
Advanced Member
4288 Posts |
Posted - 13 September 2002 : 17:06:44
|
DoraMoon, that won't work for edit. Here is what needs to be done to prevent unauthorized delete/edit.
File: events.asp
Find the following code between lines 183-202
'set the mode
dim sMode, berror
sMode = Request.QueryString("mode")
select case sMode
    case "delete"
        if mlev >= intAllowed then
            sSQL = "DELETE FROM " & strTablePrefix & "EVENTS WHERE Event_ID=" & Request.QueryString("Event_ID")
            my_Conn.Execute ssql
            strCMessage = "The selected event was deleted"
        end if
    case "edit"
        if mlev >= intAllowed then
            sMode = "edit"
            strCMessage = "Event Edit Successful"
        end if
    case "add"
        if mlev >= intAllowed then
            smode = "add"
        end if
end select
Replace the above statements as below
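'**set the mode
dim sMode, bError, strCMessage
sMode = Request.QueryString("mode")
select case sMode
    case "delete"
        if mlev >= intAllowed then
            ' CheckAuthorization() is true only for the event's owner or an admin
            if CheckAuthorization() then
                ' cLng() forces Event_ID to a number so only a numeric id reaches the SQL text
                sSQL = "DELETE FROM " & strTablePrefix & "EVENTS WHERE Event_ID=" & cLng(Request.QueryString("Event_ID"))
                my_Conn.Execute ssql
                strCMessage = "The selected event was deleted"
            end if
        end if
    case "edit"
        ' clear the mode first; it is set back to "edit" only when the check passes
        sMode = ""
        if mlev >= intAllowed then
            if CheckAuthorization() then
                sMode = "edit"
                strCMessage = "Event Edit Successful"
            end if
        end if
    case "add"
        ' members below the allowed level lose the "add" mode
        if mlev < intAllowed then
            sMode = ""
        end if
end select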
File events_functions.asp
Add the following function to this file. Make sure it is before the ASP closing tag (%>) at the bottom of file.
function CheckAuthorization()
    dim strSql, rsAuthorization
    ' admins (mLev = 4) are always authorized
    if mLev = 4 then CheckAuthorization = true : exit function
    CheckAuthorization = false
    ' cLng() forces Event_ID to a number so only a numeric id reaches the SQL text
    strSql = "SELECT ADDED_BY FROM " & strTablePrefix & "EVENTS E WHERE E.EVENT_ID=" & cLng(Request.QueryString("Event_ID"))
    Set rsAuthorization = Server.CreateObject("ADODB.RECORDSET")
    ' adCmdText is the ADO constant name (was typed as adCmdTxt)
    rsAuthorization.Open strSql, my_Conn, adOpenForwardOnly, adLockReadOnly, adCmdText
    if not (rsAuthorization.BOF or rsAuthorization.EOF) then
        ' authorized only when the logged-in member is the one who added the event
        if (clng(rsAuthorization("ADDED_BY")) = MemberID) then
            CheckAuthorization = true
        else
            strCMessage = "No authorization to modify/delete the event"
        end if
    else
        strCMessage = "The selected event was not found"
    end if
    rsAuthorization.Close
    Set rsAuthorization = nothing
end function
There are several other places in the file where code should be corrected. But anyway, above changes will prevent unauthorized edit/delete. |
|
|
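Added example, not part of the thread or of the Events Calendar Mod: one way to make the owner check and the delete a single parameterized statement, so a request carrying someone else's Event_ID deletes nothing. The function name, the EX_ constants and the return strings are hypothetical; it assumes EVENT_ID and ADDED_BY are integer columns and that it runs inside an ASP page with an open ADO connection.

```vbscript
' Hypothetical helper (added example). ADO constant values are declared under
' EX_ names so they cannot clash with constants the forum already defines.
Const EX_adCmdText = 1
Const EX_adInteger = 3
Const EX_adParamInput = 1
Const EX_adExecuteNoRecords = 128

' Deletes one event only if the caller added it or is an admin (level 4).
' Returns "deleted", "denied" (event missing or not owned) or "badid".
Function DeleteEventChecked(conn, strPrefix, rawID, lngMemberID, intLevel)
    Dim re, cmd, strSql, lngAffected

    ' Accept only a short run of digits; anything else is refused
    ' before a statement is built.
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If Not re.Test(rawID & "") Then
        DeleteEventChecked = "badid"
        Exit Function
    End If

    ' Non-admins get the ownership test inside the WHERE clause, so the
    ' authorization decision and the delete are one statement.
    strSql = "DELETE FROM " & strPrefix & "EVENTS WHERE EVENT_ID = ?"
    If intLevel < 4 Then strSql = strSql & " AND ADDED_BY = ?"

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = EX_adCmdText
    cmd.CommandText = strSql
    cmd.Parameters.Append cmd.CreateParameter("id", EX_adInteger, EX_adParamInput, , CLng(rawID & ""))
    If intLevel < 4 Then
        cmd.Parameters.Append cmd.CreateParameter("owner", EX_adInteger, EX_adParamInput, , CLng(lngMemberID))
    End If

    cmd.Execute lngAffected, , EX_adExecuteNoRecords
    Set cmd = Nothing

    ' Assumes the provider reports the affected row count.
    If lngAffected = 1 Then
        DeleteEventChecked = "deleted"
    Else
        DeleteEventChecked = "denied"
    End If
End Function
```

In events.asp it would be called from the "delete" case as DeleteEventChecked(my_Conn, strTablePrefix, Request.QueryString("Event_ID"), MemberID, mlev), still inside the mlev >= intAllowed test.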
Alex123
Junior Member
Greece
237 Posts |
Posted - 13 September 2002 : 20:09:35
|
Thank you guys both VERY much.
I am going to dare to ask for one last thing, and I am totally going to understand in case you decide to ignore me. Could the "Events Calendar" take its "Time" from the "Server Date/Time Configuration" through the forum? I have that one set to add 7 hours to the server time.
Thanks again for all your help. It's greatly appreciated. Alex
|
|
|
GauravBhabu
Advanced Member
4288 Posts |
Posted - 13 September 2002 : 20:16:21
|
You can use the strForumTimeAdjust variable, which stores the server date time. |
|
|
Alex123
Junior Member
Greece
237 Posts |
Posted - 13 September 2002 : 20:24:50
|
Thank you GauravBhabu,
Could you help me a bit more? Where should I add this variable in the Events mod?
Thanks again, Alex |
|
|