Can Edit Row... strange behaviour bug in version 3.7?

farinacci

Member
Hello, I have implemented this plugin with success. I can see an editable row, for example, only if the value is equal to zero, but when I enter modify mode, after saving I receive this message:

"Sorry, but you are not authorized to edit this record"
Why?

In the previous version the plugin worked fine!

Is it a bug?

Thank you so much.
 
Well, actually, I suspect it's a bug that got fixed.

I presume that your use case is you are editing the value you use to test in your canEditRow plugin, and you are setting it to a value that would prevent the user from editing, then saving the form.

The issue is that prior to 3.6, we didn't check canEdit() when a form was being submitted. We only checked it when loading a form. This is a security issue, because someone could spoof a form submission - for instance, load a form they have access to, then modify the posted data by hand in their browser to point to a row they don't have access to, and submit.

So as of 3.6, we now do a canEdit() test on submission. Which is what is catching you out, because on submission, you've set that value so the user no longer has access.

If you can confirm that this is the scenario, we'll figure out a way round it.

-- hugh
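As an added example (not Fabrik's or hugh's code), a minimal PHP model of the check hugh describes: a row-level canEditRow test that runs only when the form is loaded is bypassed by a submission whose hidden rowid has been changed, and re-running the same test on submission, against the stored row for the posted rowid, closes the gap. The table, the `stato` column and the tampered request are constructed; the "value equal to zero" condition and the error message are the ones from this thread.

```php
<?php
// Added example, not Fabrik's code. It models the gap hugh describes: a
// canEditRow check run only when the form is LOADED can be bypassed by changing
// the hidden rowid before SUBMITTING, so the check must run again on submission
// against the rowid that was actually posted.

// Constructed sample table (rowid => row). As in the thread, a row is editable
// only while its 'stato' value is 0.
$rows = [
    1 => ['stato' => 0, 'note' => 'open forecast'],
    2 => ['stato' => 1, 'note' => 'closed forecast'],
];

// The canEditRow condition, evaluated against the STORED row, never against
// values supplied by the client.
function canEditRow(array $rows, int $rowid): bool
{
    return isset($rows[$rowid]) && (int) $rows[$rowid]['stato'] === 0;
}

// Pre-3.6 behaviour as described: the posted rowid is trusted because
// authorization was already checked when the form was loaded.
function submitUnchecked(array &$rows, array $post): string
{
    $rowid = (int) $post['rowid'];
    $rows[$rowid]['stato'] = (int) $post['stato'];
    return "row $rowid updated";
}

// 3.6+ behaviour as described: canEditRow is re-run on the posted rowid.
function submitChecked(array &$rows, array $post): string
{
    $rowid = (int) $post['rowid'];
    if (!canEditRow($rows, $rowid)) {
        return 'Sorry, but you are not authorized to edit this record';
    }
    $rows[$rowid]['stato'] = (int) $post['stato'];
    return "row $rowid updated";
}

// The form was loaded for row 1 (canEditRow is true for it), but the submission
// arrives with the hidden rowid changed to 2 (constructed tampered request).
$tampered = ['rowid' => 2, 'stato' => 0];
echo submitUnchecked($rows, $tampered), "\n"; // row 2 is changed without any check
$rows[2]['stato'] = 1;                        // restore the sample row
echo submitChecked($rows, $tampered), "\n";   // the re-check refuses, row 2 is untouched
```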
 
Hi, yes, I confirm.
My previous version is Fabrik 3.4.7.
For me it would be very important that there was continuity of operation in the new version.
Thanks
 
A workaround (which I think would also prevent spoofing):

Create a new element which is used as the canEditRow condition.
In the form, add a PHP plugin on "End of Form Submission (OnAfterProcess)" and set this element according to the user's input on your original element.
Code:
$t = '{your-new-element}';    // value of the element to copy from
$IDinput = '{rowid}';         // id of the row being submitted
$myDb = JFactory::getDbo();
$myQuery = $myDb->getQuery(true);

$myQuery
    ->update('your-table AS c')
    ->set('c.duplicatename = ' . $myDb->quote($t))  // column used by canEditRow
    ->where('c.id = ' . (int) $IDinput);

$myDb->setQuery($myQuery);

// Run the query
$found = (int) $myDb->execute();
 
Yes, the one you use in the canEditRow plugin (sorry, the name was from my test example).

Edit:
I think I've mixed up my description and my elements:
So
$t = old element (the one the user is editing)
c.duplicatename = new element/column (the one used in canEditRow)
 
This is my code in the plugin "End of Form Submission (OnAfterProcess)":

$t = '{forecast___iseditabile}';  // this is my new item
$IDinput = '{rowid}';             // is this the same? is '{rowid}' correct?
$myDb = JFactory::getDbo();
$myQuery = $myDb->getQuery(true);

$myQuery
    ->update('forecast AS c')
    ->set('c.stato = ' . $myDb->quote($t))  // c.stato is my old but valid item
    ->where('c.idForecast = ' . (int) $IDinput);

$myDb->setQuery($myQuery);

// Run the query
$found = (int) $myDb->execute();


And in the form I check the new iseditabile..

but it does not work... "Sorry, but you are not authorized to edit this record"
 
See my edit in post#7, I'd mixed up description and elements.

You must copy the value from the element the user is editing to the one used in canEditRow

-> set('c.element-used-in-canEditRow = '.$myDb->quote($element-set-by-user))

And yes, to keep your old canEditConditions it's better to have the "canEdit" element the old one and use the new one for the user editing.
 
OK, but the copy does not work...

$t = '{forecast___Stato}';  // my old column
$IDinput = '{rowid}';
$myDb = JFactory::getDbo();
$myQuery = $myDb->getQuery(true);

$myQuery
    ->update('forecast AS c')                     // my table
    ->set('c.iseditabile = ' . $myDb->quote($t))  // my new column
    ->where('c.idForecast = ' . (int) $IDinput);  // my table ID

$myDb->setQuery($myQuery);

// Run the query
$found = (int) $myDb->execute();
 
And the canEditRow plugin is on the new column iseditabile.
But it does not work:
no row is editable because the new item is null.
 
And yes, to keep your old canEditConditions it's better to have the "canEdit" element the old one and use the new one for the user editing.
It's working with the setup the correct way around.
 
YES, BUT..
The only way to make it work is to update the entire table, entering the value of the user-editable field in the new field.
CORRECT?
 
You can update the entire new (user edit) element with the values of the old (canEditRow) element with e.g. phpMyAdmin.

Or you can add a validation to force the user to set this element on edit if it's not set
or you can add a "onLoad" php plugin to set it if it's null (a bit overkill in this case)
or...

Backup before doing anything directly in phpMyAdmin.
 
Feel free to add it to the wiki (that's what wikis are for).

I'm working on an option for the plugin, to set whether it runs on submission or not, but I can't give you an ETA.
 