**id_only** allows to modify others id via url :( #15

Open · mcbcrud opened this issue Oct 25, 2018 · 4 comments
Comments

mcbcrud commented Oct 25, 2018

First of all, congratulations on this great project, it has been very useful for me, thanks!! ... the problem occurs when entering the table crud_users with a user with permission ID_ONLY; when entering edit, it is possible to modify the url with the id of another user and change the password ....

(screenshots: screenshot_1, screenshot_2, screenshot_3)

any suggestions????
greetings from Chile!!!

portapipe (Owner) commented Oct 25, 2018

Hi and thanks :)

You can use the getState() event to catch where the user is, then you can use `$crud = $this->login_model->check($crud,"author");` in the crud part to avoid the user seeing other users' profiles.

With `$crud->getState()=="edit"` you can make a database query to see if the permission is "IDOnly" for that page, like `extractPermission("ID",false,"crud_users")` or, more simply, `IDOnly("crud_users")`, and then you can redirect the user if `getStateInfo()->primary_key` is different from the logged-in user's id.

I think it is simple but a little tricky, but you can take a look at the wiki HERE and find YOUR better way to create it. I've given you more than one way to make it, so I'm sure you'll find how to make it ;)

BTW! I suggest you take the crud_users page just for you and create a new page for them, just to avoid cutting yourself off from user management.

mcbcrud (Author) commented Oct 27, 2018

the only way you can do it:

```php
if ($crud->getState() == "edit") {
    // take the record id from the last URL segment (.../edit/<id>)
    $segmentsCount = $this->uri->total_segments();
    $itemID = intval($this->uri->segment($segmentsCount));
    // log the user out if the id in the URL is not their own
    if ($itemID != $this->idUsuario) redirect("/login/logout");
}
```

`getStateInfo()->primary_key` // Not work!!!

regards!!!
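One way to implement the check both comments above describe, as an added example that is not the project's or the commenters' own code: it assumes a CodeIgniter 3 controller named Users (assumed name) and a session key user_id (assumed name), and it applies the comparison of getStateInfo()->primary_key against the logged-in user's id not only to the edit state but also to the update, read and delete states, which address a record by id as well.

```php
<?php
// Added example, not the project's own code. Assumes CodeIgniter 3 with the
// Grocery CRUD library, a controller named Users (assumed) and a session key
// 'user_id' (assumed) holding the logged-in user's id. The /login/logout
// redirect is the one used in the thread.
class Users extends CI_Controller
{
    public function index()
    {
        $this->load->library('grocery_CRUD');
        $crud = new grocery_CRUD();
        $crud->set_table('crud_users');

        // Authorise before render(): Grocery CRUD resolves the state from the
        // URL and performs the edit/update/delete inside render().
        $this->enforce_own_record($crud, (int) $this->session->userdata('user_id'));

        $output = $crud->render();
        $this->load->view('example.php', $output);
    }

    /**
     * Reject any single-record state whose primary key is not the logged-in
     * user's own id. Checking only "edit" protects the form view; the form
     * posts back to the "update" / "update_validation" states, so a tampered
     * id must be rejected there too.
     */
    private function enforce_own_record($crud, $own_id)
    {
        $single_record_states = array('edit', 'update', 'update_validation', 'read', 'delete');

        if (!in_array($crud->getState(), $single_record_states, true)) {
            return; // list, add, insert, ... address no other user's row
        }

        $info = $crud->getStateInfo();
        $requested = isset($info->primary_key) ? (int) $info->primary_key : 0;

        // Fail closed on a missing session, a missing id or a mismatched id.
        if ($own_id === 0 || $requested !== $own_id) {
            redirect('/login/logout');
        }
    }
}
```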

portapipe (Owner) commented

Well, make a `var_dump($crud->getStateInfo());` and you'll see.
Here are the docs

mcbcrud (Author) commented Oct 27, 2018

Yes, today it worked for me, yesterday I did not x)
thanks!!!
