The Custom Field group TEST and the Custom Field TESTFIELD should NOT be shown on the user registration form because the user trying to register does NOT have rights to create values for this field (permission for Edit Custom Field Value of the TEST field group for public = Not Allowed (inherited))
The Custom Field group and Custom Field ARE shown (but read only), I get reports from users trying to register who do not understand what they should do with these fields as they do not know why these fields are relevant for them (they are not) and they mis the [register] button that is at the bottom of the very long registration screen).
Permission for Public > Edit Custom Field Value = Not Allowed should NOT show these fields in the edit / registration form. They cannot EDIT custom field value (because there is no field value) so they also CANNOT create custom field value. So why confuse them and show the fields that are NOT relevant for them?
The viewing permission 'Access = Public' is NOT applicable for these forms as these forms are NOT for viewing but for adding / editing values. When there is no value there is nothing to view.
Joomla 3.8.3
Setting the access for the Field group to e.g. author (so only users who are authors have these fields in their profile (to edit) does not work: setting the access to author also restricts the displaying of the contents of the field to logged in users with author rights!
A use case: an author can have an avatar (field media) in his profile that will be displayed in his articles.
When setting the access to public, the field avatar is shown on every user's profile form AND registration for for new users. When setting the Access to author, it shows correct on the user profile and registration form but the avatar will NOT be displayed in the articles when the user who is viewing the article is NOT logged in and does NOT have author rights.
This has also been briefly discussed here: https://issues.joomla.org/tracker/joomla-cms/16378
I think you have a fundamental confusion about viewlevels and actions.
The viewlevel defines who can see the content of the field. From what I understood you want it (the picture) to be visible to anyone. So you set the access level to "Public".
The actions are set in the "Permissions" tab, and define who can edit the field. As @laoneo said you need to adjust the "edit.value" action here so only the author or editor user group can edit the value of that field. All other users will still see the field in the form, but will be unable to edit anything in it.I'm closing this issue as it is expected behavior.
The viewlevel defines who can see the CONTENT of the field: this is correct
The actions set in the permissions tab define who can edit (edit custom field value) the field: this is also correct: only author can edit the contents (and therefor the field is readonly for people who do not have these rights)
What is missing is the Create Custom Field Value permission: when this permission is set to Not Allowed, then this field / fieldgroup should NOT be displayed at all for a user without these rights.
Title |
|
Hi Valuable, but then it will not be shown to guest / visitors of the website when the page tried to show the value (e.g. avatar, about text, follow me links, etc) because the visitor is not 'registered'.
If you want to use the custom user Fields to capture user info based on group membership this is unworkable as every user will see all Fields in their profile of which many are not relevant to them: which leads to confusion and support requests.
Damn autocorrect :( all though bakual = also valuable :)))
This is consistent with other places in Joomla.
This then also limits the 'other places' in Joomla.
when you have custom article fields that you only want e.g. publishers to edit and create, they will be shown as read-only to an author (who is wondering why he is seeing this information in the first place).
For me this could be improved either by:
I think #2 is only an option when done via a per site template override as changing an tmpl form has possible high impact. This also changes the current behavior (now you see the read-only values, after this change you don't)
For me #1 would be the ultimate solution: this can be added both for Users as for Articles and will not change the current behavior.
In case the Access for a Custom Field is set to public, and
a. the Create Custom Field value = No + Edit Custom Field value = No
b. the Create Custom Field value = Yes + Edit Custom Field value = No
c. the Create Custom Field value = Yes + Edit Custom Field value = Yes
What do you think of this proposed solution?
Who should have a look at this? (tag your friends they would say on FaceBook :))
Are there other scenarios possible to address this?
I can create some time to create a PR to address this
What is the usecase where you have a field in the edit profile form which shouldn't be editable by the user but visible to public in the profile view?
I could see to make a difference between registration and profile form, but not sure if that is possible to do. It may be something that is better done using an override.
As for a "create" permission, that already exists and referes to creating a custom field. Imho, it becomes very confusing if you start adding more permissions (eg "edit value in registration").
Status | New | ⇒ | Discussion |
Hi, here is a (simple) use case:
I have a custom fields plugin where authors can input links to their social profiles. These are then rendered into follow me buttons.
This field should only be available to authors.
So setting the Access to 'Author' group.
Now when an author logs in, the field is displayed in his profile and he can enter the links.
When a registered user logs in the field is NOT visible in his profile page (because this person is not member of the author group): so far so good.
I use the following code to display the rendered filed value for the field for an author to show in his article:
$user = JFactory::getUser($articleAuthorId);
$jcFields = FieldsHelper::getFields('com_users.user', $user, true);
The problem now is that when a visitor visits the article, the $jcFields = empty
When I log in with a user with sufficient rights (author), the the $jcFields has all the (rendered) values I can use. The access check is done for the visitor and not for th user passed in the $user object.
I can 'fix' this in two ways:
$fieldModel = JModelLegacy::getInstance('Field', 'FieldsModel', array('ignore_request' => true));
$value = $fieldModel->getFieldValue($jcFieldId, $authorId);
regardless of the access setting, this always returns the value, but the value is as entered in the field, NOT rendered (so it is the links as entered, not the icons). There is NO authorization check done here to validate if the visitor has sufficient access rights to the data!
So I need to (figure out how to) render it myself. (This could also solve this issue)
OR, and this is where the permission 'Create Custom Field Value' comes into play, set access to Public (public should be able to see the contents of the field), but only users with permissions to 'Create Custom Field Value' should be able to see them / create them for their own account.
@Bakual, as you said, it is consistent with other places like articles, only here (articles) you can set the view access to public as registered users cannot see the Custom articles field in their create / edit form (you need to have author rights to see the create article form). But the issue is the same: maybe you want authors of group x to see some fields that 'regular' users don't see? Now they see them (as read only).
But still, if we can implement this, it will add to the possibilities for custom fields to extend you own components functionality. Before 3.7 I would have created a component (with all overhead involved) to have a user add the follow me buttons, avatar, about text, etc. Now I use the Custom User fields for that, but as discussed there is a limitation in using it because of the 'missing' feature to show or not show in create / edit forms.
It gets messy very fast as soon as two groups can edit the same item and they don't see the same fields.
It can mean those with lower permissions delete the content from the fields that they don't see.
It can mean those with lower permissions delete the content from the fields that they don't see.
It can mean or it means?
Not looked into the 'save' code, but this definitely a test case.
It can mean or it means?
I haven't tested but afaik we had that issue in the past. It's something to keep in mind.
Okay, have been doing some actual coding today. I have it working for com_users (without touching com_users).
I have added a 'Display Custom Field Value' with which you can set the permission to show or not show the fields. (I didn't call it 'Create', because that didn't do justice to this feature)
I have tested this for com_users, will be doing some testing for com_contacts and com_content. These use the same code base so It should work out okay.
When I have tested, I will create a PR so you guys can have a look :)
I haven't tested but afaik we had that issue in the past. It's something to keep in mind.
The change is in public static function prepareForm($context, JForm $form, $data), when no display rights it will NOT add the fields to the form. That would also mean that fields cannot corrupt / get overwritten, etc.
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-01-29 09:24:22 |
Closed_By | ⇒ | franz-wohlkoenig |
Closed_Date | 2018-01-29 09:24:22 | ⇒ | 2018-01-29 09:24:23 |
Closed_By | franz-wohlkoenig | ⇒ | joomla-cms-bot |
Set to "closed" on behalf of @franz-wohlkoenig by The JTracker Application at issues.joomla.org/joomla-cms/19468
okay, PR is done: works (for me) like a charm and extends the Custom Fields with the functionality to better use it in real-life use cases :)
https://issues.joomla.org/tracker/joomla-cms/19473
This is consistent with other places in Joomla. If you can't edit a property (edit permission) but are allowed to see it (viewlevel), then it is shown as readonly.
If you don't want to show the field, just adjust the viewlevel to registered (just not public) and it will not be shown anymore in the registration form.