Only edit specific submissions

walkingby · Feb 24th, 2010, 9:12 PM

I have a specific form which many clients will log into...to view and add submissions. The problem is they are viewing submissions that other clients have added as well as ones they will add. Is there a way to remove the ability to edit all submissions with the exception of ones the current logged in user has added? Complex to explain...hope my thoughts come across clearly!

Thanks!
Brian

***Ben*** · Feb 24th, 2010, 10:55 PM

Hey Brian,

This was a tough one, I almost gave up. :-)

But here's how you could do it - it's actually not too tricky, but the explanation will take a little while. The only caveat is that you'll need to update one of the functions in the Form Tools core. I'd planned on including the updated function in 2.0.1 beta, but that'll be some time before it's ready - so consider this a pre-release. Smile

Here's how to do it.

(1) Edit your /global/code/submissions.php file and replace the ft_create_blank_submission function with this new code:

PHP Code:
/**
 * Creates a new blank submission in the database and returns the unique submission ID. If the
 * operation fails for whatever reason (e.g. the form doesn't exist), it just returns the empty
 * string.
 *
 * @param integer $form_id
 * @param boolean $is_finalized whether the submission is finalized or not.
 */
function ft_create_blank_submission($form_id, $is_finalized = false)
{
  global $g_table_prefix;

  if (!ft_check_form_exists($form_id))
    return "";

  $now = ft_get_current_datetime();
  $ip  = $_SERVER["REMOTE_ADDR"];
    
  mysql_query("
    INSERT INTO {$g_table_prefix}form_{$form_id} (submission_date, last_modified_date, ip_address)
    VALUES ('$now', '$now', '$ip')
      ");

  $new_submission_id = mysql_insert_id();

  extract(ft_process_hooks("end", compact("form_id", "now", "ip", "new_submission_id"), array()), EXTR_OVERWRITE);

  return $new_submission_id;
} 

This updated function contains a few updates to pass more information to the hook. I'll explain why that's necessary later.

(2) Add a new field to your form through the Edit Form -> Database tab. Give it these values:

Pass On: (unchecked)
Form Field Name: created_by
Display Text: Created By (Client Account)
Field Size: 20 chars
Data Type: String
Database column: created_by (to edit this field, uncheck the "Auto-generate database column names" checkbox).

(3) Download and install the Hooks Manager module.

After installing it, create a new rule with the following settings:

Status: enabled
Rule Name: Store Who Created Submission
Priority: 50
Hook Type: Code Hook
Code Hook: ft_create_blank_submission, end
PHP Code:

PHP Code:
if ($form_id == X)
{
  $account_id    = $_SESSION["ft"]["account"]["account_id"];
  $submission_id = $new_submission_id;

  $info = array(
    "created_by" => $account_id
  );
  ft_update_submission_info($form_id, $submission_id, $info);
} 

Note: you'll need to replace the "X" on the first line of the PHP code to your form ID.

Alright, quick explanation break. At this point, what we've done is create a new field in the database that will store WHO created the submissions. The function that handles the new submission creation is the ft_create_blank_submission() which you just updated. The rule you created through the Hooks Manager runs whenever that function is called, and what it does is store the unique account ID of the client account (or admin account) that clicked the "Add" button.

Finally, the only thing remaining is to limit the submissions that appear for each client account. For this part we can just create a Client Map filter.

1. Edit your form and go to the Views tab, there go to the Filters sub-tab.
2. Add a new Client Map filter with the following settings:

Field: ID
Operator: Equals
Client Field: ID (in the "Core Fields" group in the dropdown).

And we're done. Now, when clients log in they will ONLY see submissions for that form that they themselves have created.

Of course, you'll probably want to update the existing submissions so that they can only been seen by the appropriate client. To do this, I'd suggest just adding that new "created_by" field a View that's only used by you, the administrator. You can then go through each submission and enter in the appropriate client ID for each submission.

Anyway, hope the above doesn't sound too intimidating. It took a little longer to explain than I thought, but the idea is sound: it should work the way you want. :-)

All the best, Brian.

- Ben

walkingby · Feb 25th, 2010, 6:18 AM

Outstanding Ben! Thank you much. I'll give this a shot today!

(Feb 24th, 2010, 10:55 PM)Ben Wrote: Hey Brian,

This was a tough one, I almost gave up. :-)

But here's how you could do it - it's actually not too tricky, but the explanation will take a little while. The only caveat is that you'll need to update one of the functions in the Form Tools core. I'd planned on including the updated function in 2.0.1 beta, but that'll be some time before it's ready - so consider this a pre-release.

Here's how to do it.

(1) Edit your /global/code/submissions.php file and replace the ft_create_blank_submission function with this new code:

PHP Code:
/** * Creates a new blank submission in the database and returns the unique submission ID. If the * operation fails for whatever reason (e.g. the form doesn't exist), it just returns the empty * string. * * @param integer $form_id * @param boolean $is_finalized whether the submission is finalized or not. */ function ft_create_blank_submission($form_id, $is_finalized = false) { global $g_table_prefix; if (!ft_check_form_exists($form_id)) return ""; $now = ft_get_current_datetime(); $ip = $_SERVER["REMOTE_ADDR"]; mysql_query(" INSERT INTO {$g_table_prefix}form_{$form_id} (submission_date, last_modified_date, ip_address) VALUES ('$now', '$now', '$ip') "); $new_submission_id = mysql_insert_id(); extract(ft_process_hooks("end", compact("form_id", "now", "ip", "new_submission_id"), array()), EXTR_OVERWRITE); return $new_submission_id; }

This updated function contains a few updates to pass more information to the hook. I'll explain why that's necessary later.

(2) Add a new field to your form through the Edit Form -> Database tab. Give it these values:

Pass On: (unchecked)
Form Field Name: created_by
Display Text: Created By (Client Account)
Field Size: 20 chars
Data Type: String
Database column: created_by (to edit this field, uncheck the "Auto-generate database column names" checkbox).

(3) Download and install the Hooks Manager module.

After installing it, create a new rule with the following settings:

Status: enabled
Rule Name: Store Who Created Submission
Priority: 50
Hook Type: Code Hook
Code Hook: ft_create_blank_submission, end
PHP Code:

PHP Code:
if ($form_id == X) { $account_id = $_SESSION["ft"]["account"]["account_id"]; $submission_id = $new_submission_id; $info = array( "created_by" => $account_id ); ft_update_submission_info($form_id, $submission_id, $info); }

Note: you'll need to replace the "X" on the first line of the PHP code to your form ID.

Alright, quick explanation break. At this point, what we've done is create a new field in the database that will store WHO created the submissions. The function that handles the new submission creation is the ft_create_blank_submission() which you just updated. The rule you created through the Hooks Manager runs whenever that function is called, and what it does is store the unique account ID of the client account (or admin account) that clicked the "Add" button.

Finally, the only thing remaining is to limit the submissions that appear for each client account. For this part we can just create a Client Map filter.

1. Edit your form and go to the Views tab, there go to the Filters sub-tab.
2. Add a new Client Map filter with the following settings:

Field: ID
Operator: Equals
Client Field: ID (in the "Core Fields" group in the dropdown).

And we're done. Now, when clients log in they will ONLY see submissions for that form that they themselves have created.

Of course, you'll probably want to update the existing submissions so that they can only been seen by the appropriate client. To do this, I'd suggest just adding that new "created_by" field a View that's only used by you, the administrator. You can then go through each submission and enter in the appropriate client ID for each submission.

Anyway, hope the above doesn't sound too intimidating. It took a little longer to explain than I thought, but the idea is sound: it should work the way you want. :-)

All the best, Brian.

- Ben

walkingby · Mar 7th, 2010, 10:07 AM

This is fantastic, works pretty close to what I was looking for. How complex would it be to take this one step further...

Within each form, directly within Form Tools, you have the ability to add a new submission. You also have the ability to edit each existing submission. This is perfect, but what if I wanted to apply the same concept you described below...to this aspect of Form Tools. For example, the "edit" button to the right of each submission would only display if the user who created that submission was currently logged in. So anything they did not create themselves, would not display the edit button. ...Then giving the ability to display all submissions, but only being able to edit the ones they have created themselves.

Thanks!

Brian

***Ben*** · Mar 7th, 2010, 7:42 PM

Haha you win, I can't do this one. :-) Sorry!

The problem is that the content of the submissions page is largely untouchable; what's really needed here it tweak the contents to omit the EDIT link in certain cases. But also, there'd need to be some backend permissions code running on the Edit Submission page to ensure that someone didn't get sneaky and tried hacking the URL by passing in IDs that they aren't permitted to edit. This last case is already handled for the "out the box" permissions, but it would be very finicky adding it to the logic that you're trying to add.

Sorry about that, Brian!

- Ben

walkingby · Mar 8th, 2010, 5:50 AM

Oh...not a problem at all! I'll figure something "creative" out! Thanks for taking the time with everything else! Smile

(Mar 7th, 2010, 7:42 PM)Ben Wrote: Haha you win, I can't do this one. :-) Sorry!

The problem is that the content of the submissions page is largely untouchable; what's really needed here it tweak the contents to omit the EDIT link in certain cases. But also, there'd need to be some backend permissions code running on the Edit Submission page to ensure that someone didn't get sneaky and tried hacking the URL by passing in IDs that they aren't permitted to edit. This last case is already handled for the "out the box" permissions, but it would be very finicky adding it to the logic that you're trying to add.

Sorry about that, Brian!

- Ben

FORUMS