How to allow only the poster to modify photos

Topics: Help
Jul 8, 2007 at 3:28 PM
Hello.

With Zack's help, I modified CSK2.0 to only allow members in the "UserEdits" role (basically myself) to "Manage Users", "Manage Forums" and "Send Email". Administrators cannot do that kind of stuff now. I assigned all new valid users to the Administrators role. So they can use all of the adds, edits, deletes of photos, events and news, but Administrators cannot "Manage Users", "Manage Forums" and "Send Email".

Is there an easy way to make it so that only the person who added a photo album and photos can edit and delete the photos or album they created? The way it is now, any Administrator can edit or delete anybody else's photos/albums.

Any help would be gratefully appreciated.

Thanks,
Tony
Jul 9, 2007 at 12:39 AM
It's fairly easy. You just need to compare the logged in userid with the userid associated with the photo on page load. Then you show or hide your edit button based on the outcome.

I did it for another purpose. I just shut down, but I'll post some pseudo code tomorrow if you want.

Why don't you want the admin to have "god" powers? I mean, what if one of your users posts a picture of his butt or something? Do you really only want the poster to have the authority to remove his own photo?
Jul 9, 2007 at 1:37 AM

Tina wrote:
It's fairly easy. You just need to compare the logged in userid with the userid associated with the photo on page load. Then you show or hide your edit button based on the outcome.

I did it for another purpose. I just shut down, but I'll post some pseudo code tomorrow if you want.

Why don't you want the admin to have "god" powers? I mean, what if one of your users posts a picture of his butt or something? Do you really only want the poster to have the authority to remove his own photo?


Hello Tina.

Sounds pretty easy. I'll start looking at that method.

Well, I guess if somebody posted a picture of my butt, I'd want the ability to delete it too. Are you serious about this? I never thought of it that way and now I'm not sure if I will really put it into effect even if I do get it to work.

What was the idea in designing the CSK2.0 for the Administrator role? Should all the approved users get it or are there cases when an approved user gets either the Editors or Bloggers or both? I never did try to figure that out.

Thanks,
Tony
Jul 9, 2007 at 2:20 AM
Edited Jul 9, 2007 at 2:45 AM
The butt part was a joke, but yes, I was serious about retaining the ability to remove inappropriate material. People do stupid, unexpected stuff all the time.

I don't know what the original intent was, but I'm using the roles thusly:

1. The default for a new member signing up is that he is assigned no role. I didn't change that - it's just how it works.
2. If I approve someone to write blog content, I can give him the blog role.
3. If, for example, I hired someone to write marketing copy, I would grant him/her the Editors role. It really just depends on your usage needs. If it's a Scout site, maybe all leaders get to be bloggers.
4. Only I get Admin role. I will also retain all the other roles I've created. I can do anything, because it will be my site. I want to have ultimate veto power. No way would I give that away.

But, I didn't realize anyone could modify anyone else's pictures. I'll definitely only allow the owner of the picture or the Admin to manage those. I'll run some tests to see how it behaves.
Jul 9, 2007 at 3:47 AM

Tina wrote:
The butt part was a joke, but yes, I was serious about retaining the ability to remove inappropriate material. People do stupid, unexpected stuff all the time.

I don't know what the original intent was, but I'm using the roles thusly:

1. The default for a new member signing up is that he is assigned no role. I didn't change that - it's just how it works.
2. If I approve someone to write blog content, I can give him the blog role.
3. If, for example, I hired someone to write marketing copy, I would grant him/her the Editors role. It really just depends on your usage needs. If it's a Scout site, maybe all leaders get to be bloggers.
4. Only I get Admin role. I will also retain all the other roles I've created. I can do anything, because it will be my site. I want to have ultimate veto power. No way would I give that away.

But, I didn't realize anyone could modify anyone else's pictures. I'll definitely only allow the owner of the picture or the Admin to manage those. I'll run some tests to see how it behaves.


If I understand your last sentence correctly, you will try to get it so that only the originator of a photo can edit/delete it. I think that kind of change could be applied to events, news items and forum replies also.

I'm going to try it also.

Thanks,
Tony
Jul 9, 2007 at 3:51 AM
Absolutely. I used that logic for some new pages I wrote, which is why I'll have to give you pseudocode and not real code.
Jul 10, 2007 at 12:09 AM
I think if you set your album to private, other users will not be able to modify it or delete it. If you simply want to use those photos in news articles, then that will work. If you want to show the album, but not allow the other members to edit it, then you have some work to do. For my purposes, I think I can just set it to private so I may not bother. We'll see...

Here's the code I wrote for determining whether someone owns a record and whether to allow them to edit it.

In the page, I use a form and I call this on databound. I used the DAL and BLL, so this may not be what you're looking for. I think it's a little heavy-duty for a simple webapp, but I was following the tutorials on asp.net from fourguysfromrolla so it is what it is.

' Code-behind needs: Imports System.Web.Security, System.Web.UI.WebControls
Protected Sub Rec_DataBound(ByVal sender As Object, ByVal e As System.EventArgs) _
        Handles FormView1.DataBound
    ' Only act when the read-only (view) template is loaded
    If FormView1.CurrentMode = FormViewMode.ReadOnly Then

        Dim foundControl As Control = FormView1.FindControl("btnEdit")
        If foundControl Is Nothing Then Return ' no edit button in this template

        If Page.User.Identity.IsAuthenticated Then
            ' Key of the logged-in member
            Dim mem As MembershipUser = Membership.GetUser()
            Dim gui As New Guid(mem.ProviderUserKey.ToString())

            ' Typed row bound to the FormView (one row type used for both the
            ' declaration and the cast)
            Dim myrec As Recipe.RecipeRow = _
                CType(CType(FormView1.DataItem, System.Data.DataRowView).Row, _
                    Recipe.RecipeRow)

            ' Show the edit button only to the member who owns the record
            foundControl.Visible = (myrec.memberid = gui)
        Else
            foundControl.Visible = False
        End If
    End If
End Sub
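
The handler above only decides whether the edit button is rendered. As an added example (not part of the original post and not CSK code), here is the same owner-or-admin rule enforced in the handlers where the update and delete actually run. `RecDetail`, `RecBLL.GetOwnerId`, the `recid` key name and the `Administrators` role name are assumptions.

```vbnet
Imports System
Imports System.Collections.Specialized
Imports System.Web.Security
Imports System.Web.UI.WebControls

' Added example, not CSK or forum code. RecDetail, RecBLL.GetOwnerId and the
' "recid" key name are hypothetical; FormView1 is the control from the post.
Partial Class RecDetail
    Inherits System.Web.UI.Page

    ' Role allowed to remove anyone's content (assumed name; use your own).
    Private Const ModeratorRole As String = "Administrators"

    ' Owner or moderator may modify; everyone else, including anonymous, may not.
    Private Function CanModify(ByVal ownerId As Guid) As Boolean
        If Not User.Identity.IsAuthenticated Then Return False
        If User.IsInRole(ModeratorRole) Then Return True
        Dim mem As MembershipUser = Membership.GetUser()
        If mem Is Nothing Then Return False
        Return New Guid(mem.ProviderUserKey.ToString()) = ownerId
    End Function

    ' Look the owner up again by record key, so the decision uses the stored
    ' owner rather than whether a button happened to be visible.
    Private Function IsAllowed(ByVal keys As IOrderedDictionary) As Boolean
        Dim recId As Integer = Convert.ToInt32(keys("recid"))
        Dim ownerId As Guid = RecBLL.GetOwnerId(recId) ' hypothetical BLL call
        Return CanModify(ownerId)
    End Function

    ' Cancel the update unless the caller owns the record or is a moderator.
    Protected Sub FormView1_ItemUpdating(ByVal sender As Object, _
            ByVal e As FormViewUpdateEventArgs) Handles FormView1.ItemUpdating
        If Not IsAllowed(e.Keys) Then e.Cancel = True
    End Sub

    ' Same rule for deletes.
    Protected Sub FormView1_ItemDeleting(ByVal sender As Object, _
            ByVal e As FormViewDeleteEventArgs) Handles FormView1.ItemDeleting
        If Not IsAllowed(e.Keys) Then e.Cancel = True
    End Sub
End Class
```

`e.Keys` is only populated when the FormView's `DataKeyNames` includes the record key.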
Jul 11, 2007 at 12:21 AM

Tina wrote:
I think if you set your album to private, other users will not be able to modify it or delete it. If you simply want to use those photos in news articles, then that will work. If you want to show the album, but not allow the other members to edit it, then you have some work to do. For my purposes, I think I can just set it to private so I may not bother. We'll see...

Here's the code I wrote for determining whether someone owns a record and whether to allow them to edit it.

In the page, I use a form and I call this on databound. I used the DAL and BLL, so this may not be what you're looking for. I think it's a little heavy-duty for a simple webapp, but I was following the tutorials on asp.net from fourguysfromrolla so it is what it is.

' Code-behind needs: Imports System.Web.Security, System.Web.UI.WebControls
Protected Sub Rec_DataBound(ByVal sender As Object, ByVal e As System.EventArgs) _
        Handles FormView1.DataBound
    ' Only act when the read-only (view) template is loaded
    If FormView1.CurrentMode = FormViewMode.ReadOnly Then

        Dim foundControl As Control = FormView1.FindControl("btnEdit")
        If foundControl Is Nothing Then Return ' no edit button in this template

        If Page.User.Identity.IsAuthenticated Then
            ' Key of the logged-in member
            Dim mem As MembershipUser = Membership.GetUser()
            Dim gui As New Guid(mem.ProviderUserKey.ToString())

            ' Typed row bound to the FormView (one row type used for both the
            ' declaration and the cast)
            Dim myrec As Recipe.RecipeRow = _
                CType(CType(FormView1.DataItem, System.Data.DataRowView).Row, _
                    Recipe.RecipeRow)

            ' Show the edit button only to the member who owns the record
            foundControl.Visible = (myrec.memberid = gui)
        Else
            foundControl.Visible = False
        End If
    End If
End Sub



Thanks Tina.

What do you mean by "pseudocode"?

I'm working on something else right now, so I probably won't get to this right away.

Tony