Home›Forums›General Support – NOT for Volunteer and PTA plugins!›Before purchasing PTA sus "groups"
- This topic has 5 replies, 2 voices, and was last updated 8 years, 5 months ago by Stephen Sherrard.
-
AuthorPosts
-
-
May 28, 2016 at 2:13 PM #10438Mark LeighParticipant
Looking at purchasing PTA Volunteer Sign Up Sheet Groups; but had a query first.
Lets say I made a group of sign up sheets, then added them to a page with a pta-sus group shortcode
Now lets say I use the wordpress groups plugin to restrict access to that page to a certain group of users.If I still want to use the shortcode [pta_sign_up_sheet] an another page to give users somewhere to see ALL of their upcoming shifts; can’t users that are unauthorized to access the page now see a link (and click it and use it) to the sign up sheets that are in that group, as the [pta_sign_up_sheet] shortcode lists ALL sheets?
And furthermore, even if that shortcode was never used wouldn’t an un-authorized user just be able to modify the URL to access one of the sheets in the protected group anyway? (ie /?sheet_id=15 changed to whatever sheet number they want)
Thanks,
-Mark- This topic was modified 8 years, 5 months ago by Mark Leigh.
-
May 28, 2016 at 3:18 PM #10443Stephen SherrardKeymaster
First of all, on the page where you put the shortcode that includes the group argument, they will see all the sheets assigned to the group, PLUS ALL of their signups if they are signed in. They will see the signups for sheets that aren’t part of the group even when using the group argument, so they will be able to see a list of any of their signups on any of the group pages that you give them access to.
can’t users that are unauthorized to access the page now see a link (and click it and use it) to the sign up sheets that are in that group, as the [pta_sign_up_sheet] shortcode lists ALL sheets?
No, if you are using the other groups plugin to restrict access to certain pages, if they see the link or guess a link to one of those pages, they will still be prevented from viewing that page due to the access controls you set via the other groups plugin.
And furthermore, even if that shortcode was never used wouldn’t an un-authorized user just be able to modify the URL to access one of the sheets in the protected group anyway? (ie /?sheet_id=15 changed to whatever sheet number they want)
Yes, they could alter the ids and go ahead and view and sign-up that way. My plugin is not attempting to control access to specific sheets or check to see who is authorized to view what sheets. That would make the plugin MUCH more complex and much more expensive. The real purpose of my Groups plugin (groups was probably a poor choice of names) was to “group” the sheets into certain categories or lists for organizations that had a LOT of volunteer opportunities and wanted a way to separate them out into smaller lists.
If you’re not trusting your users to not sign-up for things they should not be signing up for (even though you could clear any invalid sign-ups yourself as admin), then my groups plugin won’t do what you are wanting to do. It’s not designed for access control.
You could add that to the feature requests section, and I may consider it for a future update. If it’s something you absolutely need right away, we could discuss what it would cost to have that developed for you.
-
June 1, 2016 at 1:43 PM #10512Mark LeighParticipant
Ok; I respect that I’m trying to make the plugin do something it’s really not meant to do, and just want to say I very much appreciate your answers in spite of that.
To clarify; if I leave a public page with the shortcode [pta_sign_up_sheet] on it (which I have to do; to allow non-restricted users to see a list of their shifts…) then the non-restricted users will have access to the “restricted” group of sign up sheets?
-
June 1, 2016 at 2:45 PM #10514Stephen SherrardKeymaster
To clarify; if I leave a public page with the shortcode [pta_sign_up_sheet] on it (which I have to do; to allow non-restricted users to see a list of their shifts…) then the non-restricted users will have access to the “restricted” group of sign up sheets?
Yes. You are correct. The generic shortcode, with no group arguments, will show all sheets and not try to limit people in any way. Never was the intention of the plugin to try to control who has access to what sheets as it was not something we needed for our school PTA site, nor was it included in the original version of the plugin (from another developer) that I used as the starting point for the code for my free plugin (we needed additional/different features, so I started with the closest plugin I could find and modified it for our school’s needs).
The free plugin is open source, and I have a TON of action/filter hooks in place to allow it to be greatly modified by not only my own extensions, but as well as any other developer that wants to do so. If you (or someone you know), is good with PHP and understands WordPress and how the action/filter hooks system works, you could probably create some add-on functions to limit access (not print out details or sign-up form) to certain sheets based on certain criteria (such as settings in the free WordPress Groups plugin, if you are using that to control access to pages).
Perhaps for a “version 2” of the plugin, at some point in the future, I will look at adding some sort of access restrictions (possibly tied to the WordPress Groups plugin), since you are not the first to ask about that. However, I can’t promise when, or even if, I’ll do that as the extensions for the free PTA plugins don’t sell enough to cover their development costs at this point, and my priorities are on my paid custom development jobs, and my much better selling WooCommerce extensions.
-
June 6, 2016 at 3:44 PM #10556Mark LeighParticipant
Hey,
Thanks for the reply. I just wrote my own access control plugin add-on for your plugin. I just need to flush out the front end and then I’ll publish it; or I can give it to you to publish as an add-on. It just adds an event based password control to a sheet. It does modify the schema to include a password field at the end of the sheets table. So far this doesn’t seem to have broken anything.I opted to avoid user/group based control as granting access to all the right users (often we have no idea who they are) would take far too much time; and we need non-registered users to still be able to sign up for shifts.
Thanks,
-Mark- This reply was modified 8 years, 5 months ago by Mark Leigh.
-
June 6, 2016 at 5:03 PM #10560Stephen SherrardKeymaster
Yes, by all means feel free to publish it on WordPress.org as a free add-on for my plugin. Or, if you want to send me the code and have me possibly make it a bit more generic (some extra configuration options, perhaps), I’m happy to take a look, and I can publish it here as a free add-on.
-
-
AuthorPosts
- You must be logged in to reply to this topic.