I have Views Data Export installed, which creates a CSV file attached to every node. This file has all of the data from a field collection field arranged as a CSV.
The only user that should be able to download this CSV file is the admin (user 1) and the user that created the node.
In Views Data Export, I can select Role as a permission, and assign it to all “Managers”, but that means each “Manager” can download other Managers' data if they get the URL right. Anyone wanting to maliciously steal data, or sneak a peek at how much their colleagues are earning can simply guess the URL of the CSV file.
How would I restrict this download to the author of the node?
I have tried installing Path Rules, and creating a Rule that checks that the path of the CSV ends with CSV, and then runs a condition to check that the Nid of the currently logged in user matches one created by the author, but the download happens automatically regardless. There doesn't seem to be a path check before it is downloaded.
Stuck here scratching my head, would welcome even the slightest suggestion, or just a fresh pair of eyes! Thanks.
OK, some progression…
I delved into creating a views custom access like so…
Added files[] = couples_page_custom_access_plugin.inc
to a custom module info file
Added the following to couples_page_custom_access_plugin.inc
<?php
/**
 * Access plugin that provides property based access control.
 */
class couples_page_custom_access_plugin extends views_plugin_access {
  function summary_title() {
    return t('Couples Page Check User is Author');
  } // summary_title()

  /**
   * Determine if the current user has access or not.
   */
  function access($account) {
    return couples_page_custom_access($account);
  }

  function get_access_callback() {
    return array('couples_page_custom_access', array());
  }
}
Then added this to a custom module…
function couples_page_custom_views_plugins() {
  $plugins = array(
    'access' => array(
      'test' => array(
        'title' => t('Couples Page Check User is Author'),
        'help' => t('this is a custom access plugin'),
        'handler' => 'couples_page_custom_access_plugin',
        'path' => drupal_get_path('module', 'couples_page_custom'),
      ),
    ),
  );
  return $plugins;
}

function couples_page_custom_access($account = NULL) {
  global $user;
  $access = false;
  $account = user_load($user->uid);
  $node = node_load(arg(1)); // Get the nid from the URL of the CSV file.
  // If the UID of the currently logged in user matches the UID of the node author return true.
  if ($account == $node->uid) {
    $access = true;
  }
  return $access;
}
But it's not really working. If I set $access = true it works, and $access = false, it doesn't, so I know the plugin is working. It must be the logic in the last bit here…
function couples_page_custom_access($account = NULL) {
  global $user;
  $access = false;
  $account = user_load($user->uid);
  $node = node_load(arg(1)); // Get the nid from the URL of the CSV file.
  // If the UID of the currently logged in user matches the UID of the node author return true.
  if ($account == $node->uid) {
    $access = true;
  }
  return $access;
}
Perhaps I am not getting the author uid of that node correctly? I will look into it.
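The author-only check the post is aiming for, as an added example that is not part of the original post: a Drupal 7 replacement for couples_page_custom_access() that compares the account's uid with the node's uid, also admits user 1, and denies access when the node id is missing or invalid. It assumes, as the post's arg(1) call does, that the node id is the second component of the export path.

```php
<?php
/**
 * Added example, not the poster's code: author-or-admin access check for
 * the Views access plugin callback (Drupal 7).
 * Assumption: the node id is the second path component, as arg(1) in the
 * post implies.
 */
function couples_page_custom_access($account = NULL) {
  global $user;

  // get_access_callback() in the post passes an empty argument array, so
  // no account arrives here; fall back to the current user.
  if (empty($account)) {
    $account = $user;
  }

  // Deny anonymous users outright. Without this, uid 0 would match any
  // node whose author is also uid 0.
  if (empty($account->uid)) {
    return FALSE;
  }

  // Accept only a plain non-negative integer as the node id.
  $nid = arg(1);
  if (!is_string($nid) || !ctype_digit($nid)) {
    return FALSE;
  }

  // node_load() returns FALSE for a node that does not exist; fail closed.
  $node = node_load((int) $nid);
  if (!$node) {
    return FALSE;
  }

  // User 1 is the site administrator and may download any export.
  if ((int) $account->uid === 1) {
    return TRUE;
  }

  // Compare uid with uid, not the whole user object with the node's uid.
  return (int) $account->uid === (int) $node->uid;
}
```

Every path that cannot positively identify the requester as the node's author or user 1 returns FALSE, so a guessed export URL for someone else's node is refused.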