[Resolved] Grant/revoke access to image visibility based on user

This thread is resolved. Here is a description of the problem and solution.

Problem: I want to grant or revoke access to certain content on a single post and user basis. Is this possible using Toolset?

Solution: Partially it is natively possible using Access, but for example, to allow or disallow access to single fields by posts by users, you'll need some custom code.

The core idea of this code is explained here: https://toolset.com/forums/topic/grant-revoke-access-to-image-visibility-based-on-user/page/2/#post-1489243

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

This topic contains 32 replies, has 2 voices.

Last updated by Silvia 1 month, 3 weeks ago.

Assigned support staff: Beda.

Author
Posts
#1488657

Okay, we're on step 5 done.

>6. When granting access, we have several options, but I think the easiest is since the admin is going to manually approve access, to >have a user Field in the User profile to store the Tessuti (post IDs) that user has access to.

What format should that field have? is plain text ok? Is a single field ok or do i have to create a group field (if it is even possible with users)?

#1489243

Beda
Supporter

Languages: English (English ) Spanish (Español ) German (Deutsch )

Timezone: Asia/Ho_Chi_Minh (GMT+07:00)

If your admin is going to add each user's permission for each post manually, and no further automatic workflow is required, a simple single-line field will do.
The Admin will then have to enter the Post IDs to which the user has access to, by comma-separated ID's.
For example, if the user now has access to post ID 3, 303 and 400, then that is what we enter as Admin in the respective users's profile:

3,303,400

If one of these posts need to be removed, we remove the Post ID.

Once such a field is populated we can check on its values, for this we'll get the value of that field with a Custom code.

We need a ShortCode, or function, that gets the user field (get_user_meta()) and then explodes the content at each comma, removes each comma, puts the IDs in an array, and compares it to the current post

Hence our ShortCode

function user_can_see( $atts ){

	$current_user_id = wp_get_current_user()->ID;
	$field_value = get_user_meta($current_user_id,'wpcf-user-can-see', true);
	$field_values_array = explode( ',', $field_value );
	// error_log(print_r($current_user_id, true));
	// error_log(print_r($field_value, true));
	// error_log(print_r($field_values_array, true));
	// error_log(print_r(in_array(get_the_ID(), $field_values_array), true));

	if (in_array(get_the_ID(), $field_values_array)) {
		return true;
	}
	else {
		return false;
	}

}
add_shortcode( 'user-can-see', 'user_can_see' );

You need to register this ShortCode in Toolset > Settings > Front End Content, after amending it to your needs.
Then, you can use it in an HTML condition, like so:

[wpv-conditional if="( '[user-can-see]' eq '1' )"]
  Display here the actual picture you want to hide generally but show only to users who have access to this post images 
[/wpv-conditional]

The above will be true only if the user who's logged in has the ID of the Post viewed saved in his profile.

The code will need some amendments, such as a check for if the field in the user profile is empty, or invalid. But for a starter to custom code, this should be a leading way.

#1489795

Hi Beda, thanks for you answer. Before I start implementing the code you provided, I must ask a question that most likely my client will ask me: will the admin have to add ( and remove) the ID'S of the textiles that a client can see MANUALLY?
Because I know that my client won't be completely happy with this solution. On the other hand, if any other solution implies the creation of a lot of custom code that (understandably) you guys don't provide, this solution will have to make do.

#1491659

Beda
Supporter

Languages: English (English ) Spanish (Español ) German (Deutsch )

Timezone: Asia/Ho_Chi_Minh (GMT+07:00)

That is what I was asked repeatedly in the previous messages.
The Admin has to add the IDs manually.

You mentioned the Admin will respond manually to the user request, and even send these users an email mentioning the access granted.

Since the Admin is adding these privileges manually, there is no other way around this.
The Admin will somehow be informed about the access request.
In that request, you could include the Post ID already, so the Admin just needs to copy-paste that into the user's field.

One can do all this automatically, of course, with a Toolset Form, but that requires more custom code, where the Admin will submit a Form to approve access (for example) and the IDs will be passed to the respective User automatically.

For example, you could have a Form that updates the user, and a generic checkboxes Field populated with a View to generate a checkable list of posts to which that user can be set to have access to.
Then you would add custom code hooks to cred_save_data() so when the form is submitted, the user field (single line with the Post IDs) gets updated.

This, however, requires more custom code, which I cannot fully prepare here, I could only assist and guide along.
I could help but you would have to mainly craft the custom code - I could not prepare a fully ready to use solution for this, due to the Support Guidelines https://toolset.com/toolset-support-policy/

This is why I wanted to clarify what you required before I created the above example, which implements it with a manual add of the ID

If you require particular help for custom code that is above the Toolset Support, which seems to be the case for this project, we can also recommend https://toolset.com/contractors/

There are other solutions, such as using a Role and upgrading the user who requests access to that role once the Admin grants access.
But this will mean the entire Role (all users of that role) will have access to the particular posts/pictures.

If you are not fully comfortable with Custom Code (mainly for maintenance) I would suggest referring to a contractor, if required.
If you are comfortable with, I can help you along creating the mechanism.

#1491725

Beda, thank you again for answering.
I'd say that the "manual" solution is ok for now. If my client doesn't feel comfortable with this solution I will inform him that a more customized solution will have to involve a contractor with a specific cost.
So, just for recap: I already implemented the form through which the client asks for access to a specific fabric. The admin receives an email with the client's data and the name of the fabric (still in troubleshooting with Chris Cox). I have created a text field into the user's profile in which the admin will have to insert fabric id's separated by comma.
Let's proceed from here.

#1491727

Beda
Supporter

Languages: English (English ) Spanish (Español ) German (Deutsch )

Timezone: Asia/Ho_Chi_Minh (GMT+07:00)

OK, in this case, you can go ahead adapting this to your site:
https://toolset.com/forums/topic/grant-revoke-access-to-image-visibility-based-on-user/page/2/#post-1489243

That should solve this for now, and you can still populate that field later with some more advanced code, if required.

#1495407

Beda I am sorry for the delay but I am still having huge health problems, I'm in and out of hospital and I am trying to solve this as quick as I can.
I think I did everything you instructed, I even created a client user and tested the whole procedure. Unfortunately the image is not showing properly. Also for a reason that I personally can't understand, if you click on the name of a textile in the TEXTILES page, instead of displaying the content template with the fabric data, it shows the image directly.
Can you help?

#1495787

Beda
Supporter

Languages: English (English ) Spanish (Español ) German (Deutsch )

Timezone: Asia/Ho_Chi_Minh (GMT+07:00)

can you show me an example of a User Profile I can edit, and a Post that User Profile should have access to its images so I can doublecheck?
I will obviously also need login data for that test user, along with the current Admin account

Please open a new ticket for any other issue, such as links or content templates not working as expected.
Let's focus on the image permission and visibility issue here.

#1495929

Beda
Supporter

Languages: English (English ) Spanish (Español ) German (Deutsch )

Timezone: Asia/Ho_Chi_Minh (GMT+07:00)

You didn't create a single line field but a repeating field for the user profile.

Please create a single line field, not repeating, and add the IDs of those posts as instructed, comma-separated.

Then it will work if all the rest was implemented as suggested.

Can you test?

#1495931

I'll test now and report to you

#1495933

Beda
Supporter

Languages: English (English ) Spanish (Español ) German (Deutsch )

Timezone: Asia/Ho_Chi_Minh (GMT+07:00)

Thanks

#1495943

Beda I tried to test the procedure but since the view on Tessuti page is not behaving as expected, instead of viewing the custom template of the textile, I get to see the lightboxed image of the textile when I click on the name of the textile. I feel like giving up.

#1495999

Beda
Supporter

Languages: English (English ) Spanish (Español ) German (Deutsch )

Timezone: Asia/Ho_Chi_Minh (GMT+07:00)

I do not understand how that is related to the content control (who has access to)

The Content Template for Tessuti is here hidden link
You added the condition at the bottom, like so:

[wpv-conditional if="( '[user-can-see]' eq '1' )"]
  <a href="[types field='immagine' size='full' output="raw"][/types]"><img src="[types field='immagine' size='medium' url='true' resize='crop'][/types]"/></a><hr>
[/wpv-conditional]

To make sure everything is working I checked what [user-can-see] outputs by simply inserting it into that template.
The ShortCode didn't execute, it was shown as [user-can-see] in the front end.
That usually means the code is missing - but I see you added it here hidden link, however it wasn't active.
As soon I activated it, it started working but did evaluate as "false".

Clearly this was because in the client user profile "User can see" field, you added 5501,5511, but not 5512, which is the post you mentioned this user shall have access to.
If you visit either 5501 or 5511 (hidden link, hidden link) you will see the Shortcode outputs true.
The image will then be visible.

Note, I have changed the custom code to output a STRING (true or false) instead of a BOOLEAN, and adjusted your HTML Condition accordingly, so it can be made visible in the front end when debugging like above.
You could change that back to use booleans or simply leave as is.

#1496023

I see you visited the url to the textile directly, instead of going on page TESSUTI and chose the textile to view.
So now this looks like it's working, I have to adjust things so that if the client actually can see the image, the locked-image placeholder and the request to have access to the textile are hidden.
Do you have other details to add to this code or can we call it resolved?

#1496027

Beda
Supporter

Languages: English (English ) Spanish (Español ) German (Deutsch )

Timezone: Asia/Ho_Chi_Minh (GMT+07:00)

The code was fine.
I only changed what it outputs so it's readable for a human when debugging.

Activating the code was what was missing and before that, the field was repeating as well.

Now, it should work.
I missed I should visit the TESSUTI page and there is in fact no such page.
I assumed you mean "I Tessuti", but the shortcode is not used on that View used on that page.

Is there still an issue with the control of access to those images?