Hiding path in shop templates

Author Message

Richard Lundberg

Monday 16 August 2010 4:32:08 pm

I want to turn off the path display in certain shop views, in particular customerorderview and orderview in order to prevent a customer having access to the entire order list of all customers.

(I have enabled shop/adminstrate rights to customers so they can review their orders, but this gives the access to view all orders!!)

I have added

{set scope=global persistent_variable=hash('left_menu', false(),
'extra_menu', false(),
'show_path', false())}

to the top of the customerorderview.tpl template as this seems to be the method via ezpagedata() used by the frontpage template to turn of the path, but it does not seem to work for the shop template.

This is on 4.3

Any ideas?

www.peakm3.com

Peter Keung

Friday 27 August 2010 9:42:56 am

Have you tried ezpagedata_set?

However, even if you disable the link to the full order list, people can still access the URL directly. And even without "administrate" rights, it's easy to manipulate the shop/orderview/<order_number> URL to view other orders. Some workarounds for this privacy issue I've used in the past include building separate views or creating override templates with hack-ish permission checking.

http://www.mugo.ca
Mugo Web, eZ Partner in Vancouver, Canada

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.