I have a drop down element on a shipping form that uses a dbjoin to pull a list of company names from an addressbook table in the database - only specific to this user by filtering based on the user ID which is also stored in the addressbook table to filter on.
The drop down element has the following has the following join for the sql statement to ensure the list of items is for this user:
Additionally this drop down has the access details configured to show based on the logged in user ID.
I have enabled the option to add new addresses from the shipping form I have created.
-----
When the user logs in and navigates to the shipping form loads the drop down only shows the logged in user their addresses in the drop down ad when the user selects the company name in the drop down it will populate the address field elements on the page.
This works as expected.
-----
When the logged in user clicks the ADD button to add a new entry from the public side, and saves the details, the drop down element seems to reload so the new option is in the menu to select.
HOWEVER - the drop down now includes ALL USERS' addresses, not just the logged in user.
The drop down should use the same access and join filter data I have configured for the drop down element and NOT ignore it on the reload.
I have looked all over the forums and at all the documentation and I am pretty sure I have set my form and elements with access rights correctly. So this might be a bug,
Hopefully I an get some assistance with this ASAP, a fix or update to the element. This is preventing me from making my website live since it has a security issue exposing other users' data.
The drop down element has the following has the following join for the sql statement to ensure the list of items is for this user:
Code:
WHERE `user_id` = {$my->id}
Additionally this drop down has the access details configured to show based on the logged in user ID.
I have enabled the option to add new addresses from the shipping form I have created.
-----
When the user logs in and navigates to the shipping form loads the drop down only shows the logged in user their addresses in the drop down ad when the user selects the company name in the drop down it will populate the address field elements on the page.
This works as expected.
-----
When the logged in user clicks the ADD button to add a new entry from the public side, and saves the details, the drop down element seems to reload so the new option is in the menu to select.
HOWEVER - the drop down now includes ALL USERS' addresses, not just the logged in user.
The drop down should use the same access and join filter data I have configured for the drop down element and NOT ignore it on the reload.
I have looked all over the forums and at all the documentation and I am pretty sure I have set my form and elements with access rights correctly. So this might be a bug,
Hopefully I an get some assistance with this ASAP, a fix or update to the element. This is preventing me from making my website live since it has a security issue exposing other users' data.