agileware-fj closed 4 years ago
Aaaand I just discovered a flaw in this where it updates the logged-in user as well. Better fix that, I guess.
Okay, the incorrect updating is fixed. I've confirmed that this works with the logged-in user and no cid specified also.
Overview
Allow cid=n in the URL to load other contacts when logged in
Before
When logged in, only contact information for the logged-in user can be used to prefill forms.
After
If a cid=n parameter is provided to the form, it checks if the user has permission to edit that contact and loads it instead. If the logged-in contact does not have permission to edit the specified contact, no contact is loaded.
Comments
This changes the behaviour where cid is ignored when the user is logged in.
I think this is justified as loading the contact of the currently logged-in user when a cid is specified is significantly unintuitive and can cause unintended data changes, like users overwriting their own contact details. It's better to load no contact and create a new one than to update the wrong contact.
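The contact-selection rule described in this pull request, as an added Python sketch that is not the project's code. The names `parse_cid`, `resolve_form_contact`, `can_edit` and the sample ACL are hypothetical, and treating a malformed cid as "no contact" is an assumption the page does not state.

```python
from typing import Callable, Mapping, Optional

# Constructed sample ACL: editor contact id -> contact ids that editor may edit.
SAMPLE_ACL = {10: {10, 20}, 11: {11}}


def can_edit(editor_id: int, target_id: int) -> bool:
    """Hypothetical permission check standing in for the real one."""
    return target_id in SAMPLE_ACL.get(editor_id, set())


def parse_cid(raw: Optional[str]) -> Optional[int]:
    """Return a positive integer contact id, or None if absent or malformed."""
    if raw is None:
        return None
    raw = raw.strip()
    # Accept plain ASCII digits only: rejects signs, floats, Unicode digits.
    if not (raw.isascii() and raw.isdigit()):
        return None
    cid = int(raw)
    return cid if cid > 0 else None


def resolve_form_contact(
    query: Mapping[str, str],
    logged_in_cid: int,
    check: Callable[[int, int], bool] = can_edit,
) -> Optional[int]:
    """Pick the single contact a logged-in user's form loads and later saves to.

    Returning one id for both prefill and save keeps the update target from
    drifting back to the logged-in contact when another cid was requested.
    None means: load nothing, so the submission creates a new contact.
    """
    if "cid" not in query:
        # No cid given: unchanged behaviour, use the logged-in contact.
        return logged_in_cid
    cid = parse_cid(query["cid"])
    if cid is None:
        # Assumption: a malformed cid loads no contact rather than falling
        # back to the logged-in contact.
        return None
    # cid given: load it only with edit permission, otherwise load nothing.
    # Never fall back to the logged-in contact here.
    return cid if check(logged_in_cid, cid) else None
```
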