Restrict ability to edit-profile on front-end to specific user groups Topic is solved

[ralphlorem]

Hello all,

I have been researching for a way that I can allow only specific user-groups to change their password on the front end using the "Edit User Profile" page.

At first, I figured that I would be able to create a menu item for the "Edit User Profile" page and assign it with an access level / permission. It appears this does not work, because when I create a test account and tick "Require password reset" it redirects me to that page after logging in.

Am I missing something in regards to the method I attempted previously? My only guess of what could be going wrong with it is that the access level is granted to the menu item itself, not the page's content.

Does anyone have any tips or advice on how I can allow only a specific usergroup the ability to change their password via the "Edit User Profile" page on the front end? Thank you.

[toivo]

Create a template override for the Profile view of Users. Go to Extensions - Templates - Templates - (for example) Protostar Details and files. Go to the tab Create Overrides and click com_users - profile from the column Components.

The override files are written into the folder templates/protostar/html/com_users/profile. Delete all the files except edit.php that needs to be customised. The following example has Author as the user group where members are allowed to change the password. Tested in Joomla 3.10.12.

Part 1 - insert the lines after the two lines loading the plugin language:

Code: Select all

// Load user_profile plugin language
$lang = JFactory::getLanguage();
$lang->load('plg_user_profile', JPATH_ADMINISTRATOR);
// mod allow only Author group to update password
$author	= 3;					// user group id 
$user 	= JFactory::getUser();	// current user
$userId = $user->get('id');		// user id
$groups = JAccess::getGroupsByUser($userId); // user's user groups	
$allow 	= in_array($author, $groups);

Part 2 - find the lines from 'Iterate through the fields' and make the changes:

Code: Select all

					<?php // Iterate through the fields in the set and display them. ?>
					<?php foreach ($fields as $field) : ?>
						<?php // If the field is hidden, just display the input. ?>
						<?php // display password only to allowed group ?>
						<?php if (($field->hidden) OR (($field->fieldname === 'password1' OR $field->fieldname === 'password2') AND !$allow)) : ?>						
							<?php // echo $field->input; ?>
							<?php else : ?>

[ralphlorem]

Thank you Toivo, I really appreciate your answer.

I've followed the steps you've provided and implemented the code, however, when I log into my test account with permissions of the "Author" usergroup ( ID 3 ), the submit button appears to be disabled and I cannot click it.

Observing the button in inspect element, I can see that the input button has a "disabled" tag as seen below:

Code: Select all

<button type="submit" class="btn btn-primary validate" disabled="">Submit</button>

If I remove the "disabled" from the button, I am able to click it and proceed, however, the password does not change as it warns me that I am providing an invalid name, username, and email. Prior to implementing the code, the ability to change my password works and does not throw the invalid inputs message.

Any ideas? I am still tinkering around with the code myself. Thank you again.

[ralphlorem]

After some tinkering, it appears to be an issue with a plugin called "System - Password Control". In the "form fields" section of the plugin, there is an option to hide a user's email address on the Profile Edit Form. If this is set to "NO", do not hide the email, it appears that the process and password reset works.

Re the permission groups issue, suddenly the input for passwords does not show if you are not an author - so that part is working. Thanks again! Will report back if I discover the conflict with the plugin

[ralphlorem]

A final update:

I've removed if (($field->hidden) from your code and used the following:

Code: Select all

<?php if (($field->fieldname === 'password1' OR $field->fieldname === 'password2') AND !$allow) : ?>

Which made the edit profile area work as intended. Additionally, I used $allow in an if statement to wrap the entirety of the member-profile form. To preface, the goal I was attempting to accomplish was to display only the password edit fields to a specific user group and restrict the ability to change anything else. Ultimately, I used some of the great information you provided me with to conceal the entirety of the profile edit form unless you belong to a certain user group.

Many thanks, you helped me a lot and I learned some stuff on the way!

[toivo]

Cheers! Happy to have been able to assist!