Soma

I'm sure that's a facepalm issue. Any modules installed? Custom scripts that mess with page view?

You could use the config options for page secure files...

$config->pagefileSecure = true;
$config->pagefileSecurePathPrefix = '-';

and make unpublished pages and their files will not be accessible via url.

So you could create child pages under the users page with a file field, and leave those pages unpublished. The assets directory will be prefixed with "-" which is restricted by htaccess.

But then you can use a passthru script  to send the file to the user if certain requirements are given using wireSendFile();

So for example construct the download link to the file like this on a page the user can see.

<a href="/download.php?user=1007&file=filename.pdf">Download file</a>

and in download.php with something like this for the passthru and user check

// bootstrap PW
include("./index.php");

// make sure user is logged in
if(wire("user")->isLoggedin()){
    $file = $_GET['file'];
    $userid = $_GET['user'];
    $userpage = wire("pages")->get(wire("user")->id);
    if($userpage->id != $userid) die("no access"); // make sure it's the user
    if($filepage = $userpage->child("include=all")){ // since page is unpublished we add include all
        // get the file from the page
        $filename = $filepage->images->get($file)->filename;
        if(!$filename) die("download not found");
        // send file to browser
        wireSendFile($filename, array('exit' => true));
    } else {
        die("no user page found");
    }
} else {
    wire("session")->redirect("/somepage/");
}

If you use PW form API, it will get validated if you call processInput()

$form->processInput($input->post);

I think the CSRF doesn't get reset if the CSRF was valid, but you can do it manually with

$session->CSRF->resetToken();

after validating the form.

Or if you do manual form and not use InputfieldForm you can generate and validate the token

$session->CSRF->validate(); // will throw exeption if invalid

And get the token name and value with it respective methods

$session->CSRF->getTokenName(); // name for input hidden
$session->CSRF->getTokenValue(); // token value

Also the trick renobird mentioned is also very good to prevent double click submission errors.

Of course you can still use redirect method and as you may found the $notices errors and messages are transported through redirects.

I implement the PW CSRF token in my forms so a resubmit will result in a error message.

ProcessWire Online Installer

Since there's now a shortcut to download latest stable PW http://grab.pw , I created a simple helper PHP script you can upload to your server to download and extract a new PW installation.

1. Upload this php file to the server where you want to install latest ProcessWire
2. Go to the browser and call this script. It will download and extract ProcessWire files. Once done successfully it will redirect to the installer. Downloaded zip the grabpw.php will be removed.
3. If anything fails, make sure permission are correct on server and you remove files manually in case.

Just because it's cool. There's many ways to accomplish this task if you have ssh access for example using shell. Just wanted to have this alternative and maybe people find this useful too.

@ryan. Do you think you could provide an latest dev shortcut url too?

Nicely said Ryan!

I wonder why always people with "I only know basic HTML and CSS" come with the biggest and most complex coding PHP projects that even an experienced developer would have its adventure.

Here's another idea to have a flag on the authors page you would keep track if there's any books of the author.

So a simple module that does the following on book page save

$authors = $pages->find("template=author");
foreach($authors as $author){
    $found = $pages->count("template=book, authors=$author");
    $author->of(false);
    if($found && $author->has_books == 0) {
        $author->has_books = 1;
        $author->save('has_books');
    } else if($author->has_books == 1){
        $author->has_books = 0;
        $author->save('has_books');
    }
}

After that you can simply use:

$authors_with_books = $pages->find("template=author, has_books=1);

Of course if you have  a lot of authors it may not as efficient. But it could be more optimized using a direct SQL then.

Yes, it was more of a proof of concept, but it's working fine. You just have to enter the template and fields of both ends in the module and it will take care when page is saved and map both ends.

Well ok, it makes sense, but you seem to want to list authors and not books? So you can't use simple selectors and have to fall back to use SQL to query them for which have books and maybe how many.

No big problem, either way you can run into not being able to use PW selectors. Just was thinking out of the PW page "editing" context for a moment.

I once wrote a two way relation page field module that you would have selects on both author and books and when changing one side the other will update, this way you can run simple PW query on both sides. (not saying you should use this).

My example code isn't a problem and is the most simple way in that case.

I don't think it's a big problem looping all author, I think you won't have thousands anyway?

No it's not possible with a single selector, only the other way around.

An optimized query would be using direct SQL, and could be well made into a helper module.

Example: (removed)

Edit: just realized it's not exactly what you want, need to adapt a little

This will give you pages that have a reference to them via the defined field and are published:

$pagefield = "select_page";
$query = "SELECT p.id FROM pages p
            RIGHT JOIN field_$pagefield b ON p.id=b.data
            WHERE p.status < 2048";

$res = $db->query($query);
$ids = array();
while($row = $res->fetch_array()) $ids[] = $row['id'];

$pa = $pages->getByID($ids);
foreach($pa as $p) echo "<p>$p->title</p>";

Ok since you hook Page::viewable every page in PW will be somehow affected, even admin pages as they are also just pages.

So the message with $event->object->name is the admin pages rendered in the admin template. I'd guess it's the navigation. But since the ProcessPageList module is ajax driven you won't see any messages from there.

$event->arguments is nothing there I think, as the important with these page access hooks is the $event->return value.

So you would do set it to false or true

$event->return = false; // page won't be viewable

All the viewable hook does is define if a page is viewable or throw an 404.

In case of the admin page tree the page will still be visible and only have no -view- action button. That's all.

If you really want to hide pages in the admin I'm with Ryan, but see that there's cases where it would be nice to hide pages from users and keep a branch hidden from them.

I already stumbled and tried very hard 1-2 years ago, but realized it's not easy as there's no obvious hooks available where needed and it's done with ajax and there's some things to consider, didn't really bother.

Now after thinking for some time and try error I found an easy way to just remove pages from the page list tree. The trick is to modify the JSON output that goes with the ajax response, convert it to an array and

Long story short here's an example module for those interested. I used a pagelist_hidden page field added to the user template to define pages that are hidden for a user. Of course there could be endless configuration possibilities, with roles and what not, but don't want to go any further and maybe someone else finds this useful or as a start for a new module.

If Ryan reads this and is still with me. Would you consider adding some hooks to ProcessPageList.module? Or do you think the JSON manipulation is a good way? 

Most likely there would have to be some additional take care to make those pages also not editable. Those page will still be accessible manually through admin url. Such a module shouldn't be used to hide pages for access restriction, and it's only and best suited for hiding "private" branches in the admin, or functional pages that can't be in the /Admin/ branch for some reasons.

Wel

Welcome sosoba!

This would be possible by making a hook to any of the the form building methods in ProcessPageEdit.module. All methods with three underscores are hookable. All about hooks.

Take the HelloWorld.module and add this hook to the init()

$this->addHookAfter('ProcessPageEdit::buildFormSettings', $this, 'buildFormSettings');

And then add this function to the class.

public function buildFormSettings(HookEvent $event){
    $fieldset = $event->return; // get the fieldwrapper returned
    $field = $fieldset->get("_pw_page_name"); // get the name field
    $field->collapsed = Inputfield::collapsedYes; 
}