Making Sure Members Only See Their Entries
Posted: 06 December 2010 08:14 AM
Wallflower
Total Posts: 8
Joined 2010-12-02

I’m not sure if this is SafeCracker-specific or ExpressionEngine-specific, but here’s my situation and question:

I’m using SC for a job-application form: each application submission becomes a channel entry; typical stuff, I imagine. I’m using the applicant’s first and last name as the Title field, seen here in the first chunk of code:

<h1>Application</h1>
{exp:safecracker channel="employment_application" return="main/index" url_title="{segment_3}" preserve_checkboxes="yes"}

<ul>
    <li>
        <label for="appFirstLastName">First &amp; Last Name</label><br />
        <input type="text" name="title" id="appFirstLastName" value="{title}" />
    </li>
    <li>
        <label for="appPhoneNumber">Your Phone Number</label><br />
        <input type="text" name="emp_app_phone_number" id="appPhoneNumber" value="{emp_app_phone_number}" />
    </li>
    <li>
        <label for="appEmailAddress">Your Email Address</label><br />
        <input type="text" name="emp_app_email_address" id="appEmailAddress" value="{emp_app_email_address}" />
    </li>
    ...

…and, using the url_title parameter as I am, it’s easy to pull up the applicant’s submitted data with a URL such as website.com/index.php/thing/app/john_smith

All is well.

BUT, then I imagine an evil John Smith saying to himself, “Hmm, I wonder if I can pull up other people’s applications using the obvious pattern I see in the URL. I’ll try jack_jones, or susan_crabtree, or billy_awesomepants,” and so on.

Now, I was smart enough to set the member group preference to disallow editing of other members’ entries, and it certainly works, but it doesn’t stop Evil John Smith from pulling up other people’s entries when he correctly guesses their names and sticks them at the end of the URL. So Evil John can see other people’s data, but he can’t edit it. That’s decent, but of course not good enough.

Is there something I need to do in the SC tag(s) to basically say “The member who is logged in can only view entries generated by themselves, even if they correctly guess the url_title of other applicants’ entries”?

Is that even an SC thing, or is it an EE thing?

Many thanks for any advice/help provided!

Posted: 06 December 2010 08:17 AM   [ # 1 ]
Wallflower
Total Posts: 8
Joined 2010-12-02

…also, I forgot to mention that I also have the following settings in place: the first and third settings are set to “No,” and you’d think that first one would solve my problem, but it doesn’t. (see attached file)

Posted: 06 December 2010 09:52 PM   [ # 2 ]
Teen Scream
Total Posts: 3541
Joined 2009-05-29

You can use the author_only="yes" parameter on your form. That’ll restrict it from being edited by others.

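As an added example (not code posted by anyone in this thread), here is the first post’s SafeCracker form with the author_only parameter from the reply applied, shown next to the unrestricted version. The channel, return path and field names are the ones from the first post; the closing tag and submit button are assumed, since the original snippet is truncated. The read-only {exp:channel:entries} block at the end is an assumption about how such a site might also display an application outside the form; SafeCracker’s author_only does not cover that tag, so it is restricted separately with author_id="CURRENT_USER".

```html
{!-- Weak: any logged-in member who guesses a url_title gets that entry loaded into the form --}
{exp:safecracker channel="employment_application" return="main/index" url_title="{segment_3}" preserve_checkboxes="yes"}
    <ul>
        <li>
            <label for="appFirstLastName">First &amp; Last Name</label><br />
            <input type="text" name="title" id="appFirstLastName" value="{title}" />
        </li>
    </ul>
    <input type="submit" value="Submit" />
{/exp:safecracker}

{!-- Hardened: author_only="yes" loads the entry only when the logged-in member is its author --}
{exp:safecracker channel="employment_application" return="main/index" url_title="{segment_3}" preserve_checkboxes="yes" author_only="yes"}
    <ul>
        <li>
            <label for="appFirstLastName">First &amp; Last Name</label><br />
            <input type="text" name="title" id="appFirstLastName" value="{title}" />
        </li>
        <li>
            <label for="appPhoneNumber">Your Phone Number</label><br />
            <input type="text" name="emp_app_phone_number" id="appPhoneNumber" value="{emp_app_phone_number}" />
        </li>
        <li>
            <label for="appEmailAddress">Your Email Address</label><br />
            <input type="text" name="emp_app_email_address" id="appEmailAddress" value="{emp_app_email_address}" />
        </li>
    </ul>
    <input type="submit" value="Submit" />
{/exp:safecracker}

{!-- Assumption: the application is also shown read-only on another template.
     author_only belongs to the SafeCracker tag and has no effect here, so the
     channel entries tag is limited to the current member's own entries itself. --}
{exp:channel:entries channel="employment_application" url_title="{segment_3}" author_id="CURRENT_USER" limit="1"}
    {if no_results}
        <p>No application found for your account.</p>
    {/if}
    <h2>{title}</h2>
    <p>Phone: {emp_app_phone_number}</p>
    <p>Email: {emp_app_email_address}</p>
{/exp:channel:entries}
```

The point to check after deploying this is the same one the first post describes: log in as one member, request a url_title belonging to another, and confirm that both the form and any read-only view come back empty rather than populated. Restricting edits alone leaves the data readable by anyone who can guess a name.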
Posted: 06 December 2010 09:58 PM   [ # 3 ]
Wallflower
Total Posts: 8
Joined 2010-12-02

Ah, perfect! I saw that parameter but didn’t consider it only because it’s labeled ‘edit entry’ rather than ‘edit or view entry.’ I wrongly assumed that using the parameter would still allow anybody to view somebody else’s entries.

Thanks Rob!
