Protecting ExpressionEngine entries from accidental deletion
Posted on in expressionengine
Some entries are really important
If you make EE sites the way I do, you probably have a few entries kicking about that just have to be there. Perhaps a welcome panel on the home page, the contact details for the footer or some essential call to action panel. You probably want your client to be able to edit these too, after all, that’s what a CMS is for.
Now, if your clients are anything like some of mine, they tend not to use these kinds of systems day-in, day-out. The website is often an extra responsibility and quite frequently they forget how it all works and press the wrong button.
It may seem unlikely that someone would go through a double-submit confirm procedure to delete the home page of the site but somehow it does happen. So how to stop it? EE comes with a number of settings that we can use. Two obvious ones are:
- Can delete their own channel entries
- Can delete channel entries authored by others
We could make use of these to keep really important entries safe, but it often leaves other content too restricted. I’ve now settled on a way of tackling this that seems to keep things as safe as they can be.
Use entry_id in your templates
I’ve stopped using url_title when I need to hard-code an entry into a template. entry_id is much safer as the client can’t accidentally change it “to see what happens”. In fact for something like a home page I’ll often grab several at once and then use if statements to handle the layout.
{exp:channel:entries
    channel="static"
    entry_id="2|3|4|5"
    dynamic="off"
    orderby="entry_id"
    sort="asc"
    disable="categories|category_fields|member_data|pagination|trackbacks"}
{/exp:channel:entries}
Use the revisions system
Always turn on versioning in your channels, even if you don’t plan to use it. The overhead is not huge and it covers you against over-enthusiastic clicking of the submit button (at least for a few clicks).
Give your client a manual
And make it clear and simple. Explain how status, entry date and expiration date can affect the display of an entry.
Use an extension to protect key entries
The above takes care of a few common problems:
- Clients editing url_title for hard-coded entries
- Clients closing an entry via status or entry / expiration date
Well, it may not totally fix them, but it at least does what we can. That just leaves deletion. This can be prevented by what must be the simplest extension ever. First off, add a line to your config file as follows:
$config['protected_entries'] = array(1,2,3,4,5);
where the numbers in the array are entry_ids you want to protect.
Now create and install a very small extension. I’m just going to include the whole code here as it more or less explains itself.
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class Dmlogic_ext {

    public $settings       = array();
    public $name           = 'DM Logic';
    public $version        = '1.0';
    public $description    = 'DM Logic extensions';
    public $settings_exist = 'n';
    public $docs_url       = 'http://dmlogic.com';

    // -----------------------------------------------------------------

    // entry_ids that must never be deleted, read from the config file
    private $protected_entries;

    // -----------------------------------------------------------------

    public function __construct($settings='') {
        $this->EE =& get_instance();

        // config->item() returns FALSE when the line is missing from the
        // config file, so fall back to an empty list in that case
        $protected = $this->EE->config->item('protected_entries');
        $this->protected_entries = is_array($protected) ? $protected : array();
    }

    // -----------------------------------------------------------------

    /**
     * delete_entries_start
     *
     * Halts the entry delete routine if a match found against protected entries
     */
    public function delete_entries_start() {

        $to_delete = $this->EE->input->post('delete');

        if(empty($to_delete)) {
            return;
        }

        // Cast so that a single posted value is still checked against the list
        $result = array_intersect((array) $to_delete, $this->protected_entries);

        if(!empty($result)) {
            $this->EE->output->show_user_error('submission','You are attempting to delete protected entries');
        }
    }

    // -----------------------------------------------------------------

    /**
     * Enable the extension
     */
    public function activate_extension() {

        // Register this class against the delete_entries_start hook
        $this->EE->db->insert('extensions', array(
            'class'    => __CLASS__,
            'method'   => 'delete_entries_start',
            'hook'     => 'delete_entries_start',
            'settings' => '',
            'priority' => 1,
            'version'  => $this->version,
            'enabled'  => 'y'
        ));
    }

    // -----------------------------------------------------------------

    /**
     * Disable the extension
     */
    public function disable_extension() {
        $this->EE->db->where('class', __CLASS__);
        $this->EE->db->delete('extensions');
    }

    // -----------------------------------------------------------------

    /**
     * Update extension
     */
    public function update_extension($current='') {

        // Nothing to do if the installed version is already current
        if ($current == '' OR $current == $this->version) {
            return FALSE;
        }

        $data = array();
        $data['version'] = $this->version;

        $this->EE->db->where('class', __CLASS__);
        $this->EE->db->update('extensions', $data);
    }
}
All this extension does is make sure there is no match between your protected entries as defined in your config file and the current delete request. If there is, a standard EE error message is shown.
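The matching step can be tried outside ExpressionEngine with the PHP command line. The script below is an added example, not part of the original extension: `find_protected()` is a hypothetical helper name and every input is constructed. It shows that string ids from a form still match the integer ids in the config array, and that a missing config line protects nothing rather than raising an error.

```php
<?php
// Added example: stand-alone version of the protected-entry check.
// find_protected() is a hypothetical helper; all inputs are constructed.

/**
 * Return the requested entry_ids that appear in the protected list.
 *
 * @param mixed $requested What $_POST['delete'] might contain
 * @param mixed $protected What config->item('protected_entries') might return
 */
function find_protected($requested, $protected)
{
    // A missing config item comes back as FALSE: treat as "nothing protected"
    if ( ! is_array($protected)) {
        $protected = array();
    }

    // Keep integers and digit-only strings, compared as integers from here on
    $normalise = function ($ids) {
        $clean = array();
        foreach ((array) $ids as $id) {
            if (is_int($id) || (is_string($id) && ctype_digit($id))) {
                $clean[] = (int) $id;
            }
        }
        return $clean;
    };

    return array_values(array_intersect($normalise($requested), $normalise($protected)));
}

// Constructed cases: array(posted value, config value, expected matches)
$config = array(1, 2, 3, 4, 5);
$cases  = array(
    array(array('7', '3', '12'), $config, array(3)), // one protected id: block
    array(array('7', '12'),      $config, array()),  // nothing protected: allow
    array('4',                   $config, array(4)), // single scalar value
    array(array('3'),            FALSE,   array()),  // config line missing
    array(array('abc', ''),      $config, array()),  // junk input never matches
);

foreach ($cases as $case) {
    list($requested, $protected, $expected) = $case;
    $got = find_protected($requested, $protected);
    echo ($got === $expected ? 'ok   ' : 'FAIL ')
        . json_encode($requested) . ' => ' . json_encode($got) . "\n";
}
```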
So there we go, it’s not a magic bullet but it does mean if something vital disappears from the website it’s recoverable very quickly via the EE control panel.