I am not able to get the editOwn and viewOwn ACL options to work for registered users in the sandbox. I have set the component options for Registered Users to Allowed for Edit Own, View Own and Delete Own.

When viewing from the front end, I can see ALL the items in the DB, not just the one user's. So the ViewOwn is not being enforced. I am using User: Nina as the owner of one item and User: Admin as the owner of another item. User Nina can see User: Admin's items.

I do NOT see any edit button. There is a check box, but no obvious way to edit the item.

I see the delete button, so that option appears to be working.

Another post sugested I remove and re-add the Created By and Published fields. I tried that with no change.

Am I missing somthing?

Are these items using the publishing wizard?

If they are published (true) then they will always return in public results.

Gez

Yes, I am using the publishing wizard. I can find a way to filter the results after I download the component.

The real problem is that the user (Nina) can't edit items for which they are the creator.

Works perfect for me!

So, I've created a frontend form for the user to enter their name - that's all.

Wizards

1. Author wizard with Created/Edited By and Date fields. Permissions set to allow Registered Create, Edit Own, View Own & Delete own.
2. Publishing wizard Default set to 0, prefill form (public users cannot override this anyway as they don't have edit state privilege.

The one issue is that, a user can target other users' records by pumping in the cid parameter in the url of the fly view (confirmation) layout I have created also. I guess here, we need to check in the view that the user is the owner too but aside from that, it's working as expected.

As registered user, I can only see my own records in the grid.

Hope it helps!

Gez

Fixed.

There was some ACLs problems still there.

@audibleid : thank you for your eagle eye.
You have noticed a lot of exploits