    I’ve got a Revo version of NewsPublisher that more-or-less works. Now I’m wrestling with security for it.

    At present, it can reject users based on properties for group membership(s) and/or permission(s) (including custom permissions). Obviously a user could restrict access to the NewsPublisher page itself with ACLs.

    NP can create a page or update an existing page. I created an edit button (a la QuickEdit) that launches NP for the current page. The edit button can be restricted (removed, actually) based on groups or permissions as above. The ID of the page to be edited is in the $_POST array when the button is clicked, as is a variable indicating that it’s an existing page. That means that an outside user who knows how can edit any page on the site unless the NP snippet’s security stops them.

    I can require that the user be logged in, but some people might want to allow anonymous posts on a blog. For editing existing pages, I could require createdby == userId, but that might prevent multiple editor scenarios that some people would want.

    I’m assuming that there’s no bulletproof way of making sure a page request came via MODx itself.

    I’m also wondering if I should always check for the appropriate built-in permissions since they aren’t checked by $resource->save(). I hate to do it because the snippet won’t work for anyone out of the box. We could use some snippet security guidelines for front-end snippets that modify MODx objects with some advice on sanitizing user input as well.

    Any other ideas or suggestions?
      Did I help you? Buy me a beer
      Get my Book: MODX:The Official Guide
      MODX info for everyone: http://bobsguides.com/modx.html
      My MODX Extras
      Bob's Guides is now hosted at A2 MODX Hosting
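The checks discussed above (integer page id from $_POST, login requirement with opt-in anonymous posting, group restriction, built-in permissions that $resource->save() does not enforce, per-resource ACL policy, optional createdby ownership) pulled together into one gate, as an added example that is not NewsPublisher's own code. The snippet property names (allowAnonymous, editGroups, ownerOnly) and POST field names (np_doc_id, np_existing) are assumptions; the MODX Revolution API calls are standard.

```php
<?php
/**
 * Authorization gate for a front-end snippet that creates or edits a modResource.
 * Returns null when the request may proceed, otherwise a short refusal reason
 * the snippet can log and act on. Example code, not part of NewsPublisher.
 */
function npCheckEditAccess(modX $modx, array $props, array $post) {
    $ctx = $modx->context->get('key');

    // Never trust the POST array: coerce the id and look the resource up ourselves.
    $isExisting = !empty($post['np_existing']);                 // assumed field name
    $docId      = isset($post['np_doc_id']) ? (int) $post['np_doc_id'] : 0;

    $resource = null;
    if ($isExisting) {
        if ($docId <= 0) {
            return 'invalid resource id';
        }
        $resource = $modx->getObject('modResource', $docId);
        if (!$resource) {
            return 'no such resource';
        }
    }

    // Anonymous posting is opt-in for new pages only; editing always needs a login.
    $allowAnonymous = (bool) $modx->getOption('allowAnonymous', $props, false);
    if (!$modx->user->isAuthenticated($ctx) && ($isExisting || !$allowAnonymous)) {
        return 'login required';
    }

    // Optional group restriction: comma-separated user group names in a property.
    $groups = array_filter(array_map('trim', explode(',', $modx->getOption('editGroups', $props, ''))));
    if (!empty($groups) && !$modx->user->isMember($groups)) {
        return 'not in an allowed user group';
    }

    // Built-in permissions: save() does not check these, so the snippet must.
    if (!$modx->hasPermission($isExisting ? 'save_document' : 'new_document')) {
        return 'missing built-in permission';
    }

    // Resource-level ACL policy, the same check the manager applies before saving.
    if ($resource && !$resource->checkPolicy('save')) {
        return 'resource access policy denies save';
    }

    // Optional single-author rule: only the creator may edit the page.
    if ($resource && $modx->getOption('ownerOnly', $props, false)
        && (int) $resource->get('createdby') !== (int) $modx->user->get('id')) {
        return 'not the page owner';
    }
    return null;
}
```

Call it at the top of the snippet and abort before any $resource->save() when it returns a non-null reason, so a hand-crafted POST carrying another page's id is refused rather than silently processed.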
      Bump...