I'm using dragula js for ordering elements based on user personalization. Once the personalized order is in place I want to create a shareable link with the order so that when the page is loaded with this link, the elements are displayed in the set order. Is that possible with dragula or should I create something custom. Any insights into this would be helpful. Thanks in advance!
This is possible. My approach would be to use a url that defines the order.
When an item is dropped, update your order.
Use a url that has the order (in some form) in the url.
For 1, dragula has a 'drop' event, and on that event you can re-calculate your order. And for the url that has order in it, for example I would show you coolors.co. It does even have some drag and drop, but I did not check if it was dragula specifically.
Basically, you reorder, and get a new url that reflects that, and the url contains your order so when you share it, it maintains your preferred order.
Related
So, I am trying to set the target ID for an elementor template using a short code ... e.g. can I use a shortcode like: [elementor-template id="15639" postid="9999"]?
Here my intention is to reuse an elementor template which pulls the data from post #9999 into the template. The next one might be #10078, etc. Is this possible? I can't seem to find the answer or I am searching for the wrong terms. Thx much! --Dano
P.S. The elementor template I created uses a Modal Widget, so the user can click a thumbnail (from post #9999) and then get an enlarged image (diagram) + all the data regarding the diagram (using ACF). To be clear, I am using a single post template type, NOT an archive. I don't want to create many elementor templates. I want one template that reuses the post data from a preset ID. Of course, the current page or post (that the user is on) is not the target ID I need, thus my question ... Maybe I need a custom query that will allow me to set a target ID in the shortcode?
Thx in advance!
I created an extension with the extension builder.
On saving I get this message:
The object was updated. Please be aware that this action is publicly accessible unless you implement an access check. See https://docs.typo3.org/typo3cms/extensions/extension_builder/User/Index.html
How can I fix this issue? Yes I read the page but there are no useful hints.
Since the question is how you can "fix the issue": There is no issue, it is a warning, you can remove it and make your request secure. (As in the other answer.)
The "hint" on the page is actually very straightforward. The "issue", that a user is able to manipulate the url and make the server to execute a not wanted action.
Here is an example:
You have a list of users of your page and you can open thier public porfile for more information:
https://yourdomain.com/list/?tx_ext_plugin['action']=show&tx_ext_plugin['userId']=41.
So if I want to make some trouble, I change the action "show" to "delete" and may I am able to delete the poor user "41" from the db. That is bad.
https://yourdomain.com/list/?tx_ext_plugin['action']=delete&tx_ext_plugin['userId']=41.
So since it is you business logic typo3 offers no out of the box solution for this. That is why this warning from extension builder says, that you need to make actions to prevent misuse.
Regarding how to implemnt a better security here are some thoughts about the Access Control and some ideas what to implement in your actions:
1) FE
You can separate your actions into different plugins. So if you have a public list action it can not be modified to the plugin that responsible for the delete action. How is it possible? TYPO3 will look the page record in your database. And will render it, and if there is a plugin on the page with the signature "tx_ext_plugin" then it will get the sent parameters. In this case you have the possibility to add the different plugins to different pages so changing the signature of it for an attacker won't help, because:
If the delete action is not registered by the plugin, TYPO3 will
throw an exception.
If you are trying to change the whole signature the page won't be able to identify the plugin.
You can add the edit / delete plugin to pages where a user has to be logged in. You can even manage multiple usergroups. Like normal user can only edit its profile, but a premium user can make further changes. You can use in fluid a view helper IfHasRole that can show parts of your template for defined user groups. (There is an ifAuthenticated ViewHelper too)
You can take the extension "femanager" as an example. There is a controller "EditController", that covers actions like "update" and "delete". For example before making the update action there is a check if the logged in user has the same user id as the record which going to be changed. If you have a complex example you can make a check on the user group also.
2) BE
It is actually almost the same as frontend.
BUT instead of plugins / user groups assigned in page settings. You can use different mountpoints, so BE users can not see folders where they are not allow to edit / delete.
You have those two ViewHelper for the BE too. There names are: f:be:security.ifAuthenticated and f:be:security:ifHasRole. However ifAuthenticated is also for FE, in a BE context it does not make sense.
You have also the possibility to identify the id and userGroups of the BE user and you can make your own checks before you let an action run.
You have also the possibility to turn on / off a module for a certain BE group.
+1: It is nothing to do with any action but just to list it too. There is also the possibility to allow / disallow field for BE Users by editing a record through the List mode in the BE.
Extension builder creates dummy actions to update and create records. Those example actions do not contain any security checks, whether the caller actually is allowed to do so.
So it is your job to add adequate access control to those methods. E.g. make sure the current user (be it Frontend or Backend) is actually allowed to update the model in question.
What's the best practice to be able to store fluid form variables as a bookmark (for simple search filter storing)?
We have a simple extbase&fluid plugin that shows searchfilters and searchresults. The filters are a collection of input and select fields, all created with . Fluid puts in a lot of extra parameters with _referred information and chash's into the request.
Now we want a visitor to be able to bookmark a search result easily. If we use a HTTP GET request, the URL sadly exceeds the URL variable limit because of all the extra parameters; and without them, the fluid plugin won't take on the arguments (unless we disable caching of the whole page?).
The best way (imo) is to generate a clean url that can be stored. In Fluid you can add a link with only the parameters you need and add an onclick event with JS to add this link as a bookmark.
<f:link.action action="yourAction" controller="yourController" arguments="{filterArguments}">Add Bookmark</f:link.action>
How to add the bookmark function with js(jQuery):
How do I add an "Add to Favorites" button or link on my website?
It is also a good practice to configure realurl to produce nice urls for your extension
Below is an image of the sections I'm talking about:
What I'm doing is very similar to eBay:
1) a form at the top for "search terms" and then a category.
2) filters on the left that a user can click to refine the search even further.
3) sorting those results.
I played with eBay a bit and it looks to me like they are posting back every time a filter (box on the left) is clicked, or when they sort the results. Do they then store a copy of all the "settings" used to display the page in the form and use that to post back on a submit click?
How can I emulate this functionality? I don't like the idea of wrapping an entire page in a form element... it seems dirty. Should I use jQuery to collect all of the user input and then somehow pass it along?
I'm not sure how eBay does it, but if it were me, I'd have some javascript object that keeps track of all the search options on the page. Each of the elements you've highlighted would fire an event that would cause my javascript object to update this information, send it via AJAX to a controller action, and update the results area with the changes.
That's a somewhat simplified version of events, but hopefully it can put you on the right track.
I've decided that the best solution is to use jQuery Ajax. Otherwise, I'd have to make sure that every peice of user input is a form element and wrap the entire page in a form tag.
This is my first time posting - I greatly appreciate any and all guidance on this subject.
Background: I am building a Real Estate web site. I would like to use the free IDX data provided by my local MLS board. The MLS board does not allow me the option of displaying a predefined search and only provides me with a link to the search field. after filling out the search field, I am able to view the results.
Goal: I would like to bypass this step and frame the results page into a GoDaddy website I am building, which supports HTML.
Here is a link to the search page:
http://fgcmls.rapmls.com/scripts/mgrqispi.dll?APPNAME=Fortmyers&PRGNAME=MLSLogin&ARGUMENT=vBSJvLQtMcbg7F0O0KnXDiggv%2F12B0S6Ss9wv4510QA%3D&KeyRid=1
I am trying to only show the listings that appear in my neighborhood. Options include:
1. Property Type - Residential
2. GEO Area - FM11
3. Developments: Fiddlesticks Country Club
Once this criteria is entered, I have the page needed to make this project work.
Thank all of you for taking the time to read this and for the time you spend helping me out.
Best regards,
Chris
Without looking at the page itself, it's probably doing a "POST" operation to give the form to the website. You should be able to use javascript (maybe jquery or some other ajax framework) to do this for you in the frame and have it display the results.
-Adam
So long as this is a POST form and they aren't doing a lot of strict referrer checking, the following should work:
Replicate the form on your own site.
Make a few minor changes to automate a few of the fields to better serve your geographic area/company.
Ensure everything is a full path and not relative to the server handling the query.
You will probably end up changing a lot of the text/select fields to hidden fields with pre-set values to keep it simple for end-users. The server handling the request won't know the kind of field it came from, just the value and name.
I took a look at the page HTML, the form posts is defined thusly:
<FORM action="/scripts/mgrqispi.dll" method="POST" name="InputForm" />
you may be able to create your own form defined like this:
<FORM action="http://fgcmls.rapmls.com/scripts/mgrqispi.dll" method="POST" name="InputForm">
</FORM>
You will have to go through the HTML on the page you provided to get the appropriate ID's and Name's of the form elements you are interested in. Its possible their processing page checks to ensure its their form that is submitting to it, in which case this wouldn't work.
good luck.