Needing to have a form in every instance of a content type that can be submitted once per node - Drupal 7 - forms

So here's the situation and I cannot figure out how to accomplish it.
I have a content type called "Alert". Each instance of this content type needs to have a webform (really just a submit button with hidden fields), that users click to acknowledge they have read and understand the alert. Ideally once submitted, the form should be replaced with a message along the lines of "You have marked this alert as read."
I do have a webform created (displaying as a block to be able to place within the variant page set up for the Alert type) and can get it to appear on each instance, but users can submit multiple times on each alert (submissions are set to unlimited, as if I set it to 1 submission per user, the form does not render after the first submission on any alert). Additionally, once they click on one instance of the form, every additional instance will result in a message stating they have already submitted the form.
So I really have two issues. First, and most importantly, allow a single submission per node (without the "already submitted" notice). Second, not required but would be nice, once it has been submitted for a specific node, the form no longer renders on that node for that particular user. Anyone have any ideas on the best way to accomplish these two aspects?
I'm running on Drupal 7.56, using the AT_Panels_Everywhere theme, Webform module Version: 7.x-4.15.

In Drupal 7, with Webform 7.x-4.0, you can enable webforms within a content type. To do so:
Go to Structure > Content Types
[Respective content type] > Edit
In the bottom left section, find the Webforms Tab and choose Enable webforms for this content type.
Based on your use case, I'd recommend enabling that and installing the Node Clone module. Then you can make one alert node, set up the webform, limited to one submission per user, and allow content managers to clone content. That node can serve as a template.

Security warning from extension_builder: action is publicly accessible

I created an extension with the extension builder.
On saving I get this message:
The object was updated. Please be aware that this action is publicly accessible unless you implement an access check. See https://docs.typo3.org/typo3cms/extensions/extension_builder/User/Index.html
How can I fix this issue? Yes I read the page but there are no useful hints.
Since the question is how you can "fix the issue": There is no issue, it is a warning, you can remove it and make your request secure. (As in the other answer.)
The "hint" on the page is actually very straightforward. The "issue" is that a user is able to manipulate the URL and make the server execute an unwanted action.
Here is an example:
You have a list of users of your page and you can open their public profile for more information:
https://yourdomain.com/list/?tx_ext_plugin['action']=show&tx_ext_plugin['userId']=41.
So if I want to make some trouble, I change the action "show" to "delete" and maybe I am able to delete the poor user "41" from the db. That is bad.
https://yourdomain.com/list/?tx_ext_plugin['action']=delete&tx_ext_plugin['userId']=41.
So since it is your business logic, TYPO3 offers no out-of-the-box solution for this. That is why this warning from extension builder says that you need to take action to prevent misuse.
Regarding how to implement better security, here are some thoughts about access control and some ideas about what to implement in your actions:
1) FE
You can separate your actions into different plugins. So if you have a public list action, it can not be modified to the plugin that is responsible for the delete action. How is it possible? TYPO3 will look up the page record in your database and will render it, and if there is a plugin on the page with the signature "tx_ext_plugin" then it will get the sent parameters. In this case you have the possibility to add the different plugins to different pages, so changing the signature won't help an attacker, because:
If the delete action is not registered by the plugin, TYPO3 will throw an exception.
If you are trying to change the whole signature the page won't be able to identify the plugin.
You can add the edit / delete plugin to pages where a user has to be logged in. You can even manage multiple usergroups. For example, a normal user can only edit their own profile, but a premium user can make further changes. In Fluid you can use the view helper IfHasRole, which can show parts of your template for defined user groups. (There is an ifAuthenticated ViewHelper too.)
You can take the extension "femanager" as an example. There is a controller "EditController" that covers actions like "update" and "delete". For example, before making the update action there is a check whether the logged-in user has the same user id as the record which is going to be changed. If you have a complex example you can make a check on the user group also.
2) BE
It is actually almost the same as frontend.
BUT instead of plugins / user groups assigned in page settings, you can use different mountpoints, so BE users can not see folders where they are not allowed to edit / delete.
You have those two ViewHelpers for the BE too. Their names are: f:be:security.ifAuthenticated and f:be:security:ifHasRole. However ifAuthenticated is also for FE, in a BE context it does not make sense.
You have also the possibility to identify the id and userGroups of the BE user and you can make your own checks before you let an action run.
You have also the possibility to turn on / off a module for a certain BE group.
+1: It has nothing to do with any action, but just to list it too: there is also the possibility to allow / disallow fields for BE users when editing a record through the List mode in the BE.
Extension builder creates dummy actions to update and create records. Those example actions do not contain any security checks, whether the caller actually is allowed to do so.
So it is your job to add adequate access control to those methods. E.g. make sure the current user (be it Frontend or Backend) is actually allowed to update the model in question.
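The two checks the answers above describe (an action only runs if the plugin on that page registered it, and a state-changing action verifies that the logged-in user owns the record), as an added plain-PHP 8 example that is not code from the answers, from TYPO3 or from femanager. The class and method names and the sample users are hypothetical and constructed for illustration:

```php
<?php
declare(strict_types=1);
// Plain-PHP model of the two checks; class and method names are hypothetical, not TYPO3 API.
final class AccessDenied extends RuntimeException {}

final class ProfilePlugin
{
    public function __construct(private array $allowedActions, private array $users) {}

    /** @param array $args request arguments as they arrive in tx_ext_plugin[...] */
    public function dispatch(array $args, ?int $loggedInUid): string
    {
        $action = (string)($args['action'] ?? 'list');
        // Check 1: an action this plugin did not register never runs.
        if (!in_array($action, $this->allowedActions, true)) {
            throw new AccessDenied("action '$action' is not registered for this plugin");
        }
        $userId = (int)($args['userId'] ?? 0);
        return match ($action) {
            'show'   => $this->users[$userId] ?? 'not found',
            'delete' => $this->delete($userId, $loggedInUid),
            default  => implode(', ', $this->users),   // 'list'
        };
    }

    private function delete(int $userId, ?int $loggedInUid): string
    {
        // Check 2: the caller must be logged in and must own the record.
        if ($loggedInUid === null || $loggedInUid !== $userId) {
            throw new AccessDenied('only the profile owner may delete it');
        }
        unset($this->users[$userId]);
        return "deleted profile $userId";
    }
}

$users   = [41 => 'alice', 42 => 'bob'];                  // constructed sample data
$public  = new ProfilePlugin(['list', 'show'], $users);   // plugin on the public page
$members = new ProfilePlugin(['show', 'delete'], $users); // plugin on a login-only page
$requests = [
    [$public,  ['action' => 'delete', 'userId' => 41], null], // changed action, public page
    [$members, ['action' => 'delete', 'userId' => 41], 42],   // logged in, not the owner
    [$members, ['action' => 'delete', 'userId' => 41], 41],   // the owner
];
foreach ($requests as [$plugin, $args, $uid]) {
    try {
        echo $plugin->dispatch($args, $uid), PHP_EOL;
    } catch (AccessDenied $e) {
        echo 'denied: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the third request deletes the record; the first is stopped by the registered-action list and the second by the ownership check.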

TYPO3 Contact form plugin exists twice, also submitted twice

I have a submit form that is once displayed in a PopUp and once shown normal on the page. So I created it in a storage folder and used "insert record" for said plugin twice.
When I submit one of the shown forms, it will be executed twice. Anyone ever had this kind of problem?
The contact request form is selfmade.
You need to distinguish your two plugins from each other. I assume you have two times the same plugin on the same page. If you submit your form, both of the plugins respond to the request, because they both feel responsible for it.
If you could give one of the plugins a different name, it would just respond to its own form, and the other plugin would not respond to the other plugin's form.
Try to modify your plugin so you can configure it to only show the form. Then you use two different CEs: one to show only the form, the second to show the form and to handle the submit.
Other possibility: while you are handling the form, store the information about handling somewhere and avoid a second handling on the same call.

Can I read a value from one SharePoint web part into the form for a list in another web part?

I'm not sure if it's possible to do what I'm hoping, but maybe I'll get lucky. It has to do with setting form fields in a SharePoint 2010 list, using InfoPath forms.
Basically, I have one list with requests from several vendors. Each vendor has their own requests page which is a Web Part Page with one web part: a list of submissions with a custom view applied that filters it only to them. This is a (clunky but functional) way to ensure each vendor only sees their own requests. To submit a new request, they click on the "Add Item" link at the bottom of the list web part. At this point, a customized InfoPath form pops up, and they add their request.
In the form, one of the fields is "Vendor". What I would like to achieve is to have the InfoPath form read something on the page which tells it which vendor's page it was called from and pre-select that vendor (I could then disable the control so they couldn't change it). I am happy to alter the calling page as needed, or to configure the InfoPath form (can you custom-configure GET or POST values or anything to define a field that way?).
Any help would be very appreciated.

How to show confirm box before submit form in moodle on course edit page?

I am using Moodle 2.8.
I want to ask the user for confirmation before a course is edited.
Basically I have a category name, e.g. the 'Live' category.
So when a user moves a course into the 'Live' category, I want to show a confirm box, and if he clicks yes then the course will be updated, otherwise redirect to the course edit page.
This will require changes to the Moodle core code (not usually a great idea, for ongoing maintenance) and would probably be a bit fiddly to implement - you would need to store all the submitted details somewhere in the confirmation form, then re-send them along with the confirmation.
It might be easier to make a small core code change to prevent the user from ever moving the course directly into the 'live' category (adjust the 'validation' function in the form submission), then have a separate admin page (within a local plugin, or maybe a block), that listed all the non-live courses and gave the option of moving them into the 'live' category (with the appropriate warnings / confirm action).

Using ninja forms, how can I persist field values across pages?

I have a form on the home page of quotedjobs.com that I would like to persist the field values of across pages.
For example: A user enters some values in fields, such as job title (textbox), job type (list) and job description (text field). Underneath that I ask users to register on the site, but they have the option to click a link to allow them to login if they are already members.
What I would like to be able to do, is to redirect users to another form that is a copy, but allows them to login instead of register, but keep hold of the values that they entered in the title, type and description form of the previous page so they aren't losing their work.
I have seen the ninja_forms_processing variable in the docs, but I'm not clear on how to use that.
TL;DR - You can't.
As it was slim pickings here, I sent an email over to support. Got this response:
Hello,
At this time this use case is not possible in Ninja Forms. The plugin is currently unable to transfer data from field to field or between forms.
I’m sorry that we do not have a better solution for you at this time.
Thank you,