How to show confirm box before submit form in moodle on course edit page? - forms

I am using Moodle 2.8.
I want to ask the user for confirmation before a course is edited.
Basically I have a category named, e.g., 'Live'.
So when a user moves a course into the 'Live' category, I want to show a confirm box; if he clicks yes, the course will be updated, otherwise he is redirected to the course edit page.

This will require changes to the Moodle core code (not usually a great idea, for ongoing maintenance) and would probably be a bit fiddly to implement - you would need to store all the submitted details somewhere in the confirmation form, then re-send them along with the confirmation.
It might be easier to make a small core code change to prevent the user from ever moving the course directly into the 'live' category (adjust the 'validation' function in the form submission), then have a separate admin page (within a local plugin, or maybe a block), that listed all the non-live courses and gave the option of moving them into the 'live' category (with the appropriate warnings / confirm action).

Related

Security warning from extension_builder: action is publicly accessible

I created an extension with the extension builder.
On saving I get this message:
The object was updated. Please be aware that this action is publicly accessible unless you implement an access check. See https://docs.typo3.org/typo3cms/extensions/extension_builder/User/Index.html
How can I fix this issue? Yes I read the page but there are no useful hints.
Since the question is how you can "fix the issue": There is no issue, it is a warning, you can remove it and make your request secure. (As in the other answer.)
The "hint" on the page is actually very straightforward. The "issue" is that a user is able to manipulate the URL and make the server execute an unwanted action.
Here is an example:
You have a list of users of your page and you can open their public profile for more information:
https://yourdomain.com/list/?tx_ext_plugin['action']=show&tx_ext_plugin['userId']=41.
So if I want to make some trouble, I change the action "show" to "delete" and I may be able to delete the poor user "41" from the db. That is bad.
https://yourdomain.com/list/?tx_ext_plugin['action']=delete&tx_ext_plugin['userId']=41.
So since it is your business logic, TYPO3 offers no out-of-the-box solution for this. That is why this warning from extension builder says that you need to take action to prevent misuse.
Regarding how to implement better security, here are some thoughts about access control and some ideas about what to implement in your actions:
1) FE
You can separate your actions into different plugins. So if you have a public list action it can not be modified to the plugin that is responsible for the delete action. How is it possible? TYPO3 will look up the page record in your database and will render it, and if there is a plugin on the page with the signature "tx_ext_plugin" then it will get the sent parameters. In this case you have the possibility to add the different plugins to different pages so changing the signature of it for an attacker won't help, because:
If the delete action is not registered by the plugin, TYPO3 will throw an exception.
If you are trying to change the whole signature the page won't be able to identify the plugin.
You can add the edit / delete plugin to pages where a user has to be logged in. You can even manage multiple usergroups. Like a normal user can only edit their profile, but a premium user can make further changes. You can use in Fluid a view helper IfHasRole that can show parts of your template for defined user groups. (There is an ifAuthenticated ViewHelper too.)
You can take the extension "femanager" as an example. There is a controller "EditController" that covers actions like "update" and "delete". For example, before making the update action there is a check if the logged in user has the same user id as the record which is going to be changed. If you have a complex example you can make a check on the user group also.
2) BE
It is actually almost the same as frontend.
BUT instead of plugins / user groups assigned in page settings, you can use different mountpoints, so BE users can not see folders where they are not allowed to edit / delete.
You have those two ViewHelpers for the BE too. Their names are: f:be:security.ifAuthenticated and f:be:security:ifHasRole. However ifAuthenticated is also for FE, in a BE context it does not make sense.
You have also the possibility to identify the id and userGroups of the BE user and you can make your own checks before you let an action run.
You have also the possibility to turn on / off a module for a certain BE group.
+1: It has nothing to do with any action, but just to list it too: there is also the possibility to allow / disallow fields for BE users when editing a record through the List mode in the BE.
Extension builder creates dummy actions to update and create records. Those example actions do not contain any security checks, whether the caller actually is allowed to do so.
So it is your job to add adequate access control to those methods. E.g. make sure the current user (be it Frontend or Backend) is actually allowed to update the model in question.
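The check both answers describe (an action runs only if it is known, the caller is logged in where required, and the caller owns the record or belongs to a privileged group), as an added example that is not part of the original thread and not TYPO3 or extension_builder code. It is plain PHP with no TYPO3 API; the policy table, the function name and the group id are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed policy: which actions need a login and which need ownership.
const ACTION_POLICY = [
    'list'   => ['login' => false, 'owner' => false],
    'show'   => ['login' => false, 'owner' => false],
    'update' => ['login' => true,  'owner' => true],
    'delete' => ['login' => true,  'owner' => true],
];

/**
 * Decide whether $caller may run $action on the record with uid $targetUid.
 * $caller is null for an anonymous request, else ['uid' => int, 'groups' => int[]];
 * it must come from the server-side login session, never from request parameters.
 * $adminGroup is a hypothetical user group allowed to modify any record.
 */
function isActionAllowed(?array $caller, string $action, int $targetUid, int $adminGroup = 2): bool
{
    // Deny by default: an action missing from the policy is never executed.
    $rule = ACTION_POLICY[$action] ?? null;
    if ($rule === null) {
        return false;
    }
    if (!$rule['login']) {
        return true; // public action, no identity needed
    }
    if ($caller === null) {
        return false; // protected action requested without a login
    }
    // Ownership check: the logged-in uid must match the record being changed,
    // unless the caller is in the privileged group.
    return !$rule['owner']
        || $caller['uid'] === $targetUid
        || in_array($adminGroup, $caller['groups'], true);
}

// Constructed requests, including the manipulated URL from the answer (delete, userId=41).
$cases = [
    ['anonymous show 41',   null, 'show', 41],
    ['anonymous delete 41', null, 'delete', 41],
    ['user 7 delete 41',    ['uid' => 7,  'groups' => [1]], 'delete', 41],
    ['user 41 update 41',   ['uid' => 41, 'groups' => [1]], 'update', 41],
    ['admin 3 delete 41',   ['uid' => 3,  'groups' => [1, 2]], 'delete', 41],
    ['user 41 purge 41',    ['uid' => 41, 'groups' => [1]], 'purge', 41],
];
foreach ($cases as [$label, $caller, $action, $uid]) {
    printf("%-20s %s\n", $label, isActionAllowed($caller, $action, $uid) ? 'allow' : 'deny');
}
```

In a generated controller the same decision belongs at the top of each modifying action, before the repository is touched.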

Needing to have a form in every instance of a content type that can be submitted once per node - Drupal 7

So here's the situation and I cannot figure out how to accomplish it.
I have a content type called "Alert". Each instance of this content type needs to have a webform (really just a submit button with hidden fields), that users click to acknowledge they have read and understand the alert. Ideally once submitted, the form should be replaced with a message along the lines of "You have marked this alert as read."
I do have a webform created (displaying as a block to be able to place within the variant page set up for the Alert type) and can get it to appear on each instance, but users can submit multiple times on each alert (submissions are set to unlimited, as if I set it to 1 submission per user, the form does not render after the first submission on any alert). Additionally, once they click on one instance of the form, every additional instance will result in a message stating they have already submitted the form.
So I really have two issues. First, and most importantly, allow a single submission per node (without the "already submitted" notice). Second, not required but would be nice, once it has been submitted for a specific node, the form no longer renders on that node for that particular user. Anyone have any ideas on the best way to accomplish these two aspects?
I'm running on Drupal 7.56, using the AT_Panels_Everywhere theme, Webform module Version: 7.x-4.15.
In drupal 7, with webform 7.x-4.0, you can enable webforms within a content type. To do so:
Go to Structure > Content Types
[Respective content type] > Edit
In the bottom left section, find the Webforms Tab and choose Enable webforms for this content type.
Based on your use case, I'd recommend enabling that and installing the node clone module. Then you can make one alert node, setup the webform, limited to one submission per user and allow content managers to clone content. That node can serve as a template.

Split Sonata User Bundle registration form into stages

I'm currently working on a user registration form for a site I'm working on. The site requires a lot of information about users up front, and I'd like to break it down into stages.
The first stage requires the user to put in an identifier in the form of an order number. I would then check the order number exists in the system before making them continue to fill in the rest of the fields. I'm not sure how to go about doing this.
What I've managed so far though is to override the underlying User, RegistrationController and RegistrationFormType and render out a customised view with the relevant form fields.
An overview of the process I'd like would be:
FORM: ask for order number
process form and check order number exists (if not go back to 1)
FORM: ask for user information
process user information and store
complete
The simplest way of doing it will be to override the registration template and hide all fields except those you wanna show at first.
And then add some JS validation rules to show parts of the form based on values prefilled by the user. In that case you do not need to rework the Sonata registration form, but for user experience it will be the same.

X-Cart checkout is empty

I have a problem with my X-Cart website. When I click on the "Buy Now" button on one product, and after that I click on "My Cart", which is the checkout section, it returns that my cart is empty although I already clicked to buy the product.
Here is my website: http://www.farlin-cambodia.com/home.php?cat=591
How can I fix it?
The store you're referring to is of version 4.1.6; that's an old version where there was no adding to cart without redirect (with ajax). The behaviour in question is still there, thus the feature is added as a custom mode.
If JS is enabled in the browser, and if the store considers that it's enabled, the JS script is supposed to send some data to the script minicart_content.php, and the PHP script is to process the received data further. However it doesn't happen, and there are no JS errors, which makes me believe that the problem is in the code of minicart_content.php, with this file very likely being modified too.
If JS is disabled in the browser (and if you click the corresponding button in the store in the pink side menu block - "If Javascript is disabled in your browser click here"), this custom scenario is not applied, so the store uses the default functionality which allows adding the products to cart without problems.
Thus, the possible solution is:
roll back the custom changes you implemented, and use default functionality (adding products to cart with a redirect to cart page)
or
check the minicart_content.php script and find out, why it doesn't want to properly process the data sent by JS script
If you're not sure how to achieve this, consider contacting the X-Cart support team for further investigation. Not sure if I can give a link to X-Cart support here, but I'm sure you'll easily find it, if you only try to search =)

Wizard based feature install in sharepoint 2007?

I have a feature that gets installed using a WSP package, when the feature is activated, I would like the following to happen:
The feature will contain a list definition.
When the feature gets activated by an end user (the user physically clicks the feature activation button in site features admin) - I would like a modal dialog to appear then ask the user to provide some additional details.
3.1 The additional details will be supplying a certain number of names. For example Mary, John, Peter. Form logistics I can handle.
Once the form is complete that information needs to somehow get back to the feature receiver, so that I can then take the base list definition, and use it as a template to create list instances for all the names supplied - so if user had supplied Mary and Peter, then 2 list instances will be created when this feature is activated.
Is any of this possible with MOSS 2007? Thank you
There's no way to "hijack" the feature activation process in sharepoint. The (crude) solution would be to create a feature that deploys an application page (aka layouts page) and the list template/definition. On the page there should be a bunch of textboxes and a submit button.
The feature should have a receiver attached to it that after activation redirects the user to your page using HttpContext.Current. After entering all relevant data in the page ( Mary, John, Peter, etc.) just create the lists based on the list template deployed earlier from code using something like:
SPListTemplate listTemplate = web.ListTemplates["YOURLISTTEMPLATENAME"];
web.Lists.Add(listName, description, listTemplate);
There is 1 caveat though, IMHO a dealbreaker even: this won't work when the feature is activated using stsadm, seeing as there is no HttpContext!!!