Since version 3, plone.protect provides automatic CSRF protection.
Plone 4.3 includes, by default, plone.protect 2.0.
Can I just upgrade to start using this feature in Plone 4.3?
I have only a little experience with it and played around with plone.protect 3.x and Plone 4.3.2, but nothing serious.
I had also a lot of addons installed, so I cannot say if there were problems with Plone itself, or an addon.
Here are my notes:
Yes, you can enable it, but your installation will stop working.
So... No you cannot :-)
First, plone.protect.auto 3.0 handles every POST/GET request by default.
For example, session handling is a write request, so you have to fix this manually wherever it's in use!
Second, writing data in annotations (IAnnotation) is also protected by default, so you have to find every place where annotations are used (for example portlet storage) and fix it.
If your testing environment is in good shape :-) you will get it to work, but out of the box Plone 4.3 is not ready to use it.
Conclusion:
The main problem is GET requests which end up with a database change.
I know this is wrong, but Plone 4.3 and/or mainly the addons have this behavior.
You will end up extending the plone.protect.auto feature with a whitelist.
I wrote all the auto-csrf stuff. I would recommend against using it in Plone 4 unless you want to invest a lot of time into it.
Easiest way to fix using it on Plone 5 would be to add in some javascript that automatically protects almost everything for you when logged in. That won't deal with ZMI and then it depends on javascript to work.
JavaScript would do a couple things:
add the authenticator token to all forms that post back to the site
add the authenticator token to all admin urls that potentially do writes to the database. For instance, the "Edit" button does a write to the database because in Plone 4, AT Content Types makes a temporary object in the database. Also, it writes with locking support.
add authenticator token to all ajax requests. Use something like https://api.jquery.com/ajaxSend/ to add the token.
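The three points above can be modelled as a few pure functions, which is how you would want to test such a site-wide script before shipping it. The block below is an added example and not code from the answer or from plone.protect: forms, links and ajax requests are plain objects standing in for DOM nodes, the field name `_authenticator` and header `X-CSRF-TOKEN` are assumptions based on plone.protect conventions, and the list of "write" URL suffixes is constructed for illustration. The one check that matters most for safety is that the token is only ever attached to same-origin targets.

```javascript
// Added example (not from the original answer): pure-function model of the
// site-wide script described above, runnable outside a browser.
// Assumptions: plone.protect's token field "_authenticator" and header
// "X-CSRF-TOKEN"; the write-URL suffix list is constructed for illustration.

const TOKEN_FIELD = '_authenticator';
const TOKEN_HEADER = 'X-CSRF-TOKEN';
// Path suffixes treated as admin URLs that write (constructed list; adjust per site).
const WRITE_PATH_SUFFIXES = ['/edit', '/@@edit', '/delete_confirmation'];

// Only same-origin targets may receive the token. Handing it to a third-party
// host would leak the secret to exactly the party CSRF protection defends against.
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === pageOrigin;
  } catch (e) {
    return false; // unparsable href: leave it untouched
  }
}

// Does this URL look like one of the known write actions on this site?
function isWriteUrl(url, pageOrigin, suffixes = WRITE_PATH_SUFFIXES) {
  if (!isSameOrigin(url, pageOrigin)) return false;
  const path = new URL(url, pageOrigin).pathname;
  return suffixes.some((s) => path.endsWith(s));
}

// Point 2: add the token to a write link's query string, keeping existing
// parameters and the fragment. Other links are returned unchanged.
function protectLink(href, token, pageOrigin) {
  if (!isWriteUrl(href, pageOrigin)) return href;
  const u = new URL(href, pageOrigin);
  if (!u.searchParams.has(TOKEN_FIELD)) u.searchParams.set(TOKEN_FIELD, token);
  return u.toString();
}

// Point 1: add a hidden token field to forms that POST back to the site.
// form = { action, method, fields: { name: value } }
function protectForm(form, token, pageOrigin) {
  const method = (form.method || 'get').toLowerCase();
  if (method !== 'post' || !isSameOrigin(form.action || pageOrigin, pageOrigin)) {
    return form;
  }
  return { ...form, fields: { ...form.fields, [TOKEN_FIELD]: token } };
}

// Point 3: the equivalent of a jQuery ajaxSend hook, adding the token as a
// request header for same-origin requests only.
// request = { url, method, headers: {} }
function protectAjax(request, token, pageOrigin) {
  if (!isSameOrigin(request.url, pageOrigin)) return request;
  return { ...request, headers: { ...(request.headers || {}), [TOKEN_HEADER]: token } };
}

// Walk a page model (stand-in for document.forms / document.links) and return
// the protected copy plus counts that a real script could log for debugging.
function protectPage(page, token, pageOrigin) {
  const forms = page.forms.map((f) => protectForm(f, token, pageOrigin));
  const links = page.links.map((h) => protectLink(h, token, pageOrigin));
  return {
    forms,
    links,
    formsProtected: forms.filter((f) => TOKEN_FIELD in f.fields).length,
    linksProtected: links.filter((h) => h.includes(TOKEN_FIELD + '=')).length,
  };
}

// Constructed sample page. In a browser the token would be read from the hidden
// field plone.protect renders for the logged-in user.
const SAMPLE_ORIGIN = 'https://site.example';
const SAMPLE_TOKEN = 'constructed-token-value';
const SAMPLE_PAGE = {
  forms: [
    { action: './folder/doc', method: 'post', fields: { title: 'Doc' } },
    { action: './search', method: 'get', fields: { q: '' } },
    { action: 'https://other.example/collect', method: 'post', fields: {} },
  ],
  links: [
    'https://site.example/folder/doc/edit#fieldsetlegend-default',
    'https://site.example/folder/doc/view',
    'https://other.example/edit',
  ],
};

console.log(JSON.stringify(protectPage(SAMPLE_PAGE, SAMPLE_TOKEN, SAMPLE_ORIGIN), null, 2));
```

Run with node: of the three sample forms only the same-origin POST gets the hidden field, and of the three links only the same-origin `/edit` URL gets the query parameter, with its fragment preserved. Wiring these functions to real DOM nodes (`document.forms`, `document.links`, `$.ajaxSend`) is the browser-specific part the answer leaves to you.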
What is the best way to get auto-reloading to work when developing my website (my website runs on Mojolicious)?
There exists a development server called morbo, and it does update what is served automatically whenever I save changes to a source file, but the website itself does not reload automatically. I must manually refresh the page to see the changes.
What is a sane way to get this behavior? I am okay with using an additional tool if necessary.
My understanding is that Mojolicious::Plugin::AutoReload can do what you want by defining an auto_reload endpoint and having the UI poll your web app to check if the UI should reload.
The module was featured on the Mojolicious blog in 2018.
I have an existing fitness site ( showing exercises on different pieces of equipment) with menus available depending on whether the user is logged in.
Not sure of the best way of doing this but I would like to access the site via a touchscreen kiosk which will show a different welcome page and menus.
I know it can be done as a clone site, which would mean copying all the exercise data, but is there a way for TYPO3 to recognise the type of device, assign it as a certain user and allow user-level control of the content shown?
Regards
Paul
Device detection is very complicated, and the TS conditions that should work were removed from the TYPO3 core some time ago.
If it is important (and possible) to detect one kind of device you may create your own TS condition (userfunc).
But maybe another option would solve your problem:
Configure another page type which gets your modified layout for the start page.
Then you only need to make sure the initial page is called with that specific page type.
An automatic login will be complicated. Maybe it would be possible to use a permanent login, where a session cookie without an end time is stored.
If you're using TYPO3 version 8.7, you could use the extension aoe_ipauth (https://extensions.typo3.org/extension/aoe_ipauth/) to automatically log in a user based on IP address. There are several other extensions that do this, but I think most of the others are old and don't work in 8.7. There don't seem to be any that support TYPO3 9.5 yet.
I have to migrate TYPO3 6.2 websites to 8.7. Some websites use custom pibase extensions; do I need to redevelop them with Extbase?
All previous answers have been correct but some words from a TYPO3 core team member: There are no plans to drop the support of "pibase" in the core. It is absolutely ok to use that API even though it does not provide much help to developers.
However, I recommend using at least Fluid standalone to be able to create nice templates without all that ### stuff.
You don't need to redevelop these extensions, but you might need to change the calls to core functions.
In 6.2 you could still use the old class names like t3lib.
These class names are available only with compatibility layer (together with a lot of delay).
For the future you need to use namespaces (and the correct new classes). You also should use namespaces for your own classes.
Depending on the functions you use, you might need to replace some calls with the newer functions, as some functions have been deprecated meanwhile.
You don't need to redevelop these extensions.
You just need to change some TYPO3 core functions like t3lib_div, t3lib_BEfunc, t3lib_parsehtml, t3lib_extMgm and more.
Please see the complete example here: See more details
I want to stress test a system based on Apache Wicket, using grinder.
So what I did was that I used grinder's TCP Proxy tool to record a test session in my Application and then fed the generated test script to grinder to stress test the system; but we found out the tests aren't carried out successfully.
After a lot of tweaking and debugging, we found out that the problem was within the wicket's URL generation system, where it mixes the page version number into its URLs.
So I searched and found solutions for removing that page version number from the URLs (Like this), and used them and they worked and removed those version numbers from the URLs used in the browser. But then again, the tests didn't work.
So I inspected more and found out that even though the URLs are clean now, the action attribute of forms still uses URLs mixed with the page version number, like this one: ./?4-1.[wicket-path of the form]
So is there any way to remove these version numbers from form URLs as well? If not, is there any other way to overcome this problem and be able to stress test a Wicket web application?
Thanks in advance
I have not used grinder, but I have successfully load-tested my wicket application using JMeter Proxy; without changing Wicket's default version mechanism.
Here is the JMeter step-by-step link for your reference:
https://jmeter.apache.org/usermanual/jmeter_proxy_step_by_step.pdf
Basically, all I did was run the proxy server to accept web requests from the browser to capture the test scenarios. Once done collecting the samples, I changed the target host URL to whichever server you want to point to (other than your localhost).
Alternatively, there is another load testing tool BlazeMeter (compatible with JMeter). You could add the chrome browser plugin for quick understanding.
Also, you might want to consider mounting your packages to individual URLs for 'cleaner' URLs. That way, you have a set of known URLs generated for pages within the same package (for example, /reports for all the report pages within the reports package).
Hope this helps!
-Mihir.
You should not ignore/remove the pageId from the urls. If you remove them then you will request a completely new instance of the page, i.e. you will lose any state from the original page.
Instead of using the href when recording you need to use the attribute set (by you!) with org.apache.wicket.settings.DebugSettings#setComponentPathAttributeName(String).
So Grinder/JMeter/Gatling/... should keep track of this special attribute instead of 'href' and later find the link to click by using CSS/XSLT selector.
P.S. If you are not afraid of writing some Scala code then you can take a look at https://github.com/vanillasource/wicket-gatling.
I started looking into OwnCloud app development to add some capabilities I would like to my server. To me it seems like Apps can't modify anything like the Login page or User Management page. Is this the case?
I want to build a user registration app and would love to integrate it into the user management page (if not and it has to exist as its own app page not a big deal). The one big problem I see so far is not being able to add a "Register" link to the login page. I could just go in and add it to the source manually, but I would like to keep the App self contained so others can use it too.
If this is not possible to do in an App I may just need to modify the core application and then see if they will accept my feature addition in a pull request.
Thanks to anyone who can shed some light on this for me. I don't want to waste my time trying to figure out how to do it with an App on the platform if it won't be doable.
After a lot of digging around I did figure out a way to do this.
In the App's app.php file, you can force a script to be loaded if the plugin is enabled:
$api->addScript('script_name'); // without .js
In that script jQuery can be used to add the elements to the page where you need them.
This was a good solution for me since I only needed to add a single button to the login page. I can see this being a bad idea if you want to make vast modifications. At that point you might as well just create a separate page that you have full control over.