Does anybody know if there's a way to modify the action attribute of the wp-login.php?action=register form? - forms

I'm trying to create a referral registration system in WordPress. The idea is that the user will click a link which will contain wp-login.php?action=register&ref=12345
I'm hooking into the 'register_form' action hook and adding a reference number hidden input, and on registration I use that reference number to do whatever I need to do with it.
The issue appears when the user gets something wrong in the registration form. The problem is that he will be taken to wherever the action attribute of the register form states, which is "wp-login.php?action=register", without the ref parameter. I'm looking for a way to modify that action attribute. I've looked in the wp-login.php file and it seems that there's no filter there.
I know there's always JavaScript, but is there another WordPress-y way to do this?

I think you'll get tons of clues from this affiliates plugin; you can download it and check out the code from http://wordpress.org/extend/plugins/affiliates/
Good luck,
Virgil!
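An added example, not code from the thread or from the affiliates plugin, showing the "WordPress-y" route the question is circling: you do not need to change the form's action attribute at all. When registration fails, wp-login.php re-renders the same form on the POST request and fires register_form again, so a hidden input that is re-emitted from $_POST (on the re-render) or $_GET (on the first visit) carries the referral id through every round trip. The hook names register_form and user_register are real WordPress hooks; the parameter name ref and the user meta key referrer_id are assumptions. Because ref arrives from an untrusted URL, it is reduced to a positive integer before it is echoed or stored.

```php
<?php
// Added example (not from the original thread): carry a referral id across
// the wp-login.php?action=register round trip via a hidden field that is
// re-emitted from the POSTed data after a failed submission.
// Assumptions: the query/POST parameter is named 'ref' and the referrer is
// stored in user meta under 'referrer_id'.

/**
 * Return the referral id from the current request, or 0 if absent/invalid.
 * The value is attacker-controlled, so it is normalised to a positive int
 * before it is ever echoed or stored.
 */
function example_get_ref_id() {
    $raw = '';
    if ( isset( $_POST['ref'] ) ) {        // re-render after a failed submit
        $raw = wp_unslash( $_POST['ref'] );
    } elseif ( isset( $_GET['ref'] ) ) {   // first visit via ...&ref=12345
        $raw = wp_unslash( $_GET['ref'] );
    }
    $id = absint( $raw );                  // "abc" -> 0, "-5" -> 5, "12345" -> 12345
    return $id > 0 ? $id : 0;
}

/** Emit the hidden field inside the registration form (fires on every render). */
function example_register_form_ref_field() {
    $id = example_get_ref_id();
    if ( $id ) {
        // esc_attr() is kept even though $id is already an int, so the output
        // stays safe if the validation above is ever relaxed.
        echo '<input type="hidden" name="ref" value="' . esc_attr( $id ) . '" />';
    }
}
add_action( 'register_form', 'example_register_form_ref_field' );

/** Persist the referral id only once the account actually exists. */
function example_store_ref_on_register( $user_id ) {
    $id = example_get_ref_id();
    if ( $id && $id !== (int) $user_id ) {  // ignore self-referral
        update_user_meta( $user_id, 'referrer_id', $id );
    }
}
add_action( 'user_register', 'example_store_ref_on_register' );
```

Drop this in a small plugin or the theme's functions.php. The browser resubmits the hidden field with every attempt, so the id survives validation errors even though the action URL still lacks the ref parameter; whatever the ref value is later used for (commission, attribution) should also be checked server-side against a list of known referrers rather than trusted as-is.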

Security warning from extension_builder: action is publicly accessible

I created an extension with the extension builder.
On saving I get this message:
The object was updated. Please be aware that this action is publicly accessible unless you implement an access check. See https://docs.typo3.org/typo3cms/extensions/extension_builder/User/Index.html
How can I fix this issue? Yes I read the page but there are no useful hints.
Since the question is how you can "fix the issue": there is no issue, it is a warning; you can remove it and make your request secure (as in the other answer).
The "hint" on the page is actually very straightforward. The "issue" is that a user is able to manipulate the URL and make the server execute an unwanted action.
Here is an example:
You have a list of users of your page and you can open their public profile for more information:
https://yourdomain.com/list/?tx_ext_plugin['action']=show&tx_ext_plugin['userId']=41.
So if I want to make some trouble, I change the action "show" to "delete" and maybe I am able to delete the poor user "41" from the DB. That is bad.
https://yourdomain.com/list/?tx_ext_plugin['action']=delete&tx_ext_plugin['userId']=41.
So since it is your business logic, TYPO3 offers no out-of-the-box solution for this. That is why this warning from the extension builder says that you need to take measures to prevent misuse.
Regarding how to implement better security, here are some thoughts about access control and some ideas on what to implement in your actions:
1) FE
You can separate your actions into different plugins. So if you have a public list action, it cannot be redirected to the plugin that is responsible for the delete action. How is this possible? TYPO3 will look up the page record in your database and render it, and if there is a plugin on the page with the signature "tx_ext_plugin" then it will receive the sent parameters. In this case you have the possibility to add the different plugins to different pages, so changing the signature won't help an attacker, because:
If the delete action is not registered by the plugin, TYPO3 will throw an exception.
If you are trying to change the whole signature, the page won't be able to identify the plugin.
You can add the edit / delete plugin to pages where a user has to be logged in. You can even manage multiple user groups, e.g. a normal user can only edit their own profile, but a premium user can make further changes. In Fluid you can use the view helper IfHasRole to show parts of your template only to defined user groups. (There is an ifAuthenticated ViewHelper too.)
You can take the extension "femanager" as an example. There is a controller "EditController" that covers actions like "update" and "delete". For example, before performing the update action there is a check whether the logged-in user has the same user id as the record that is going to be changed. In a more complex case you can check the user group as well.
2) BE
It is actually almost the same as frontend.
BUT instead of plugins / user groups assigned in page settings, you can use different mount points, so BE users cannot see folders where they are not allowed to edit / delete.
You have those two ViewHelpers for the BE too. Their names are f:be:security.ifAuthenticated and f:be:security:ifHasRole. However, ifAuthenticated is also for FE; in a BE context it does not make sense.
You have also the possibility to identify the id and userGroups of the BE user and you can make your own checks before you let an action run.
You have also the possibility to turn on / off a module for a certain BE group.
+1: It has nothing to do with any action, but just to list it too: there is also the possibility to allow / disallow fields for BE users when editing a record through the List mode in the BE.
Extension builder creates dummy actions to update and create records. Those example actions do not contain any security checks as to whether the caller is actually allowed to do so.
So it is your job to add adequate access control to those methods. E.g. make sure the current user (be it Frontend or Backend) is actually allowed to update the model in question.
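An added example, not code from the thread, from extension_builder or from femanager, that puts the two pieces of advice above into an Extbase extension: split the public and the destructive actions into two plugins (so tx_myext_public[action]=delete is rejected because the public plugin never registers that action), and make the delete action itself verify that the logged-in frontend user owns the record. The extension key "Myext", the plugin names, the Profile model with its getFeUser() getter and the ProfileController are assumptions. The TYPO3 APIs used (ExtensionUtility::configurePlugin, the Context API's frontend.user aspect, ActionController::redirect() returning a response) are assumed to be those of TYPO3 11; the ext_localconf.php part lives in its own file in a real extension and is shown here after the class only so the whole block is one valid PHP file.

```php
<?php
// Added example (not extension_builder output): ownership check before a
// destructive Extbase action, plus plugin registration that keeps 'delete'
// out of the public plugin. Assumes TYPO3 11 and a Profile model whose
// getFeUser() returns the uid of the owning fe_users record.
namespace Vendor\Myext\Controller;

use Psr\Http\Message\ResponseInterface;
use TYPO3\CMS\Core\Context\Context;
use TYPO3\CMS\Core\Messaging\AbstractMessage;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
use Vendor\Myext\Domain\Model\Profile;
use Vendor\Myext\Domain\Repository\ProfileRepository;

class ProfileController extends ActionController
{
    private ProfileRepository $profileRepository;

    public function __construct(ProfileRepository $profileRepository)
    {
        $this->profileRepository = $profileRepository;
    }

    // Roughly what a generated dummy action looks like: it trusts the request.
    // Anyone who can reach the plugin can delete any profile by uid.
    public function deleteInsecureAction(Profile $profile): ResponseInterface
    {
        $this->profileRepository->remove($profile);
        return $this->redirect('list');
    }

    // Hardened variant: refuse unless the logged-in fe_user owns the record.
    // Apply the same check in editAction()/updateAction().
    public function deleteAction(Profile $profile): ResponseInterface
    {
        if (!$this->isOwner($profile)) {
            $this->addFlashMessage('You may only delete your own profile.', '', AbstractMessage::ERROR);
            return $this->redirect('list');
        }
        $this->profileRepository->remove($profile);
        return $this->redirect('list');
    }

    private function isOwner(Profile $profile): bool
    {
        $context = GeneralUtility::makeInstance(Context::class);
        if (!$context->getPropertyFromAspect('frontend.user', 'isLoggedIn')) {
            return false;
        }
        $currentUid = (int)$context->getPropertyFromAspect('frontend.user', 'id');
        // getFeUser() on the model is an assumption of this example.
        return $currentUid > 0 && $currentUid === (int)$profile->getFeUser();
    }
}

// ---- ext_localconf.php (separate file in a real extension) -----------------
// Two plugins: 'Public' only knows list/show, so an action parameter of
// 'delete' sent to it is rejected by Extbase. 'Manage' is placed only on
// pages that require a frontend login and is never cached.
\TYPO3\CMS\Extbase\Utility\ExtensionUtility::configurePlugin(
    'Myext',
    'Public',
    [\Vendor\Myext\Controller\ProfileController::class => 'list, show'],
    [\Vendor\Myext\Controller\ProfileController::class => '']
);
\TYPO3\CMS\Extbase\Utility\ExtensionUtility::configurePlugin(
    'Myext',
    'Manage',
    [\Vendor\Myext\Controller\ProfileController::class => 'edit, update, delete'],
    [\Vendor\Myext\Controller\ProfileController::class => 'edit, update, delete']
);
```

The Fluid ifHasRole/ifAuthenticated view helpers mentioned above only decide what is rendered; they are not a substitute for the check inside the action, because the attacker crafts the URL directly and never sees the template.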

TYPO3 Contact form plugin exists twice, also submitted twice

I have a submit form that is once displayed in a popup and once shown normally on the page. So I created it in a storage folder and used "insert record" for said plugin twice.
When I submit one of the shown forms, it will be executed twice. Anyone ever had this kind of problem?
The contact request form is self-made.
You need to distinguish your two plugins from each other. I assume you have the same plugin twice on the same page. If you submit your form, both of the plugins respond to the request, because they both feel responsible for it.
If you could give one of the plugins a different name, it would just respond to its own form, and the other plugin would not respond to the other plugins form.
Try to modify your plugin so you can configure it to only show the form. Then you use two different CEs: one to show only the form, the second to show the form and to handle the submit.
Other possibility: while you are handling the form store the information about handling somewhere and avoid a second handling on the same call

How to update the responses of the google form to the form itself

I am creating a Google Form. I want to insert a count at the end (anywhere, not specific) of the form which will show the number of responses submitted to date. This goes like updating the live count. I have tried using the script editor for the Google Form Add-ons option, but I am unable to view the results automatically or the changes. It asks me to accept the "Terms of Service", which I don't want to do right now because I am not sure how it may turn out.
There are various options available to view the form results/responses. But here I don't want to view the results later. They should get updated when we click the submit button on the form. Please note that many users may fill in the form simultaneously.
To implement this, I have thought of logic like: whenever the submit button gets clicked, the text in the form should get updated.
Please suggest how I can add the count or apply the above logic whenever a submit operation is performed. Is it possible? Any other suggestions are welcome. Thanks in advance!
I found another possible way of doing this. I receive all the responses in a Google Spreadsheet, which I later embedded in my site. Solves the purpose, and the embedded data gets updated automatically for the responses! Cheers

Disable form validation on empty forms with Play Framework

I'm pretty new to Play Framework.
My problem is that when a user clicks on the register link, he will instantly see validation errors.
The problem is that the method that serves the form also validates the form. So when the user clicks on the register link, gets to the validation without any input and then gets validation errors.
One solution would be to have an extra method to only serve the register form. But this would require an extra form and an extra route.
Another solution would be to disable validation on empty forms.
Is this possible? If not, is there another way?
You are on the way to a good solution. Make a second method.
GET /register controllers.RegistrationController.showRegistration()
POST /register controllers.RegistrationController.register()
The first is to display the registration page with the form, the latter to handle the form submit.
A method should stick to doing one thing: either show a registration page or handle a post. Generally it's not a good idea to write a single method with lots of if-then-else flow control statements.
Play Framework also supports REST principles: in a simplified way, GET is to retrieve a resource (= an empty registration page here), POST is to submit data (= do the registration).
Have a good look at Play framework's examples, I think the computer-database is very simple and a good starting point for you.

Form (phpmailer) in joomla error

I'm having the following problem: I created a folder (named 'forms') to store the PHPMailer files, then I have to put the action in the form this way: action="forms/mail.php".
But when I tried the form it opened a not-found page, and in the URL this appears: "perfilo/index.php/forms/mail.php". I tried to delete the "index.php/" part and execute the script, and it looks like it would work without it.
Can anyone tell me how to get rid of this "index.php/" part? Am I doing something wrong or what?
Thanks
You are on the wrong track.
Search for documentation on using Joomla! Mailer.
Some resources to get you started:
JFactory/getMailer
How To Send Email from Your Joomla Extension
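An added example, not code from the thread or from the Joomla documentation it links to, of what "using Joomla! Mailer" looks like in practice: a component controller task that receives the POSTed form, checks the CSRF token, cleans the user-supplied values before they reach mail headers, and sends through JFactory::getMailer() instead of a stand-alone mail.php sitting in a public folder. The Joomla 3 API (JControllerLegacy, JSession::checkToken, JMailHelper, JMail) is assumed; the component name com_myform, the controller class and the field names are invented for illustration. Because the mail goes through the component, the form's action is a normal index.php?option=... URL and the "index.php/forms/mail.php" routing problem in the question does not arise.

```php
<?php
// Added example (not from the original thread): send a contact form through
// Joomla's own mailer from a component controller task. Assumes Joomla 3;
// com_myform, MyformControllerContact and the field names are invented.
defined('_JEXEC') or die;

class MyformControllerContact extends JControllerLegacy
{
    /**
     * Task: index.php?option=com_myform&task=contact.send (POST).
     * The form must contain <?php echo JHtml::_('form.token'); ?> so the
     * token check below can pass.
     */
    public function send()
    {
        // CSRF protection: reject requests that did not come from our form.
        JSession::checkToken('post') or jexit(JText::_('JINVALID_TOKEN'));

        $app    = JFactory::getApplication();
        $post   = $app->input->post;
        $config = JFactory::getConfig();
        $back   = JRoute::_('index.php?option=com_myform&view=contact', false);

        // Untrusted input: strip CR/LF from anything that lands in a header
        // (name, subject) so a visitor cannot inject extra recipients/headers.
        $name    = JMailHelper::cleanLine($post->getString('name', ''));
        $email   = $post->getString('email', '');
        $subject = JMailHelper::cleanSubject($post->getString('subject', ''));
        $body    = JMailHelper::cleanBody($post->getString('message', ''));

        if (!JMailHelper::isEmailAddress($email) || $subject === '' || $body === '') {
            $app->enqueueMessage('Please fill in all fields with a valid e-mail address.', 'error');
            $this->setRedirect($back);
            return false;
        }

        $mailer = JFactory::getMailer();
        // Sender stays the site's own address (SPF/DMARC); the visitor is Reply-To.
        $mailer->setSender([$config->get('mailfrom'), $config->get('fromname')]);
        $mailer->addReplyTo($email, $name);
        $mailer->addRecipient($config->get('mailfrom'));
        $mailer->setSubject($subject);
        // Plain text by default: never isHtml(true) with user-supplied content.
        $mailer->setBody("From: {$name} <{$email}>\n\n{$body}");

        $sent = $mailer->Send();   // true on success, JException otherwise
        if ($sent !== true) {
            $app->enqueueMessage('Your message could not be sent.', 'error');
        } else {
            $app->enqueueMessage('Thank you, your message has been sent.');
        }
        $this->setRedirect($back);

        return $sent === true;
    }
}
```

Mail settings (SMTP host, sender address) then come from Global Configuration rather than from a copy of PHPMailer in the web root, which also removes the need to expose forms/mail.php as a directly reachable script.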
You are on the wrong path.
In Joomla you need to implement a contact form. You can implement it like the following.
Joomla provides you a default component, com_contact. You can use any of the files from com_contact\views\contact\tmpl\ or you can create a new layout with your custom design.
And you can access the files in the URL via www.domain.com/index.php?option=com_contact&view=contact&layout=default or your custom layout.
Then Joomla itself provides some forms; if you want to customize them you can do that too.
The action they set in the form goes to the contact controller, which sends the mail.
I got your point of view: you are trying to create a custom design and set it as an article.
If you want to follow your own method.
You can work like this.
Leave the form action empty,
and on click set the action via jQuery and then submit.
Hope this may solve your issues