Wizard based feature install in sharepoint 2007? - moss

I have a feature that gets installed using a WSP package, when the feature is activated, I would like the following to happen:
The feature will contain a list definition.
When the feature gets activated by an end user (the user physically clicks the feature activation button in site features admin) - I would like a modal dialog to appear then ask the user to provide some additional details.
3.1 The additional details will be supplying a certain number of names. For example Mary, John, Peter. Form logistics I can handle.
Once the form is complete that information needs to somehow get back to the feature reciever, so that I can then take the base list definition, and use it as a template to create list instances for all the names supplied - so if user had supplied Mary and Peter, then 2 list instances will be created when this feature is activated.
Is any of this possible with MOSS 2007? Thank you

There's no way to "hijack" the feature activation process in sharepoint. The (crude) solution would be to create a feature that deploys an application page (aka layouts page) and the list template/definition. On the page there should be a bunch of textboxes and a submit button.
The feature should have a receiver attached to it that after activation redirects the user to your page using HttpContext.Current. After entering all relevant data in the page ( Mary, John, Peter, etc.) just create the lists based on the list template deployed earlier from code using something like:
SPListTemplate listTemplate = web.ListTemplates["YOURLISTTEMPLATENAME"];
web.Lists.Add(listName, description, listTemplate);
There is 1 caveat though, IMHO a dealbreaker even. this won't work when the feature is activated using stsadm, seeing as there is no HttpContext!!!

Related

Security warning from extension_builder: action is publicly accessible

I created an extension with the extension builder.
On saving I get this message:
The object was updated. Please be aware that this action is publicly accessible unless you implement an access check. See https://docs.typo3.org/typo3cms/extensions/extension_builder/User/Index.html
How can I fix this issue? Yes I read the page but there are no useful hints.
Since the question is how you can "fix the issue": There is no issue, it is a warning, you can remove it and make your request secure. (As in the other answer.)
The "hint" on the page is actually very straightforward. The "issue", that a user is able to manipulate the url and make the server to execute a not wanted action.
Here is an example:
You have a list of users of your page and you can open thier public porfile for more information:
https://yourdomain.com/list/?tx_ext_plugin['action']=show&tx_ext_plugin['userId']=41.
So if I want to make some trouble, I change the action "show" to "delete" and may I am able to delete the poor user "41" from the db. That is bad.
https://yourdomain.com/list/?tx_ext_plugin['action']=delete&tx_ext_plugin['userId']=41.
So since it is you business logic typo3 offers no out of the box solution for this. That is why this warning from extension builder says, that you need to make actions to prevent misuse.
Regarding how to implemnt a better security here are some thoughts about the Access Control and some ideas what to implement in your actions:
1) FE
You can separate your actions into different plugins. So if you have a public list action it can not be modified to the plugin that responsible for the delete action. How is it possible? TYPO3 will look the page record in your database. And will render it, and if there is a plugin on the page with the signature "tx_ext_plugin" then it will get the sent parameters. In this case you have the possibility to add the different plugins to different pages so changing the signature of it for an attacker won't help, because:
If the delete action is not registered by the plugin, TYPO3 will
throw an exception.
If you are trying to change the whole signature the page won't be able to identify the plugin.
You can add the edit / delete plugin to pages where a user has to be logged in. You can even manage multiple usergroups. Like normal user can only edit its profile, but a premium user can make further changes. You can use in fluid a view helper IfHasRole that can show parts of your template for defined user groups. (There is an ifAuthenticated ViewHelper too)
You can take the extension "femanager" as an example. There is a controller "EditController", that covers actions like "update" and "delete". For example before making the update action there is a check if the logged in user has the same user id as the record which going to be changed. If you have a complex example you can make a check on the user group also.
2) BE
It is actually almost the same as frontend.
BUT instead of plugins / user groups assigned in page settings. You can use different mountpoints, so BE users can not see folders where they are not allow to edit / delete.
You have those two ViewHelper for the BE too. There names are: f:be:security.ifAuthenticated and f:be:security:ifHasRole. However ifAuthenticated is also for FE, in a BE context it does not make sense.
You have also the possibility to identify the id and userGroups of the BE user and you can make your own checks before you let an action run.
You have also the possibility to turn on / off a module for a certain BE group.
+1: It is nothing to do with any action but just to list it too. There is also the possibility to allow / disallow field for BE Users by editing a record through the List mode in the BE.
Extension builder creates dummy actions to update and create records. Those example actions do not contain any security checks, whether the caller actually is allowed to do so.
So it is your job to add adequate access control to those methods. E.g. make sure the current user (be it Frontend or Backend) is actually allowed to update the model in question.

Needing to have a form in every instance of a content type that can be submitted once per node - Drupal 7

So here's the situation and I cannot figure out how to accomplish it.
I have a content type called "Alert". Each instance of this content type needs to have a webform (really just a submit button with hidden fields), that users click to acknowledge they have read and understand the alert. Ideally once submitted, the form should be replaced with a message along the lines of "You have marked this alert as read."
I do have a webform created (displaying as a block to be able to place within the variant page set up for the Alert type) and can get it to appear on each instance, but users can submit multiple times on each alert (submissions are set to unlimited as if i set it to 1 submission per user, the form does not render after the first submission on any alert). Additionally, once they click on one instance of the form, every additional instance will result in a message stating they have already submitted the form.
So I really have two issues. First, and most importanlty, allow a single submission per node (without the "already submitted" notice). Second, not required but would be nice, once it has been submitted for a specific node, the form no longer renders on that node for that particular user. Anyone have any ideas on the best way to accomplish these two aspects?
I'm running on Drupal 7.56, using the AT_Panels_Everywhere theme, Webform module Version: 7.x-4.15.
In drupal 7, with webform 7.x-4.0, you can enable webforms within a content type. To do so:
Go to Structure > Content Types
[Respective content type] > Edit
In the bottom left section, find the Webforms Tab and choose Enable webforms for this content type.
Based on your use case, I'd recommend enabling that and installing the node clone module. Then you can make one alert node, setup the webform, limited to one submission per user and allow content managers to clone content. That node can serve as a template.

How to show confirm box before submit form in moodle on course edit page?

I am using moodle 2.8
I wants to confirm user before edit course.
Basically I have a category name ex. 'Live' category
So when user move course into 'Live' category then want to show confirm box and if he click on yes then course will be update otherwise redirect to course edit page.
This will require changes to the Moodle core code (not usually a great idea, for ongoing maintenance) and would probably be a bit fiddly to implement - you would need to store all the submitted details somewhere in the confirmation form, then re-send them along with the confirmation.
It might be easier to make a small core code change to prevent the user from ever moving the course directly into the 'live' category (adjust the 'validation' function in the form submission), then have a separate admin page (within a local plugin, or maybe a block), that listed all the non-live courses and gave the option of moving them into the 'live' category (with the appropriate warnings / confirm action).

Custom blocks to display for students in moodle

I have created a custom block in moodle. The block displays perfectly on admin and manager account. But it doesnt display on the student account.
I have created db/access.php file. I have also created tests/generator_test.php (copied as same from online_user block by changing the key names ). The block is not visible in site admistrator/users/permission/define roles/ student and then clicking on edit. (Block: online users allow). The same is not showing for my block.
Some one please help me with this. I want to display that block on students dashboard.
If you have already installed the block then any changes to db/access.php won't apply until the version number is bumped.
So just increase the version number in blocks/yourblock/version.php then go to site admin -> notifications to update it.
If that doesn't work then show the contents of access.php.

How to display drupal custom form if user clicks adwords advertisments?

My client want to published some adwords advertisement on Google. The website only purpose is presenting info about it's company and it's not an e-commerce site. Since adwords final result depend on conversion we decided to add simple form including following fields.
1) Name:
2) Email Address:
3) Occupation:
However, we need to display this form if only a person clicks on the 10% discount adword advertisement via Search or Display network. We think by user submitting this form user may contact us is definite.
My Questions are:
1) Is there a way to display this discount form only if user click the Google add? if so could you pls clarify
2) Is there a module for Drupal 7 to create custom form fields?
3) Otherwise is there a different method to achieve what I explained above?
The Referer HTTP header field might tell you the URL of the page from which the user might have come to your site.
The first might means, there is no quarantee that it is present.
The second might means, if it is present, there is no quarantee that it is accurate.
The Fields module can be used to create custom form fields. It is part of the Drupal 7 core. It can be used to attach fields to bundles. A bundle is a set of entities. EXamples are
The nodes of a node type are a bundle
All users are a bundle
The terms of a vocabulary are a bundle
The Fields module provides an API to define new entity types and groups them into bundles.
1 - You can create a unique Webform and exclude it from search engines in your robots.txt file. This will allow it to be accessed directly via the URL, but it won't be picked up by any search engine, and therefor can't be found by anonymous users. You'll have to add it in the robots file as such:
User-agent: *Disallow: /your-page-path/
You may also have to exclude it from your site's search (if you have it).
2 - If you haven't already tried the Webform module, it's a great module for creating custom forms and gathering submissions right within the Drupal site.