TYPO3 workspace preview not working with forms and HTTP POST data

The following question has been asked in the #typo3-cms Slack channel:
A customer of ours wants to use the workspaces feature. That's working fine. But he cannot test his forms because workspaces are not supporting POST requests ("POST requests are incompatible with keyword preview"). Does anyone have an idea how to make plugins which work with the POST method testable in workspaces, or any other workaround?

Explanation of the scenario and behavior
The check that prevents HTTP POST requests from being executed dates back to TYPO3 CMS 4.0 in 2006, when the workspaces feature was introduced into TYPO3 (see the corresponding Git revision from back then).
Since the workspaces preview link initializes a backend user in an untrusted application context, the check has been used to prevent administration actions from being executed - today one would do that differently and use XSRF protection tokens for that.
The handling of these workspace preview links was also part of a security issue in spring 2016, aimed at removing further possible security side effects in that regard (see TYPO3-CORE-SA-2016-012 for details).
There are several possibilities to preview workspace changes:
Preview link from workspace module
In the top bar of the workspace module in the TYPO3 backend, the preview link can be sent to other parties that don't have credentials to access the TYPO3 backend. This mechanism basically leads to the problems with HTTP POST mentioned above.
This behavior is implemented in the class PreviewHook, in the system extension version (up to and including TYPO3 CMS 7) or workspaces (since and including TYPO3 CMS 8). There's currently no easy way to bypass the HTTP POST check, except granting possible previewers real and limited access to the TYPO3 backend with a valid user account.
Preview contents directly from page module
Editors that have access to the TYPO3 backend should use the regular preview mechanism of TYPO3 in the page module - this is the same for live versions and workspace changes. The only difference when working in a workspace is that the website frontend shows additional workspace-related widgets to compare changes.
Using this mechanism, the HTTP POST problems mentioned at the beginning of this answer don't occur, and e.g. forms can be used without any limitations.
If the previous method of creating the workspace preview link has already been used with the same browser, a cookie ADMCMD_prev has been created which still triggers the preview link behavior and still leads to problems with HTTP POST - even if the regular preview mechanism is used as described in this section. To circumvent that, this cookie has to be cleared manually in the browser.

Related

How can I limit wagtail's site history by site to support multi-tenancy?

I have a multi-tenant wagtail set up and we are currently working on getting up to date. We've just recently upgraded to v2.15 which introduced audit logging for all models instead of just page models.
AFAICT from looking through the wagtail code, the changes for a page model are only visible to superusers or admins with can_add_subpage or can_edit permissions which seems to effectively support multi-tenancy.
However, for all the other models there is no limitation put into effect. This means that an admin for Site A is seeing when changes are made to Site B or anytime a user is added or edited. We are using email addresses as usernames so this presents a rather major privacy issue.
This method hasn't been updated in any newer version, AFAICT, so I don't believe that just upgrading will fix this.
Does anyone have any ideas on either any wagtail settings we can change to keep Site and user changes invisible to non superusers or how we might localize BaseLogEntryManager.viewable_by_user so we can override the default wagtail implementation to our needs?
We have previously done something somewhat similar with the search available to admins by creating our own src/app/templates/wagtailadmin/pages/search.html and creating our own local version of https://github.com/wagtail/wagtail/blob/stable/2.13.x/wagtail/admin/views/pages/search.py
I had thought about trying to do something similar here however that doesn't seem like a good thing to do given how different those circumstances are and I think it was only possible using the register_admin_search_area hook.
I run a fairly large multi-tenanted Wagtail site. I have made a public gist of the code we use in Wagtail 2.16 to restrict reports.
One of the main things we had to patch is the filters on the reports page. We do not want users on one site to even know there are other users in the system. This is implemented in the site_specific_get_users_for_filter method.
Although our non-page models all have site_ids, it was not possible to filter ModelLogEntries by site, so we settled for hiding that report from everyone except superusers.

Firefox Extension - Database access

I want to make a Firefox extension that can store and retrieve data from a database. However I've only been finding solutions that would work locally for each user. I'd like every user to have access to the same database.
Is that possible?
It is possible to access remote SQL databases like MySQL and PostgreSQL with node.js modules, but it is more sensible to create REST API front ends to your databases and call them from the extension. Exposing the SQL calls directly in your web extension is not a good idea. It is basically bad security practice and will expose your database to hackers.
You will also need your addon to pass Mozilla's approval process if you are going to distribute publicly and I doubt the reviewers will be pleased to see raw SQL calls in your extension's code.
The more sensible way to update the database is through a REST API front end.
A simple example of how to create a REST API for a Postgres database can be found at "Node.js, Express.js, and PostgreSQL: CRUD REST API example" (LogRocket Blog), and this playlist shows how to create a REST interface in a Firefox extension: "Build a Firefox Extension from Scratch that integrates with Node.js" (DEV Community).
The above database example is quite simple. For real-world use you will need a more advanced REST framework for your API which sanitizes the data before inserting it into the database. You have more reading to do here.
However, if you need to make SQL calls directly from your extension, which I still don't advise, you can include some packages from node.js in your web extension and use browserify, which extracts and packages the modules needed into your extension. Your addons had better be for private or in-house use, though, not for public distribution.
Some nodejs modules for database access are https://github.com/mysqljs/mysql, https://node-postgres.com/ and https://www.npmjs.com/package/pg.
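The "REST API in front of the database" pattern this answer recommends, as an added example that is not code from the answer or from the linked tutorials. Both halves are in one file so it runs offline: the extension side, which only ever sends JSON and a token, and the API side, which validates the payload and uses a parameterised statement in the shape the pg driver accepts. The API base URL, the /notes route, the bearer token, the notes table layout and the fake pool/response objects are assumptions for the illustration; the hostile title is constructed to show what string-splicing would do.

```javascript
// Added example, not from the original answer: REST front end between a
// Firefox extension and a Postgres database. URL, route, token, table layout
// and the fake pg pool / Express response are assumptions for the demo.
const API_BASE = 'https://api.example.com';

// ---- Extension side (background/popup script) ----
// The extension never holds database credentials or SQL. It sends JSON with
// the user's token; the API host must be listed in manifest.json permissions.
// fetchImpl is injectable so the function can be exercised without a network.
async function saveNote(note, token, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${API_BASE}/notes`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
    body: JSON.stringify({ title: note.title, body: note.body }),
  });
  if (!res.ok) throw new Error(`API returned HTTP ${res.status}`);
  return res.json();
}

// ---- API side (the Express + pg handler the answer points to) ----
// 1. Validate shape and size before the data goes anywhere near the database.
function validateNote(payload) {
  if (!payload || typeof payload !== 'object') return 'payload must be a JSON object';
  if (typeof payload.title !== 'string' || payload.title.length < 1 || payload.title.length > 200) {
    return 'title must be a string of 1-200 characters';
  }
  if (typeof payload.body !== 'string' || payload.body.length > 10000) {
    return 'body must be a string of at most 10000 characters';
  }
  return null;
}

// 2. Keep client data out of the SQL text. With a parameterised statement the
//    query structure is fixed and the driver ships the values separately, so a
//    title like "x'); DROP TABLE notes; --" is stored as text, not executed.
function buildInsert(payload, ownerId) {
  return {
    text: 'INSERT INTO notes (owner_id, title, body) VALUES ($1, $2, $3) RETURNING id',
    values: [ownerId, payload.title, payload.body],
  };
}

// The string-splicing version, shown only to make the difference concrete.
function buildInsertUnsafe(payload, ownerId) {
  return `INSERT INTO notes (owner_id, title, body) VALUES (${ownerId}, '${payload.title}', '${payload.body}')`;
}

// 3. The handler in the shape Express uses. Ownership comes from the
//    authenticated user on the request, never from the client's JSON.
async function handleCreateNote(req, res, db) {
  if (!req.user) return res.status(401).json({ error: 'authentication required' });
  const problem = validateNote(req.body);
  if (problem) return res.status(400).json({ error: problem });
  const q = buildInsert(req.body, req.user.id);
  const { rows } = await db.query(q.text, q.values);
  return res.status(201).json({ id: rows[0].id });
}

// Constructed, offline stand-ins for a pg Pool and an Express response.
function fakeDb() {
  const calls = [];
  return { calls, query: async (text, values) => { calls.push({ text, values }); return { rows: [{ id: 42 }] }; } };
}
function fakeRes() {
  return { code: 0, payload: null, status(c) { this.code = c; return this; }, json(p) { this.payload = p; return this; } };
}

// Constructed hostile input: harmless as a bound parameter, destructive if spliced.
const hostile = { title: "x'); DROP TABLE notes; --", body: 'hello' };

async function demo() {
  const db = fakeDb();
  const res = fakeRes();
  await handleCreateNote({ user: { id: 7 }, body: hostile }, res, db);
  return { status: res.code, stored: db.calls[0], unsafeSql: buildInsertUnsafe(hostile, 7) };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Two design points carry the security value here: the owner_id comes from the token the API verified, so a client cannot write notes into another user's account by editing the JSON, and the database credentials live only on the API host, which is what keeps them out of the reviewable extension package.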
Just a little advice. Feel free to ignore it if it doesn't apply to you. Your question sounds quite generic. You should learn and do it by yourself first and only ask here when there are specific issues you're stuck with.
By "locally", I think you mean via Web SQL or IndexedDB. They're called local databases and their behavior is totally different from what you're looking for.
I shouldn't need to tell you this, but just in case: first things first, you need to know how a website works for both front end and back end, not just local stuff, especially how they communicate with each other. So you should know about HTTP requests, JavaScript, and AJAX.
What has this to do with a Firefox extension? Not just in Firefox, a browser extension is just another type of web page overlaying the opened web page, in all kinds of browsers. In Firefox the opened page is called activeTabs. The only differences from a regular web page are that you need to sign up for an account first, a manifest.json file is your project root file, and it is compiled from the command line with the web-ext tools. In case you're facing Cross-origin resource sharing (CORS) restrictions, follow the instructions HERE and allow the URL on the server side.

Ajax not working with laravel project deployment

I know this might be a broad question, but I recently finished developing a Laravel 5.6 app. I deployed it to a free hosting service (000webhosting) because I wanted the client to be able to preview it remotely from where they are without having to sign up for domains and hosting accounts and all that jazz.
I uploaded it by zipping my project folder and putting it in the directory of the cPanel. I put all the public files (including .htaccess) into the public_html folder and put the rest of the project into the parent directory.
Long story short, everything works fine except for AJAX. Other non-AJAX CRUD is functional, but nothing AJAX-related works. It all produces 404 errors. The other non-AJAX functionalities are in the same controller as the AJAX methods! So I know the project is talking to itself. I have the jQuery library linked from the hosted Google libraries page. Is there some sort of convention that I'm missing that is limiting this functionality? Do some web servers block AJAX requests? It's working perfectly in my localhost WAMP environment. What could I possibly look into to resolve this AJAX discrepancy? If it comes to it, I'll pay for hosting, but I just want to make sure this isn't a consistent topic with many host providers where AJAX needs to be specially configured or something.
github.com/maximus1127/drive ... this is the GitHub repo. The file in question is drive/resources/views/auditor_pages/application_review.blade.php.
To log in in the browser, go to https://makemedrive.000webhostapp.com/ and log in with "aa#aa.com", password "password". Click the instructors tab on the left, then instructor application, then view details. The "save notes" and "background check/received" buttons are all the AJAX features of this page and none of them work. They all produce 404 errors. Please help!
Thanks in advance!

Ubuntu Nginx 403 error when posting form data including <iframe>

I have an Ubuntu Nginx server (set up using Laravel Forge).
I am now getting 403 errors when posting form data including <iframe>, which I was not getting previously.
The form is posted by a JavaScript button, $('#my-form').submit(), if this is relevant.
Other forms are working fine as long as I remove the <iframe> tags (used for YouTube embedding).
Open up developer console and see more details about the POST request in network tab or console itself. 4XX is a group for client errors, not server or runtime, so expect the issue to be in your implementation. Maybe you use some package that is supposed to "automagically" authenticate or check user permissions when accepting this specific request, and so it fails because you are not passing some header or custom field? Hard to tell without more details.
Add relevant code (at very least your form html) if you want more specific tips.
In this case, I also had a WordPress blog installed with a Wordfence plugin operating. The Wordfence configuration was enforcing security settings which were preventing any website forms from posting <iframe> and similar tags.

Kentico Output Caching issue - content couldn't get updated

I am working with a Kentico site and I have a problem with page output caching.
We have a custom webpart which loads the records from a Bizform's record data and displays that data on a page. The problem is that, after giving it several tries, we couldn't figure out why the webpart couldn't get the latest data from the Bizform data, and we suspect it was because of output caching.
We tried to:
Disable webpart output caching in webpart configuration
Disable page output caching in CMSDesk > General > Output Caching
Disable site output caching in Settings > System > Performance
Disable IIS cache for both User-mode and Kernel cache
Create cache dependencies for cms.form|byid| touched key (which I found is not supported in current kentico version)
We are also going to try creating an event handler to add the touched key on the Bizform insert event.
We encountered a similar problem with the Shopping Cart Mini Preview webpart, where Ecommerce.CurrentContext.CurrentShoppingCart returns different results for a service handler (.ashx - gets updated) and for the webpart (.ascx - does not get updated).
If you ever experienced these problems, please help.
The last place where it could be cached is the content cache. It can be set either in Settings -> System -> Performance or at the web part level under the System settings section.
Only web parts that utilize content caching have this section available (e.g. some repeaters and data source web parts). It might be a little confusing because there are then two sections (System settings and Performance) where you can influence caching. However, the Performance section is used to set up the partial output cache.
Anyway, you should definitely try to check Cache debug to see what is actually cached.
Additional resources:
Deep dive – Kentico CMS Caching
New in 5.5: Caching API changes
Deep dive: Cache dependencies
Kentico caching and cache dependencies explained
ASP.NET Caching Dependencies
I have faced an issue similar to the second one (with the Shopping Cart Mini Preview webpart) recently, only a web service (.asmx) was used instead of an HTTP handler. In my case the issue was solved by setting the EnableSession property of the WebMethod attribute to true for all the CRUD web service methods:
[System.Web.Services.WebMethod(EnableSession = true)]
So I think the point is that the handler should be able to access the current Session.
In the case of an HTTP handler you could try adding IRequiresSessionState to the handler declaration to attach it to the session.
I am also using Kentico 8; I see that your Kentico version is older. That might also have an impact, but I am not sure about that.