Is a user writing to another user's doc a security concern? - firebase

I'm writing a simple Facebook-like social app that needs to support posts, comments, and likes. Most of the Firestore designs I see keep comments as separate documents. As an experiment, I coded the comments and likes as fields of the post document. It seemed to work really well, but now I'm wondering about whether a user updating another user's doc is a security issue? I read up on security rules, but don't understand the nuances. E.g., could I create a security rule that only allows users to create and modify their own comments in another user's post doc?
The benefit I see is that pulling down a single post pulls down all the comments and likes, but I suspect I'm missing something because I don't see this approach used in sample docs.

I'm wondering about whether a user updating another user's doc is a security issue?
If you don't want that to happen at all, then yes, it is a security concern.
could I create a security rule that only allows users to create and modify their own comments in another user's post doc?
Yes, it's possible.
I suggest reviewing the documentation on security rules to better learn how they work, especially the part about per user rules. If you have rules that aren't working the way you expect, please post a new question along with the rules and client code and explain what's happening.
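One way to write the rule the question asks about, as an added example that is not part of the original question or answer. It assumes a collection named posts whose documents carry an authorId field plus comments and likes maps keyed by the acting user's uid (the collection name, field names and document shape are assumptions), and that every post is created with both maps present, even if empty.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{postId} {

      // Assumed document shape (not taken from the question):
      //   authorId: uid of the post owner
      //   comments: map, commenter uid -> { text, createdAt }
      //   likes:    map, liker uid -> true
      // Keying both maps by uid is what makes the checks below possible:
      // rules cannot loop over a list of comment objects to find yours.

      function signedIn() {
        return request.auth != null;
      }

      function isOwner() {
        return signedIn() && resource.data.authorId == request.auth.uid;
      }

      // Top-level keys this write adds, removes or changes.
      function changedTopLevelKeys() {
        return request.resource.data.diff(resource.data).affectedKeys();
      }

      // Keys this write adds, removes or changes inside one map field.
      function changedKeysIn(field) {
        return request.resource.data[field].diff(resource.data[field]).affectedKeys();
      }

      // A non-owner may touch only the comments and likes maps, and inside
      // them only the entry named after their own uid.
      function touchesOnlyOwnEntries() {
        return changedTopLevelKeys().hasOnly(['comments', 'likes'])
          && (!changedTopLevelKeys().hasAny(['comments'])
              || changedKeysIn('comments').hasOnly([request.auth.uid]))
          && (!changedTopLevelKeys().hasAny(['likes'])
              || changedKeysIn('likes').hasOnly([request.auth.uid]));
      }

      allow read: if signedIn();

      // Only the author may create the post, and the post must claim them.
      allow create: if signedIn()
                    && request.resource.data.authorId == request.auth.uid;

      allow delete: if isOwner();

      // Nobody may change authorId. The owner may edit anything else;
      // everyone else is limited to their own comment and like entries.
      allow update: if request.resource.data.authorId == resource.data.authorId
                    && (isOwner() || (signedIn() && touchesOnlyOwnEntries()));
    }
  }
}
```

A non-owner's write is accepted only when the diff between the stored and the proposed document touches nothing outside the two maps, and nothing inside them other than the caller's own key, so adding, editing or deleting your own comment or like passes while touching anyone else's fails. The trade-off the question suspects is real: a Firestore document is capped at 1 MiB, and every comment or like on a post becomes a write to that one document, so a popular post concentrates both size and write contention in a single document, which is why the sample designs keep comments as separate documents.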

Related

Adding a blog functionality to your website without the use of databases? HTML5/CSS

So I have a local website that I am developing and I was wondering if there is a way to create a blog functionality without creating a database and by using HTML5/CSS alone.
From searches around it doesn't seem possible, so maybe if I could embed the blog functionality from somewhere? i.e. a blogging service that would allow my users to use my website but they are posting to a database somewhere else?
If I could do that, could you give me an example and what would be the method of doing it?
Thanks
I actually haven't tried this yet, but you could have a look at http://developer.wordpress.com/, particularly in the API section. For example, if you look at the GET /sites/$site/posts/ API, the doc summary says:
Get a list of matching posts.
So one may use a query matching the pattern:
https://public-api.wordpress.com/rest/v1.1/sites/en.blog.wordpress.com/posts/?number=2
To obtain, in response, quoting the doc page, three parameters:
found (int), the total number of posts found that match the request
posts (array), an array of post objects.
meta (object), meta data
So you may create a free and simple blog on wordpress.com and access its post via the above mentioned APIs. Therefore, you won't require any database on your local site.
Still, some simple PHP, or maybe Javascript is required, but I really can't imagine how one could avoid preprocessing in any non static website, as a blog is. For example, you may use simple GET requests to use the APIs (see this doc as an example of how to do it).

Different registration forms for different types of users

This is my first time building a site with Drupal (7). I have plenty experience with LAMP, HTML/CSS and javascript, but I want to make sure I am doing things the 'Drupal way' before I start hacking together a custom solution unnecessarily. I've searched forums and modules, but have come up empty.
The site I am building will have different tiers of users: students, teachers, and parents. The difference between these users is:
The information collected during registration, and
The pages the users have access to.
I think at least part of the solution lies with creating roles for each type of user, but it seems Drupal only has one registration page for all users. How would I create a different registration form for each type of user? What is the 'usual' way of assigning roles to users automatically?
I know this is late to the game here but I thought I might refer people to the "Rules" module... Instead of thinking about this from the "user-specific" registration form perspective, think of it instead from the perspective that you still have only 1 form but with additional / optional inputs, whereby subsequent actions (rules) are then enacted upon depending on the values of said additional / optional fields.
You might also check this out, too:
how do i make diffrent registration form in drupal?
I'm just updating my answer as I see it didn't apply for D7.
I've just begun developing a D7 site with a similar request.
There seems to be a module which should fit perfectly, although I still have to try it:
http://drupal.org/project/profile2
Good luck with it.

I have a Plone site where Anonymous can use invokeFactory (in a specific folder). I'm afraid of DDoS attacks. What can I do?

I have a Plone Site where anonymous users create a "Subscription" object for a conference.
Fact is: a malicious user can call this screen a lot of times and crash my site. I can use a captcha to avoid it, but I would like to use it only after "x" attempts of the same user, something like the SO approach when a user tries to post a lot. Is there a module that does this for me? Show a recaptcha after a user tries the same url too many times?
For a start, content is not the solution to everything. In your case having a custom content type for handling subscriptions seems like overkill. Always ask yourself if what you are doing is really content-ish. Does it need to be contained, navigable, searchable, whatever else content can be? For a conference subscription, definitely not.
In brief you could:
Create a form and save its data in lighter objects than full content or use sql.
Use Products.PloneFormGen, which also has captcha support.
Concerning the captcha if you go the manual way and create everything yourself, you could use cookies to "remember" visits. See How do you get and set cookies in Zope and Plone?
It's obvious that your system is subject to manipulation in the form of mass registrations in every way without further measures like a captcha or additional email validation after submission of the registration form. But this is independent of flow control, DDOS etc.

Controlling which comments are shown based on role in Drupal

This is a strange one and not ideal, but basically we have a Drupal site that has been using the core comments module to allow authenticated users to post and view comments for a node. We are now needing to extend this so that unauthenticated users can also post comments, but not view them. Authenticated users would only have access to view comments by other authenticated users. Only admin users would have access to view all comments.
Is there a way of doing this? The permissions do not seem to permit this flexibility (access comments is required to give a user the form, but shows all approved comments).
I've looked into using some Drupal hooks, but as far as I could see there is only the hook_comment function that occurs after the comments have been retrieved (perhaps there is a good way of making use of this, but my mind has gone blank).
Any suggestions? I appreciate hiding comments from certain users but allowing them to post them is probably not best practice; however, I need to work with what we've already got.
I can think of a way to solve this problem, but it's not the prettiest solution.
Create a custom module with your own permissions.
Overwrite the standard theme function that's used to render the comments. You should have the comment object available, so it should be fairly easy to see if the comment is from the anonymous user or a registered user, and you can check which comments the user should be able to see.
Now there's a few problems in this, as comments can be threaded, so in theory, it is possible that a comment in a thread will be missing causing confusion and possible other bugs.
But like I said, this is a quick and dirty fix, with what you got.
Can't you use the comment moderation queue to achieve exactly this? Check your settings for the comment module (at admin/content/comment).
You can set in your theme template.php whether you want anonymous users to view comments simply by doing a check on whether a user is logged in, and not showing the comment if they're not.
eg:
  function mytheme_preprocess_comment(&$vars, $hook) {
    global $user;
    // Anonymous users have uid 0. Drop the rendered comment body so the
    // template has nothing to print. Note that unset($vars) on a
    // by-reference parameter only discards the local reference and leaves
    // the caller's array untouched, so the key itself must be removed.
    if (!$user->uid) {
      unset($vars['content']);
    }
  }
Then in your comment.tpl.php, at the top:
  <?php if (isset($content)): ?>
  <?php endif; // wrap the rest of the template between these two lines ?>
To check whether the comment has been unset, so that you don't render a whole lot of empty divs.
There's undoubtedly better ways to do this which involve using a hook to avoid loading up the comments at all for anon users, but this code will do the job without much work.

Drupal User Permissions, Only Allow Specific Users to Edit Specific Pages

I know I can set up a role to allow users to only edit their own pages, then go mark the appropriate pages to be authored by the appropriate user. But then I run into multiple users per page problems.
Is there any way that you can explicitly only allow a user to edit certain (perhaps multiple) pages, while accounting for overlap in the case that more than one user may be allowed to edit the same page?
Thank you
This would be fairly complex to do programmatically, but a fairly easy solution is to create a vocabulary to apply to the pages and then use the taxonomy access control module: http://drupal.org/project/taxonomy_access to set the permissions based on terms.
I answered a similar question a few months ago, with an overview of implementing a few different access scenarios:
How do I give a specific user editing rights to a specific node?
If you just need a module that set the access permissions of a user to a node of a specific content type, then use http://drupal.org/project/content_access; if the content type is a book, then you can also try http://drupal.org/project/book_access.
Remember that installing different modules for access control should be avoided, as they tend to conflict with each other.
If you have patience, then you can create your own custom module, and implement hook_node_access_records() and hook_node_grants() as suggested by Jeremy.
try http://drupal.org/project/coherent_access
or http://drupal.org/project/content_access
this ish is crazy!#!!!#!#!
This is also possible to do programmatically using hook_node_access_records() and hook_node_grants().
With hook_node_access_records() create a realm with the UIDs of the users you wish to allow, and in hook_node_grants() create a grant with the user's uid in the same realm. It is not that scary and very flexible.