i am working on a online forum like where anybody whether registered or un-registered user can comment on a particular topic/article etc...
so, when the user (registered/un-registered) leave their comments we have a process for approving by admin which is behind the scene....
so my question is, when the user leave their comments then i want to hold on to their comments till their comments approved by admin or till the session is alive
the same user can leave one comment or many comments to a topic/article...
on the same page i will have different comments leave by other users which are approved by admin...
i would like to know what is the best way to handle?
example:
[some topic here.........................
...................................................]
*comments:*
abc ............................... [pendign approval] //this data will be coming from session
xxxxxxxxxxxxxx......................[approved] //all the approved coming from db
aaaaaaaaaaaaaaaaaa..................[approved]
............
..................
.................
I don't think you should depend session for this. You should probably store the comment status with a different status in the table.
Ex : When a comment is newly posted ,save it to the database with status as 0 / "Pending"
Wen Admin approves, change it to 1/"Approved"
If admin rejects , change it to -1/ "rejected" / delete the record if you dont want to store it any more
When the page loads (for all users/public), get the records filtered by status
SELECT ID,COMMENT FROM COMMENTS WHERE STATUS=1 AND POST_ID=#postId
When the page loads (for all a user who posted the comment), get the records filtered by status ( include pending also now)
SELECT ID,COMMENT FROM COMMENTS WHERE
((STATUS IN =1)
OR (STATUS =0 AND CREATED_BY=#currentUserId))
AND POST_ID=#postId
You will need to allocate anonymous users an account automatically (similar to the registered users ones). When a user registers you can upgrade their account. In this way the same process can be used to display comments from both.
Related
I have am looking at the way to prevent multiple users opening same post and editing at the same time. For example I open it in one tab and start editing, when someone else wants to open in another tab it shouldnt be possible to edit it.Only one person at the time.
With Wordpress, 2 users cannot edit the same post at the same time. Does anyone know WordPress how does it ? I don't know myself.
I am looking for the solution , thats why i dont know what to try exactly.
If you want to know whether a post (page, product, any custom post type) is currently being edited, use wp_check_post_lock( $post_id ). If a user is currently editing the post, it returns the user's ID. Otherwise it returns false, and you can proceed to edit it.
If you want to mark a post as being edited, use wp_set_post_lock( $post_id ). Calling this will silently override any existing lock, so check first. You should call this function every two minutes, or more often, while editing is in progress, because locks expire after 150 seconds.
This is all implemented via a wp_postmeta entry with meta_key '_edit_lock' and meta_value 'timestamp:userid'. The timestamp is the time the lock was set. For example, '1667470754:123' means userid 123 locked the post at time Thu Nov 03 2022 10:19:14Z. But avoid hitting the wp_postmeta table directly for this. The value may be cached.
You can use the check_post_lock_window filter to alter the lock expiration time if need be.
The _admin_notice_post_locked() function puts up a notice about a post being locked. But this function is designed for use within WordPress core admin pages, so it may not work for you.
I have an app where I want visitors to be able to write down some text.
They are the only ones that are allowed to see their own entries.
In order to allow people to create an entry I have set the security of the content type: crud is permitted for those who have viewing rights.
In the query designer I have basically just the list of the content type. So, of course any visitor that can see the page, sees all entries.
How can I limit the results so the visitor only sees her/his own entries? If I add the ownerfilter in the query designer, the results come up empty.
So basically what you should do is give these permissions on the type:
Registered users (or those who may add) should have c permission (create). They must be logged in - so don't use "everybody" - otherwise you won't know who added it.
Owners (those who created the record) should have edit permission (I wouldn't give them delete)
In the visual query, you should then use the owner-permissions. As a host-user you can only test it, if you also made some records.
OK? otherwise just add more infos.
Or just add a field that stores the username. When you show the entries, only show the ones where the current username matches the username field :)
In an MVC application I have a two pages process. On the first page we gather information that will allow us to identify which database record to update. On the second page we gather new values used to update this record. In order for this to work, we need a way to persists information between the two pages, including some record id.
I though of two way to do this and both have some problem.
Store the information in the Session object.
This works as long as the user does not open a second browser window or tab. If he does there is a risk that he'll apply the modifications to the wrong record. Suppose he opens tab 1 and complete the first step. Record id 1 is stored in the Session object. The user then open tab 2 and complete the first step. Record id 2 is then stored in the Session object overwriting record id 1. The user then come back to the first tab and complete the second step thinking he is editing record 1, but in fact he will be editing record 2.
Store the information in an hidden field on the page.
This would solve the problem solution 1 has, but it would be trivial for a ill-intentioned user to change the record id to overwrite any record.
While typing this question I just though of a third solution. That is an hybrid of theses two, but I'm not sure it's completely safe. We could store a random id in an hidden field on the page and use this to prefix the key we use to access data in the session object. I think this would work. Could this be exploited as solution 2 could?
Any other good way to securely store data "per tab" instead of "per session"?
Considering way 2 you may check security server side. If a user does not have modification rights on a specific record then server must not save it. Otherwise he/she is modifying a record that has modifications rights on it and does not matter if he/she is doing it by standard UI or hacking under it.
I think you are mixing up two things - authorization and passing data.
If user is authorized to do stuff with "another record", it's not important if he "tempers the hidden", because he is authorized to change another record as well. Nobody is going to do that intentionally. Means - you just need to check if user is authorized to do stuff in every post from the user i.e. in each controller method (and this is normal practice to always validate all user input server-side).
I would suggest you go with "hidden field".
If you want to separate info in different tabs you should use sessionStorage that differs for each open browser tab.
You can set it like this:
sessionStorage.setItem("perTabValue", "true");
Then you can get your value:
var x = sessionStorage.getItem("perTabValue");
if(x === "yourValue"){
//do anithing you want
}
I am building a website users have to pay for different functions. For example the user have payed for "packet 1" for the current month and it includes "short messages". How can I check, if a user is allowed to send sms? Updating the user/role relations every night or is there anything more dynamic?
You could add custom voter, where you can check if a user is allowed to use certain service. See example here:
http://symfony.com/doc/current/cookbook/security/voters.html
You can create a table in a database which has a foreign key to a table of which contains different packages, a foreign key to your user table and finally a column which indicates the expire date of the package.
If the package is not found for that user and for that expire date then the user is not allowed to send sms.
You can use some other storage procedures but using a database makes most sense.
Basically: You don't want to update anything, you simply want to store certain information like the expire date (and maybe the starting date if you want to change the expire duration) and compare to that selected value.
Wondering if anyone knows how to create a view that only shows the activity of groups, where the current logged in user, is either the owner OR a member.
thanks :)
You can in views add an argument, and select the logged in user. You can use that to query whatever groups you are talking about.