Controlling which comments are shown based on role in Drupal - drupal

This is a strange one and not ideal, but basically we have a Drupal site that has been using the core comments module to allow authenticated users to post and view comments for a node. We are now needing to extend this so that unauthenticated users can also post comments, but not view them. Authenticated users would only have access to view comments by other authenticated users. Only admin users would have access to view all comments.
Is there a way of doing this? The permissions do not seem to permit this flexibility (access comments is required to give a user the form, but shows all approved comments).
I've looked into using some Drupal hooks, but as far as I could see there is only the hook_comment function that occurs after the comments have been retrieved (perhaps there is a good way of making use of this, but my mind has gone blank).
Any suggestions? I appreciate hiding comments from certain users but allowing them to post them is probably not best practice; however, I need to work with what we've already got.

I can think of a way to solve this problem, but it's not the prettiest solution.
Create a custom module with your own permissions.
Overwrite the standard theme function that's used to render the comments. You should have the comment object available, so it should be fairly easy to see if the comment is from the anonymous user or a registered user, and you can check which comments the user should be able to see.
Now there are a few problems with this, as comments can be threaded, so in theory it is possible that a comment in a thread will be missing, causing confusion and possibly other bugs.
But like I said, this is a quick and dirty fix with what you've got.

Can't you use the comment moderation queue to achieve exactly this? Check your settings for the comment module (at admin/content/comment).
You can decide in your theme's template.php whether you want anonymous users to view comments, simply by checking whether the user is logged in and not showing the comment if they're not.
e.g.:
function mytheme_preprocess_comment(&$vars, $hook) {
  global $user;
  // Anonymous users (uid 0) get the comment body removed. Note that
  // unset($vars) would only drop the local reference and leave the caller's
  // array untouched, so the template would still receive $content.
  if (!$user->uid) {
    unset($vars['content']);
  }
}
Then in your comment.tpl.php, at the top:
<?php if (isset($content)): ?>
  <?php // existing comment markup goes here ?>
<?php endif; ?>
To check whether the comment has been unset, so that you don't render a whole lot of empty divs.
There are undoubtedly better ways to do this which involve using a hook to avoid loading the comments at all for anonymous users, but this code will do the job without much work.
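Pulling the two answers above together (the custom module with its own permission, and the per-user hiding done at render time), the following is an added example and not code from either answer or from Drupal itself. It assumes Drupal 7, the core comment module, a module name of rolecomments (hypothetical), and that the role allowed to see everything is granted the new permission on the permissions page. It enforces the three tiers from the question: anonymous visitors can post but see nothing, authenticated users see only comments by other authenticated users, and holders of the new permission see all of them.

```php
<?php
/**
 * @file
 * rolecomments.module (assumed name): role-based visibility of comments.
 *
 * Added illustration for Drupal 7, not code from the original answers.
 * Relies on hook_comment_view_alter() and on drupal_render() honouring
 * the #access key of a render element.
 */

/**
 * Implements hook_permission().
 *
 * Only roles holding this permission (e.g. the administrator role) see
 * comments posted by anonymous users. Everyone who should see or post
 * comments still needs the core "access comments" / "post comments"
 * permissions; this permission is purely an additional gate.
 */
function rolecomments_permission() {
  return array(
    'view anonymous comments' => array(
      'title' => t('View comments posted by anonymous users'),
      // Flag it as sensitive so the permissions page warns about it.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_comment_view_alter().
 *
 * Runs once per comment as it is built for display. If the current user is
 * not allowed to see it, #access is set to FALSE and drupal_render() emits
 * nothing for this element, so no empty wrapper markup is produced.
 */
function rolecomments_comment_view_alter(&$build) {
  global $user;
  $comment = $build['#comment'];
  if (!rolecomments_user_can_view($user, $comment)) {
    $build['#access'] = FALSE;
  }
}

/**
 * The visibility policy, kept in one function so it can be tested on its own.
 *
 * @param object $account
 *   A user account object (at least ->uid must be set).
 * @param object $comment
 *   A loaded comment object (->uid is the author's user id, 0 = anonymous).
 *
 * @return bool
 *   TRUE if $account may see $comment.
 */
function rolecomments_user_can_view($account, $comment) {
  // Anonymous visitors may post, but never read.
  if (empty($account->uid)) {
    return FALSE;
  }
  // Comments by anonymous authors are only visible with the extra permission.
  if ((int) $comment->uid === 0) {
    return user_access('view anonymous comments', $account);
  }
  // Everything else is visible to any authenticated user.
  return TRUE;
}
```

Two caveats for anyone deploying this. First, it is display-layer filtering only: the hidden comments are still loaded, the node's comment count still includes them, and any other listing (RSS feeds, Views, the admin comment overview) must be checked separately; hard enforcement means altering the query that lists comments so the rows are never fetched, or keeping anonymous comments in the moderation queue as the other answer suggests. Second, as the first answer warns, replies threaded under a hidden parent will appear without context; if that matters, hide the whole subtree or flatten the thread for affected users.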

Related

Is a user writing to another user's doc a security concern?

I'm writing a simple Facebook-like social app that needs to support posts, comments, and likes. Most of the Firestore designs I see keep comments as separate documents. As an experiment, I coded the comments and likes as fields of the post document. It seemed to work really well, but now I'm wondering whether a user updating another user's doc is a security issue? I read up on security rules, but don't understand the nuances. E.g., could I create a security rule that only allows users to create and modify their own comments in another user's post doc?
The benefit I see is that pulling down a single post pulls down all the comments and likes, but I suspect I'm missing something because I don't see this approach used in sample docs.
I'm wondering about whether a user updating another user's doc is a security issue?
If you don't want that to happen at all, then yes, it is a security concern.
could I create a security rule that only allows users to create and modify their own comments in another user's post doc?
Yes, it's possible.
I suggest reviewing the documentation on security rules to better learn how they work, especially the part about per user rules. If you have rules that aren't working the way you expect, please post a new question along with the rules and client code and explain what's happening.

Implement adding content only by some people. Rails

I am working on a dictionary-like web page and I want to implement adding/changing phrases only by a few people (my client, which is a small organisation, wants to be able to do this himself). The page does not have any login/registration mechanism etc. (for regular users at least), so I do not want it to have any login button. I wondered about making an admin model (a few admins created in seeds, for example) and adding a login button that is invisible; I thought of using CSS opacity for this one. Is this a good solution? Is there any other good practice in these situations? Please don't be afraid to post suggestions. Additionally this is a serious page (my first job as a freelancer), so I wonder if my solution is... acceptable? Thanks in advance for any answers!
This is quite a standard thing on the web. Most websites consist of two parts, a customer-facing part (sometimes called the frontend) and an admin panel (called the backend). In your case you don't need any login to access the frontend part, but you need one for the backend part.
Creating a hidden button is not needed at all. There should simply be no button at all. If you want to log in as an admin, you simply navigate to http://my-website-url.com/admin.
I wouldn't bother with roles etc. unless your client specified clearly that he needs them.
Even though this is simple I would still suggest adding a role to a user model. After all he may want to have some user functionality later on. The simplest way to do this would be to use devise and add a role enum column.
Check out the article below and look under the "Enum" section.
http://railsapps.github.io/rails-authorization.html

I have a Plone site where Anonymous can use invokeFactory (in a specific folder). I'm afraid of DDoS attacks. What can I do?

I have a Plone Site where anonymous users create a "Subscription" object for a conference.
Fact is: a malicious user can call this screen a lot of times and crash my site. I can use a captcha to avoid it, but I would like to use it only after "x" attempts of the same user, something like the SO approach when a user tries to post a lot. Is there a module that does this for me? Show a recaptcha after a user tries the same url too many times?
For a start, content is not the solution to everything. In your case having a custom content type for handling subscriptions seems like overkill. Always ask yourself if what you are doing is really content-ish. Does it need to be contained, navigable, searchable, or whatever else content can be? For a conference subscription, definitely not.
In brief you could:
Create a form and save its data in lighter objects than full content or use sql.
Use Products.PloneFormGen, which also has captcha support.
Concerning the captcha if you go the manual way and create everything yourself, you could use cookies to "remember" visits. See How do you get and set cookies in Zope and Plone?
It's obvious that your system is subject to manipulation in the form of mass registrations in every way without further measures like a captcha or additional email validation after submission of the registration form. But this is independent of flow control, DDoS etc.

Deleting a post in Drupal forum messes up the numbering

I am subscribed to a Drupal 5 site with the Advanced Forum module. When a user decides to delete her post, the post disappears and the following posts are moved up.
So if #2 is deleted the existing #3 will become #2 and so forth. The problem with this is if people reference previous posts which are now incorrectly numbered. Consequently it can lead to much confusion or even make people angry because they feel a comment is not appropriate - which it isn't after all!
What we would like is that the deleted post is simply removed without renumbering the rest. There is no option for this in the settings, so I will most likely have to mod the files.
Do you know if there already exists a patch to accomplish this, or can you alternatively point to where I need to modify the code?
I am an experienced PHP developer, but Drupal is new to me.
A possible workaround would be to set the status field in the comment table to 0 instead of deleting the comment. That way it would not appear in the comment list and the other cids would not be changed. You could do this in a custom module with a hook, but I am not sure what hook calls comment_delete; normally you would override hook_nodeapi, but comments, if I remember correctly, may be handled differently than nodes.
Look in the comment module under /modules and check from what hook comment_delete is called, and override that in a custom module; that way you would not have to hack any core code.
Good luck

Commenting systems: loading different comment threads through callbacks

I'm looking for a commenting system with a specific feature, and I wondered if anyone could advise.
I want to be able to load different comment threads without reloading the entire page, via JavaScript callbacks. That means I need a commenting system that allows multiple comment threads to be associated with the same URL, with threads defined by custom IDs.
I've just found out this isn't possible with Disqus. Although Disqus does allow you to associate a unique ID of your choice with a thread, it also requires a unique URL for each comment thread.
Does anyone know a system that does offer the ability to associate multiple comment threads with the same URL, via unique IDs?
Not sure if it's possible with either IntenseDebate or Wordpress - or maybe I need to write a custom Wordpress plugin (the page itself will actually be within a Wordpress install).
You should have no problems creating your own custom comment page by 'hacking' comments.php.
By using jQuery and jQuery.load you can call a PHP page where you have code to retrieve custom comments.
But messing about with comments.php is not that easy. Therefore this page might help you get an insight into comments.php.
This answer doesn't solve your problem, but hopefully it'll give you some ideas.