BobRay / newspublisher

Revolution version of NewsPublisher snippet
https://bobsguides.com/newspublisher-tutorial.html

Wish to not to have to use NpEditThisButton #53

Closed (alipang closed this issue 1 year ago)

alipang commented 6 years ago

I've been playing with this lovely extra for a while. As I understand it, one must use NpEditThisButton to check permissions and store the result in a session. That means the page can never be cached. I use StatCache and a bit of JavaScript to create all my buttons based on cookie settings, but because of this chaining it doesn't work. Wouldn't it be possible to allow forged IDs and do all the checks in the NP snippet instead?

alipang commented 6 years ago

And suppose you want to build some sort of publishing flow; doesn't using a session let users still edit the resource even if the original assumptions have changed, since it is asynchronous? I'm planning a flow with the roles author - editor - publisher, where the legally responsible publisher puts a lock to editing once the text has been published.

BobRay commented 6 years ago

I tried to do it at the NP end when this issue first came up, but couldn't make it work. I can't remember why.

I think NP clears the session variable (I could be wrong). Either way, if you call the button snippet uncached, it should disappear for users who have lost their right to edit the page, and they'd have no way to edit it.

alipang commented 6 years ago

Ok, I think I will dive into it, but it would be stupid if there were special thoughts behind the design.

I'm probably spending way too much work trying to build a cheap c10k solution instead of focusing on content. I'll probably never have more than 100 visitors per day anyway.

BobRay commented 6 years ago

Been there, done that. ;) Constructing things is always more fun than filling in the content.

FYI, NP calls the MODX processors for all resources it saves. That means both 'OnBeforeDocFormSave' and 'OnDocFormSave' will fire -- the latter only if the resource is successfully saved to the DB.

In a plugin attached to one or both of those events you could check the published status in the DB and compare it to the published status of the $resource. If it's being published, you could perform any needed tasks.
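Putting the two comments above together (a lock that holds even after the session was populated, and a plugin on the save events that compares the stored published flag with the one being saved), here is an added example of such a MODX Revolution plugin. It is not NewsPublisher's code or BobRay's; the user group name 'Publishers', the placeholder key used to carry the old flag from the "before" event to the "after" event, and the error texts are my assumptions. It is meant to be attached to both OnBeforeDocFormSave and OnDocFormSave in the Manager.

```php
<?php
/**
 * Added example plugin (not part of NewsPublisher): lock a published
 * resource against non-publishers and log publish transitions.
 *
 * Assumptions (mine, not from the thread):
 *   - users allowed to publish and to edit published content are members of
 *     a MODX user group named 'Publishers';
 *   - the plugin is attached to OnBeforeDocFormSave and OnDocFormSave.
 *
 * Both events receive the resource being saved as $resource. On
 * OnBeforeDocFormSave its fields already hold the submitted values but nothing
 * has been written yet; on OnDocFormSave the DB already holds the new values.
 */

/** @var modX $modx */
/** @var modResource $resource */
/** @var int $id */

if (!isset($modx) || !isset($modx->event) || !($resource instanceof modResource)) {
    return;
}

$resourceId = (int) $resource->get('id');
if ($resourceId === 0 && isset($id)) {
    $resourceId = (int) $id;
}

// Assumed key under which the "before" event stores the flag found in the DB,
// so the "after" event can still see what the transition was.
$stashKey = 'publishflow.was_published.' . $resourceId;

$willBePublished = (bool) $resource->get('published');
$isPublisher = $modx->user instanceof modUser && $modx->user->isMember('Publishers'); // group name assumed

switch ($modx->event->name) {
    case 'OnBeforeDocFormSave':
        // Read the stored copy separately: $resource already carries the
        // submitted values, the DB row still carries the old ones.
        $stored = $resourceId > 0 ? $modx->getObject('modResource', $resourceId) : null;
        $wasPublished = $stored ? (bool) $stored->get('published') : false;
        $modx->setPlaceholder($stashKey, $wasPublished ? '1' : '0');

        // Editing lock: once published, only a publisher may save the resource
        // again, whatever the session said when the edit form was opened.
        if ($wasPublished && !$isPublisher) {
            $modx->event->output('This document is published and locked for editing.');
            return;
        }

        // Only a publisher may flip the flag in either direction.
        if ($wasPublished !== $willBePublished && !$isPublisher) {
            $modx->event->output('Only publishers may change the published status.');
            return;
        }
        break;

    case 'OnDocFormSave':
        // Fires only after a successful write, so the transition is real.
        $wasPublished = $modx->getPlaceholder($stashKey) === '1';
        if (!$wasPublished && $willBePublished) {
            $modx->log(modX::LOG_LEVEL_INFO,
                'Resource ' . $resourceId . ' published by user ' .
                ($modx->user instanceof modUser ? $modx->user->get('username') : 'unknown'));
        } elseif ($wasPublished && !$willBePublished) {
            $modx->log(modX::LOG_LEVEL_INFO, 'Resource ' . $resourceId . ' unpublished');
        }
        break;
}
```

Returning a message through `$modx->event->output()` in OnBeforeDocFormSave is what makes the resource processor refuse the save, so the check holds for NewsPublisher submissions as well as for Manager edits, and it does not depend on what NpEditThisButton put in the session earlier. The decision is made against the row as it is in the database at save time, which is the asynchronous case the second comment asks about.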

alipang commented 6 years ago

At the moment I just comment out

// NewsPublisher: reject a POSTed document id unless NpEditThisButton
// previously stored it (comma-separated) in the session for this user.
if (isset($_POST['np_doc_id'])) {
    if (! isset($_SESSION['np_doc_to_edit']) ||
        !in_array($_POST['np_doc_id'], explode(',', $_SESSION['np_doc_to_edit']))) {
            return ($modx->lexicon('np_unauthorized_document'));
    }
}

and it works for me. Then I can pile up all documents linked, and then let a jQuery function convert them into POST forms with exactly the same look as before. Before I go into production I'll have to simulate a forge and see if security actually was compromised.

My goal is to use MODX only for stuff that creates and updates. The rest shouldn't deal with PHP at all. I have come a long way serving user-specific data with cookies through nginx and Lua. I can run the Apache stress tester

ab -c 1000 -n 1000 https://fakenews.com/

with 100% success against a vps. c10k should be within reach.

Having a static cache and an inline CSS block, I have an inotify script watching the in-memory cache filesystem to perform expensive PurgeCSS on unnecessary Bootstrap selectors, and then pre-zip the result with best compression to ease the burden on nginx.

Just to tell what I'm doing. :-)