I'm using TinyAuth CakePHP plugin to manage permissions on my website.
They also have a plugin to manage the ACL (access control list) using a database with CakePHP 3.7+, but the plugin isn't working with CakePHP 4.0.
I'm currently writing custom adapters to manage the authorizations with the database, as suggested here.
My main problem is: I don't know where I should write my new adapters.
Currently, they're in the TinyAuth vendor folder and I import them in app_local.php like this:
'TinyAuth' => [
    'multiRole' => true,
    'aclAdapter' => TinyAuth\Auth\AclAdapter\DbAclAdapter::class,
],
And this is working.
I didn't manage to make them work in my project folder, because I cannot import the class (???).
Is it a safe / good way to do it? Is it better for me to create my own plugin, or to write my PHP class elsewhere and import it? Is it safe to import files in CakePHP 4 app_local.php?
I'm really new to PSR-4 and CakePHP framework standards, so sorry if my question is dumb, but I really want to do things correctly...
Thank you in advance
You should never put stuff in the vendor folder, unless you're debugging, or you're facing some very, very weird edge case that absolutely cannot be solved in any other way, which however should be extremely rare. You'll lose your changes when the dependency is updated.
If you want to learn about PSR-4, there are endless resources for that; start for example at the official website: https://www.php-fig.org/psr/psr-4/
All that being said, a quick example for a default CakePHP 4.x application based on the official application template:
Filepath: src/TinyAuth/Auth/AclAdapter/DbAclAdapter.php
Namespace: App\TinyAuth\Auth\AclAdapter
Classname: DbAclAdapter
Usage: 'aclAdapter' => \App\TinyAuth\Auth\AclAdapter\DbAclAdapter::class,
Whether you use the fully qualified name when referencing your class (leading backslash required), or use statements to import the name, really doesn't matter from a technical point of view; it will work either way in any PHP file.
Whether you put your custom code directly in your app, or in a plugin or a regular library, really depends on how you plan to use it. If you want to reuse it, or make it public, then you'd probably want to put it in a plugin/library.
Related
I've successfully implemented django-ckeditor with Django REST Framework and React, but I'm pretty sure that the way I've done it is not secure.
I've created an art blog, where each art piece has a rich-text description. Here's a basic example of one of my models with a rich-text field:
from django.db import models
from ckeditor.fields import RichTextField
class Artist(models.Model):
    biography = RichTextField(blank=True, null=False)
    ...
So, if I saved his biography as "He was a nice guy!", then DRF serializes that as:
<p>He was a <em><strong>nice guy!</strong></em></p>
In my React app, I render it with:
<div dangerouslySetInnerHTML={{__html: artist.biography}} />
But, as the name implies, the React documentation says that this is generally risky.
This is a personal blog, so I'm not worried about other users injecting code into posts. However, I'm sure that someday I'll want to provide a rich-text editor for my users.
Is there a way to implement CKEditor with Django rest framework that doesn't require me to use dangerouslySetInnerHTML? If not, how can I safely implement a rich-text editor, and still use it with DRF?
UPDATE
I've been doing a bit more research, and I've discovered something from Mozilla called Bleach. They describe it this way:
Bleach is an allowed-list-based HTML sanitizing library that escapes or strips markup and attributes.
They go on to say:
Bleach is intended for sanitizing text from untrusted sources. If you find yourself jumping through hoops to allow your site administrators to do lots of things, you're probably outside the use cases. Either trust those users, or don't.
So, in this case, I don't think I need it. Perhaps I'll use it in future projects though.
That still doesn't help me avoid using dangerouslySetInnerHTML, but this is the most practical solution that I can think of.
Whenever I create a contact form in my Joomla! 3.3.6, some script appears in the page's HTML code that contains the word Joomla many times. I'd like to change those Joomla words and replace them with other words (i.e. Foo) for some security issue. I'd like to know whether or not I'm able to do so and how.
That script is:
<script>(function(){var strings={"JLIB_FORM_FIELD_INVALID":"\u0641\u06cc\u0644\u062f \u0646\u0627\u0645\u0639\u062a\u0628\u0631: "};if(typeof Joomla=='undefined'){Joomla={};Joomla.JText=strings;}
else{Joomla.JText.load(strings);}})();</script>
I have no idea whether a plugin or an extension creates it or not.
Thank you
Regards
This script seems to be translating some text required for the form to use in its JavaScript, e.g. validation messages. It does this using a JavaScript version of JText, which is part of core Joomla. There is some info on how that works here. Weirdly, there seems to be little information in the official Joomla documentation about it.
The main JText function it is calling appears here: media/system/js/core.js
I'm sure it would be possible to write a plug-in to remove this script before the page is rendered and then to translate any untranslated text with your own scripts. However, I'm not sure I see any security benefit in doing this so it seems a waste of time.
Ultimately, someone sniffing a site for what it is built in is far more likely to see if core files exist by going direct to places like media/system/js/core.js, rather than to scan the code for the word "Joomla" - which would trigger a lot of false-positives (any site which just mentions Joomla) and negatives (any page which doesn't have a form on it). It also does not reveal the version of Joomla, which is the info a hacker would more likely be after.
I think you have to search for the script (i.e. via Notepad++) in the whole directory. It must be a plugin for the contact form that has some inline script in it.
Also, do you use any special third-party plugin or so? That might be the source of it.
PS: I also had a similar experience. I don't know exactly how I got rid of those words, but like you, I wanted to do that to hide the fact that I'm using Joomla, for security.
It's actually Joomla that adds this, from the file: Joomlainstall/libraries/joomla/document/html/renderer/head.php
And loads it globally from:
Joomlainstall/libraries/cms/html/formbehavior.php
The developer adds that code by using the function JText, for example:
JText::_( 'COM_CONTACT_EMAIL_FORM' )
In my case it was the plugin ContactUs Form that added the JavaScript. If JText is not used, it is not loaded. If I disabled the plugin, the JavaScript was not loaded. If you have that plugin enabled, maybe try another contact form?
For security reasons it is bad programming by the developers of Joomla, for sure.
We are trying to implement in-page editing for our Cake app. We would like to use create.js for the frontend and createphp to handle the connection between create.js and CakePHP. I have been doing a lot of research on RDFa and I am generally baffled by how all this links together.
What I have:
Editable interface
Endpoints via actions in cakephp
What I need:
A way to convert the data sent by create.js to my database structure and a way to send data to create.js for rendering.
I have gotten to the point in createphp where you are supposed to create your own mapper. I don't know what the mapper should contain. It mentions that it has built-in mappers (Midgard\CreatePHP\Mapper ?) but I don't know how to load those either.
I have read the documentation but it doesn't give details on how to accomplish these tasks.
Thank you for your help on the following two questions.
1. How can I convert my data from create.js to cake and then back again for the views? (possible solution createPHP but doesn't have to be)
2. How do I create a mapper for createPHP or where could I find information to learn how to create a mapper for my instance?
Yeah, the documentation is unfortunately rather sparse. I will create an issue on createphp linking to this post, to give some hints how the documentation could be improved.
Let me try to explain how things work:
To convert the data from the REST call to your model, you indeed need an RdfMapper instance. See the setup section of the tutorial for how you bootstrap that. The bundle comes with mappers for Doctrine, which you can read for inspiration if you do not use Doctrine. I recommend extending AbstractRdfMapper in that case.
To render the RDFa, you need to configure which fields of your class should be which RDF type. You can either use the array mapper as in the tutorial, use the XML mapping, or write your own RdfDriver.
The whole process is working fine in the symfony2 CreateBundle.
I'm writing a small application in CakePHP 2.1, and I want to use Nick Baker's file upload plugin. I downloaded the cakephp2.0 branch (I know that isn't done yet), and placed it in my app's Plugin folder. I made some necessary modifications to it, but I'm curious what the right way is to replace those App::import function calls (at the start of the FileUploadComponent, FileUploadBehavior and FileUploadHelper classes) with the App::uses function.
It needs to import the FileUploadSettings class from Config/file_upload_settings.php and the Uploader class from Vendor/upload.php. It can be done with the require_once function, but I'm sure there is a CakePHP way to do it.
From what I've gathered:
use import() for external libraries
and uses() for framework files
For example:
App::import('Vendor', 'ExternalLibrary');
App::uses('Inflector', 'Cake.Utility');
According to the Cake manual, App::import() is comparable to the way require_once() works. From what I understand you would load classes using App::uses() and Vendor files using App::import().
The API documentation says the following on the subject:
All classes that were loaded in the past using App::import('Core', $class) will need to be loaded using App::uses() referring to the correct package. This change has provided large performance gains to the framework.
The method no longer looks for classes recursively; it strictly uses the values for the paths defined in App::build().
It will not be able to load App::import('Component', 'Component'); use App::uses('Component', 'Controller'); instead.
Using App::import('Lib', 'CoreClass'); to load core classes is no longer possible. Importing a non-existent file, supplying a wrong type or package name, or null values for $name and $file parameters will result in a false return value.
App::import('Core', 'CoreClass') is no longer supported, use App::uses() instead and let the class autoloading do the rest.
Loading Vendor files does not look recursively in the vendors folder, it will also not convert the file to underscored anymore as it did in the past.
The migration guide also has some things to say about App::uses() and is a good starting point in general to compare best practices for 2.0 with the older methods from 1.3 and lower.
This related question deals with loading Vendor files in Cake 2.0. I can't verify the claim by José Lorenzo that App::import() is a "silly wrapper" for require_once(), nor the statement that it's the preferred way of including files. The only reference I could find for the latter is in the Coding Standards for Cake contributors, viz. developers contributing to the Cake core, not applications built on the framework.
EDIT
Let's say you want to import the Twitter OAuth library, residing in Vendor/twitter, the main class file is twitteroauth.php in Vendor/twitter/twitteroauth/twitteroauth.php:
App::import('Vendor', 'twitteroauth', array('file' => 'twitter'.DS.'twitteroauth'.DS.'twitteroauth.php'));
I am trying to use the Configure class in CakePHP, but I'm not sure if I am using it correctly. I have read through the cook book and the API, but I can't seem to do what I want.
I have created a configuration file: app/config/config.php. I can directly edit this file and set variables in there and access them using Configure::read().
Is it possible to update the values of the configuration file from the application itself, i.e., from a controller? I have tried using Configure::write(), but this does not seem to change the value.
app/config/config.php isn't a file that's automatically loaded by Cake. Either move these variables into app/config/bootstrap.php or tell your bootstrap.php file to load your custom file. You could also put your variables in app/config/core.php, but I'd recommend against that. I tend to like leaving that file alone and adding/overwriting values in bootstrap.php.
According to the API, Configure is supposed to be used "for managing runtime configuration information".
You can use its methods to create, read, update and delete (CRUD) configuration variables at runtime. The Configure class is available everywhere in your CakePHP application, and therefore CRUD operations can be performed on its data anywhere, including in a controller.
If you are looking for persistent storage, you could consider a database (SQL or NoSQL). I would not recommend using a text file, as it raises a lot of security concerns. Even if security is not an issue, a database is probably a more fitting solution.
More on the Configure class in the Cookbook.