How to deny user to use certain droplets

pcwacht

Remember, this patch is only for the wysiwyg module, not for news etc

Those need to be patched as well!
http://www.ictwacht.nl = Dutch ICT info
http://www.pcwacht.nl = My first
both still work in progress, since years.....

crnogorac081

I'm glad you recognized this as a useful feature :) and thanks for the code!

cheers
Ivan
Web developer

DarkViper

#9
second patch to prevent manual keying of 'forbidden' droplets.

search for this code in modules/wysiwyg/save.php
<?php
// Update the mod_wysiwygs table with the contents
if(isset($_POST['content'.$section_id])) {
    $content = $admin->add_slashes($_POST['content'.$section_id]);
    // searching in $text will be much easier this way
    $text = umlauts_to_entities(strip_tags($content), strtoupper(DEFAULT_CHARSET), 0);
    $query = "UPDATE ".TABLE_PREFIX."mod_wysiwyg SET content = '$content', text = '$text' WHERE section_id = '$section_id'";
    $database->query($query);
}
?>


and replace it with following code
<?php
// Include the WB functions file
require_once(WB_PATH.'/framework/functions.php');

// Update the mod_wysiwygs table with the contents
if(isset($_POST['content'.$section_id])) {
    $content = $_POST['content'.$section_id];
    $denyDroplets = array();
    // Members of group 1 (admin) are not filtered; for everyone else the
    // forbidden droplets are the active ones flagged `admin_view`=1
    if( !$admin->ami_group_member('1') ) {
        $sql  = 'SELECT `name` FROM `'.TABLE_PREFIX.'mod_droplets` ';
        $sql .= 'WHERE `active`=1 AND `admin_view`=1';
        if( ($droplets = $database->query($sql)) ) {
            while( $droplet = $droplets->fetchRow()){  //  <<<< typo fixed
                // escape regex metacharacters in the droplet name
                $denyDroplets[] = preg_quote($droplet['name'], '/');
            }
        }
    }
    if(sizeof($denyDroplets) > 0){
        $denyDroplets = implode('|',$denyDroplets);
        // strip every [[name...]] call to a forbidden droplet
        $pattern = '/\[\[('.$denyDroplets.').*?\]\]/i';
        $content = preg_replace($pattern, '', $content);
    }
    $content = $admin->add_slashes($content);
    // searching in $text will be much easier this way
    $text = umlauts_to_entities(strip_tags($content), strtoupper(DEFAULT_CHARSET), 0);
    $query = "UPDATE ".TABLE_PREFIX."mod_wysiwyg SET content = '$content', text = '$text' WHERE section_id = '$section_id'";
    $database->query($query);
}
?>


How it works:
It's not possible to deny keying of droplets at the first moment in the editor.
A global output filter does not work, because it will also remove legally inserted 'forbidden' droplets from the template.
The solution is to remove 'forbidden' droplets before the content is saved in the database.

If you implement both patches, then normal 'click'-users can never select 'forbidden' droplets from the list inside the editor. If an experienced user knows the syntax of a droplet and keys it in manually, the droplet will be removed immediately on saving.

Please note: These patches are private, not official from the DEV team. After upgrading WB you must alter these two files again!

The idea behind these patches is really good. We will firmly insert it, in the same or in a modified way, in 2.9.
Der blaue Planet (http://www.youtube.com/watch?v=tmzDAz6ZvFQ) - it is not our property - we have only borrowed it from our descendants
"You have to take the men as they are... but you can not leave them like that !" :-P
The daily quick prayer: Oh Lord, throw brains down from heaven!
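
Added example (not part of the original posts and not WebsiteBaker code): a standalone version of the save-time filter from post #9 that also covers the allow-versus-deny question asked in post #4. It goes beyond the patch by matching droplet names exactly and by offering a fail-closed allow list. Assumptions: the function names are hypothetical, the [[name?param=value]] call form is assumed, and brackets are encoded as &#91; instead of the thread's <span>[</span>[ idea.

```php
<?php
// Added example; not WebsiteBaker code. All function names are hypothetical.
// Assumed droplet call syntax: [[name]] or [[name?param=value]].

// Escape each name for use in a regex; accepts 'gallery' or '[[gallery]]'.
function droplet_alternation(array $names)
{
    $quoted = array();
    foreach ($names as $name) {
        $quoted[] = preg_quote(trim($name, "[] \t"), '/');
    }
    return implode('|', $quoted);
}

// Allow list (fails closed): every "[[" that does not open a call to an
// allowed droplet is entity-encoded. The replacement contains no "[", so it
// cannot pair with a following bracket to form a new call.
function neutralise_unlisted_droplets($content, array $allowed)
{
    if (count($allowed) === 0) {
        return str_replace('[[', '&#91;&#91;', $content);
    }
    $call = '(?:' . droplet_alternation($allowed) . ')(?:\?[^\[\]]*)?\]\]';
    return preg_replace('/\[\[(?!' . $call . ')/i', '&#91;&#91;', $content);
}

// Deny list: only exact calls to a listed droplet are encoded, so a rule
// for loginBox leaves a different droplet named loginBoxHelp untouched.
function neutralise_denied_droplets($content, array $denied)
{
    if (count($denied) === 0) {
        return $content;
    }
    $call = '(?:' . droplet_alternation($denied) . ')(?:\?[^\[\]]*)?\]\]';
    return preg_replace('/\[\[(?=' . $call . ')/i', '&#91;&#91;', $content);
}

// Constructed sample input, using the droplet names from this thread.
$posted = 'Intro [[gallery?dir=2011]] text [[LoginBox]] more [[[systemDroplet1]] end';

echo neutralise_unlisted_droplets($posted, array('gallery', 'droplet1', 'droplet2')), "\n";
echo neutralise_denied_droplets($posted, array('[[loginBox]]', '[[systemDroplet1]]')), "\n";
```

Either function would be called on $_POST['content'.$section_id] in save.php before add_slashes(), the same spot the patch above uses.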

crnogorac081

Quote from: pcwacht on April 01, 2011, 07:46:00 PM
I would change the 'forbidden' droplet names to something less guessable
something like [[This_is_a_loginbox_wich_only_I_know_the_existence_off]]

Yeah, this could be a temporary solution.. I know that I would need to change a few lines of code in a core file, but still this could be very useful..
Web developer

pcwacht

If you don't want a user to type droplets (or certain droplets) in wysiwyg module you need to alter that module.

Place to be would be save.php

Things to consider
1 - check group user belongs to, or check userid
2 - if user (usergroup) is NOT allowed then filter forbidden droplets

Next to this stuff you might consider:
If you alter core files chances are you need to alter them again AFTER an update
Also you might need to alter other modules as well, news for example

Your code should be right after :    $content = $admin->add_slashes($_POST['content'.$section_id]);
or before the database query

I wouldn't go that way

I would change the 'forbidden' droplet names to something less guessable
something like [[This_is_a_loginbox_wich_only_I_know_the_existence_off]]

My cents for what it's worth
John

crnogorac081

#6
Hi,

thank you for your time and extensive code, but that is not the "patch" I am looking for. The code you typed only creates a dropdown box with droplets, but what I want to achieve is to deny a user to manually call some droplets, for example if he knows that droplet [[loginbox]] exists, I don't want him to type [[loginbox]] in wysiwyg editor or simple textarea or inputbox..or..anywhere where he can type text..

how can I achieve this ? maybe with preg_match or preg_replace , to put an allow or deny droplets array into preg function?


$text_content = $_POST['content'];
$droplets_allow = array('[[gallery]]','[[droplet]]','[[droplet2]]');
$droplets_deny = array('[[loginBox]]','[[systemDroplet1]]');

preg_replace($droplets_deny, ??? which code to put here to replace [[ WITH <span>[</span>[ ???? , $text_content);



cheers
Web developer

DarkViper

#5
replace this code from modules/fckeditor/fckeditor/editor/plugins/WBDroplets/fck_wbdroplets.php
<?php

// Get pages and put them into the pages list
$template->set_block('main_block', 'droplets_list_block', 'page_list');
$get_droplet = $database->query("SELECT * FROM ".TABLE_PREFIX."mod_droplets where active=1 ORDER BY name");
if($get_droplet->numRows() > 0) {
    // Loop through pages
    $list = "";
    while($droplet = $get_droplet->fetchRow()) {
        // method page_is_visible was introduced with WB 2.7
        $title = stripslashes($droplet['name']);
        $desc = stripslashes($droplet['description']);
        $comm = stripslashes($droplet['comments']);
        $template->set_var('TITLE', $title);
        $template->set_var('DESC', $desc);
        $list .= "<div id='".$title."' class='hidden'><b>".$title.": </b> ".$desc."<br>".$comm."</div>";
        $template->parse('page_list', 'droplets_list_block', true);
    }
} else {
    $template->set_var('TITLE', 'None found');
    $template->parse('page_list', 'droplets_list_block', false);
}
$template->set_var('LIST', $list);
$template->set_var("CHARSET", defined('DEFAULT_CHARSET') ? DEFAULT_CHARSET : 'utf-8' );

// Parse the template object

?>


with this
<?php

// Get pages and put them into the pages list
$template->set_block('main_block', 'droplets_list_block', 'page_list');
$sql  = 'SELECT `name`,`description`,`comments` ';
$sql .= 'FROM `'.TABLE_PREFIX.'mod_droplets` ';
$sql .= 'WHERE `active`=1'.(($admin->ami_group_member('1')) ? '' : ' AND `admin_view`=0').' ';
$sql .= 'ORDER BY `name`';
$list = "";
if( ($get_droplet = $database->query($sql)) ) {
    // Loop through the list
    while($droplet = $get_droplet->fetchRow()) {
        // method page_is_visible was introduced with WB 2.7
        $title = stripslashes($droplet['name']);
        $desc = stripslashes($droplet['description']);
        $comm = stripslashes($droplet['comments']);
        $template->set_var('TITLE', $title);
        $template->set_var('DESC', $desc);
        $list .= "<div id='".$title."' class='hidden'><b>".$title.": </b> ".$desc."<br>".$comm."</div>";
        $template->parse('page_list', 'droplets_list_block', true);
    }
}
if( $list == '') {
    $template->set_var('TITLE', 'None found');
    $template->parse('page_list', 'droplets_list_block', false);
}
$template->set_var('LIST', $list);
$template->set_var("CHARSET", defined('DEFAULT_CHARSET') ? DEFAULT_CHARSET : 'utf-8' );

// Parse the template object

?>


With this little modification you can define each droplet to be invisible in FCKE for users not in Group 1 (Admin).
The only thing you have to do is: Check 'Admin_View' in the 'edit-droplet-mask' in your backend for each NOT public visible droplet.

(it's tested in theory only...  hope it works in real too...  8-) )

Take care: This patch does not prevent manually keying a droplet. That will need the next patch.

crnogorac081

#4
Hi,

Sorry, maybe I didn't explain the point well, for example I don't want someone to type [[loginBox]] into the news or simple wysiwyg page..

My idea is to create a code, which I will place in save.php (or equivalent page where content is saved) in each module I want to protect (news, wysiwyg etc...).


[[ in <span>[</span>[ ------ this could do the trick..


What would be the best way, to use allow or deny list?


$text_content = $_POST['content'];
$droplets_allow = array('[[gallery]]','[[droplet]]','[[droplet2]]');
$droplets_deny = array('[[loginBox]]','[[systemDroplet1]]');

// for example: when droplet from deny array above appears, replace [[ with <span>[</span>[
preg_replace($droplets_deny, ??? which code to put here to replace [[ WITH <span>[</span>[ ???? , $text_content);


Or is there a simpler way ?

cheers,
Ivan
Web developer

Ruud

Not tested!!!

You could try to create a droplet that replaces the [[ with <span>[</span>[ for illegal droplets.
Those droplets will no longer be detected as droplets.
If you put that on top of your template it might get processed before the other droplets.
Dev4me - WebsiteBaker modules (https://dev4me.com/modules-snippets/) - WBhelp.org (https://wbhelp.org/)

pcwacht

There is nothing which interacts with users using droplets, the droplet is not used by the user, the droplet is placed by a developer.

You can however limit edit rights on droplets AND insert code inside a droplet to check the usergroup before it executes

If you mean the droplet dropdown in some wysiwyg editors you need to recode that bit.
For FCKEditor the path is : modules\fckeditor\fckeditor\editor\plugins\WBDroplets
Change the line:

$get_droplet = $database->query("SELECT * FROM ".TABLE_PREFIX."mod_droplets where active=1 ORDER BY name");

to

$get_droplet = $database->query("SELECT * FROM ".TABLE_PREFIX."mod_droplets where active=1 AND admin_view=0 ORDER BY name");

There exists an option admin edit only or admin view only, this way this would be used

Have fun,
John

crnogorac081

Hi,

is there a simple code to deny user or group to use certain droplets? For example I have these droplets installed:

[[systemDroplet1]]
[[loginBox]]
[[gallery]]
[[droplet1]]
[[droplet2]]

Now, I would not like that users use [[loginBox]] or [[systemDroplet1]] in news posts, comments, wysiwyg pages etc.. for example, but only [[gallery]], [[droplet1]] and [[droplet2]]

is there a simple code for this ?


// For example:
$text_content = $_POST['content'];
$droplets_allow = array('[[gallery]]','[[droplet]]','[[droplet2]]');

if ($group_id == 2) { // Only activate and use droplets from $droplet_allow array, and other print only as text, or replace [[loginBox]] with [loginBox] or whatever..
         
              ????????????????????????
              What would be the code for this ?

}



cheers,
Ivan
Web developer