Multi-author blog


jacmaes

I've been asked to consider the viability of the following project: a sort of collaborative blog where any Spanish expat could register and post small articles, videos and photos about their experiences as Spaniards living in the U.S. The trick here is that users should only have the options to view and edit their own posts, and should not have access to the posts of anyone else. I'm guessing then that the traditional user roles and permissions (user, editor, administrator...) do not apply here.

It must be the summer heat, but I can't think how to achieve this with ProcessWire. Any thoughts? As usual with PW, it must be easier than I think.


I guess the first step here is to create a page in the tree for each user (when a user is created/registered) with the same name as the user id, so it can be unambiguously associated with this user. Then add a verification that the user can access pages only under this personal page, i.e. view/edit/add only that page's children. Also, you want to narrow the range of allowed templates for these child pages.

The second step is to give access to some interface to edit personal pages. I'm honestly not sure which option you need here. You can use PW's back-end for it, but then your users will see the whole site tree unless you write a module that modifies the default output. As an alternative, you can build a custom front-end interface for this task, but it will require some work.

I'm sure there's also a security concern here as you intend to let your users upload files and use a WYSIWYG editor. Maybe someone more knowledgeable can elaborate on this ;)


Thanks, slkwrm. It seems, then, that much of the work has to be done through the API, and that the use of the standard backend for regular users is pretty much out of question.

"I'm sure there's also a security concern here as you intend to let your users upload files and use a WYSIWYG editor. Maybe someone more knowledgeable can elaborate on this ;)"

I'm not too worried about that, since an administrator would review all posts before they are actually published on the site.


ProcessWire's admin is designed for trusted users. I would avoid a setup that allows any user on the internet to register and then gain access to your admin. I'm not aware of any CMS that I would consider for this type of permission escalation for untrusted users (though possibly Drupal). Instead, I would take a framework approach, whether with ProcessWire or another framework. When users are untrusted, you really want to jail them, limit everything, and lock it down. Kind of the opposite of what you want to do for trusted users. If they are going to be uploading files to the system, you want to limit the size and quantity, so one user can't go fill up the hard drive or launch DDoS attacks by uploading massive files and getting them stuck in GD resizes. Anything uploaded should be stuck in a non-web-accessible quarantine area that is only delivered to the authenticated user via a passthru script with a forced mime type. You kind of have to expect the worst when you open up any kind of editing or upload tool to untrusted users. But this is relatively easy to do when you are using a framework (like ProcessWire) and coding for a specific purpose with clear limits.

  • Like 1
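
The size and quantity limits, the quarantine area and the passthrough delivery with a forced MIME type described in the post above, as an added example that is not part of the original thread and is not ProcessWire code. It is plain PHP; the function names, the limits, the per-user directory layout and the choice of `application/octet-stream` are assumptions.

```php
<?php
// Added example: plain PHP, not ProcessWire's API. Names and limits are assumptions.
const MAX_BYTES = 2 * 1024 * 1024; // per-file size cap
const MAX_FILES_PER_USER = 20;     // per-user quantity cap

// Move an upload into a per-user directory that lives outside the web root.
function quarantine_store(string $root, int $userId, string $tmpPath): string
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('rejected: size limit');
    }
    $userDir = $root . '/' . $userId;
    if (!is_dir($userDir) && !mkdir($userDir, 0700, true)) {
        throw new RuntimeException('cannot create quarantine directory');
    }
    if (count(glob($userDir . '/*') ?: []) >= MAX_FILES_PER_USER) {
        throw new RuntimeException('rejected: quota reached');
    }
    // Server-chosen random name; the client's filename and extension are never used.
    $id = bin2hex(random_bytes(16));
    // A real upload handler would call move_uploaded_file(); rename() keeps this CLI-runnable.
    if (!rename($tmpPath, $userDir . '/' . $id)) {
        throw new RuntimeException('cannot store file');
    }
    return $id;
}

// Resolve a file inside the authenticated user's own directory and build forced headers.
function quarantine_open(string $root, int $authUserId, string $id): array
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) { // blocks path traversal via the id
        throw new InvalidArgumentException('bad file id');
    }
    $path = $root . '/' . $authUserId . '/' . $id;
    if (!is_file($path)) {
        throw new RuntimeException('not found');
    }
    return ['path' => $path, 'headers' => [
        'Content-Type: application/octet-stream', // forced, never taken from the upload
        'Content-Disposition: attachment; filename="upload.bin"',
        'X-Content-Type-Options: nosniff',
    ]];
}

// Passthrough script: $f = quarantine_open($root, $sessionUserId, $_GET['id']);
// foreach ($f['headers'] as $h) { header($h); } readfile($f['path']);
```

Because the lookup path is built from the session's user id rather than from anything in the request, one user cannot request another user's file even with a valid file id.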