imandreas Posted October 26, 2023

I'm trying to set up a website where users can generate their own content. Frontend programming is working fine on PW, like a charm. For user registration I'm using the module "Login Register Pro", and for frontend editing right now "RockFrontend" with Alfred looks so good, all fields are perfectly accessible.

But there are remaining security issues that I can't solve: users might be accessing the PW backend and have the possibility to read the whole content.

- Trying the module "Admin Restrict Branch" will disable RockFrontend, because jQuery from the PW backend can't be loaded, and the "navbar-nav" menu in the backend is showing content anyway.
- The RockFrontend role granted the permission "page-edit-front" has jQuery problems in the frontend with an older jQuery version.
- Creating new content: I found only a solution with API programming, creating a form field and processing it in PHP in the template. Once this content is created, it can be edited with Alfred.

```html
<form action="/my-user-content-template/" method="post">
  <input type="text" name="title">
  <button type="submit" name="create-new-content">Create New Content</button>
</form>
```

But overall it is not as straightforward as everything else on ProcessWire. Are there any other approaches?

MarkE Posted October 26, 2023

3 hours ago, imandreas said:
> Users might be accessing the PW backend and have the possibility to read the whole content.

Generally this is addressed by appropriate setting of roles and permissions. Do you have a specific problem that cannot be dealt with that way?

imandreas Posted October 26, 2023

Yes, if I want to restrict the access only to the frontend, it is. In the backend it is quite tricky, since with user generated content all users create content with the same type of template, so the backend does not have the possibility right now to show only templates that are created (owned) by the logged-in user.

Right now I solved the issue like this:

- Installed the module "Admin Restrict Page Tree": this disables all content for users with a selected role in the backend. This is OK, because I show their content in the frontend with:

```php
My content:
<?php
// List only the pages created by the logged-in user, newest first
foreach(wire("pages")->find("created_users_id=$user->id, template=my-user-content-template, sort=-created") as $item) {
    echo "<br><a href='$item->url'> Detail view: $item->title</a>";
}
?>
```

- But as I see it, there is no possibility to restrict the list of content with roles and permissions, especially in the nav item of the backend with the content tree. So I made a hack in /wire, or better, let's say a "patch", when rendering the nav items (search also removed):

wire/modules/AdminTheme/AdminThemeUikit/_masthead.php

```php
<?php if($adminTheme->isLoggedIn): ?>
<ul class='uk-navbar-nav pw-primary-nav'>
    <?php
    //bd($user);
    // Render the primary nav items only for superusers
    foreach ($user->roles as $itmRole) {
        //bd($itmRole);
        if ($itmRole->name == "superuser") {
            echo $adminTheme->renderPrimaryNavItems();
        }
    }
    ?>
</ul>
<?php endif; ?>
....
<?php if($adminTheme->isLoggedIn): ?>
<ul class='uk-navbar-nav pw-primary-nav'>
    <?php
    // Include the search form only for superusers
    foreach ($user->roles as $itmRole) {
        if ($itmRole->name == "superuser") {
            $adminTheme->includeFile('_search-form.php');
        }
    }
    ?>
</ul>
<?php endif; ?>
```

imandreas Posted November 7, 2023

Hi @JoseFrasher, unfortunately not. As PW is so perfect and fast on all frontend issues, it is a bit tricky on the user generated content. So I still use the API as above to create the new content. Then I list the newly created page in the template called "my-pages":

```php
<?php foreach(wire("pages")->find("created_users_id=$user->id, template=user-generated-content-template") as $item): ?>
    ...
    <div class="btn btn_default" <?= alfred($item, "title,body,.....") ?>>
        <i class="fa-solid fa-pen-to-square"></i> Edit
    </div>
<?php endforeach; ?>
```

And one problem is still remaining: users can edit other templates of "user-generated-content-template" created by other users as well, if they know how to. Here I should add a hook somewhere on this template for edit, checking if the current user is equal to the user who created that page.
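
The ownership check described in the last post could be written as a ProcessWire hook like the one below; this is an added example, not code from the thread or from any of the modules mentioned. It assumes the hook lives in /site/ready.php and that the edit screens in use consult `$page->editable()`; the names `$ugcTemplate` and `$ownerOnly` are hypothetical.

```php
<?php namespace ProcessWire;
// /site/ready.php (assumed location for this added example)

// Template name as given in the post above.
$ugcTemplate = 'user-generated-content-template';

// Runs after ProcessWire's own role/permission check and can only
// tighten the result: a page using the user-content template stays
// editable/deletable only for its creator (superusers are exempt).
$ownerOnly = function(HookEvent $event) use ($ugcTemplate) {
    // Already denied by roles and permissions: nothing to do.
    if(!$event->return) return;

    $page = $event->object; // the Page being checked
    if(!$page->template || $page->template->name !== $ugcTemplate) return;

    $user = $event->wire('user');
    if($user->isSuperuser()) return;

    // created_users_id is the same property the listing selector filters on.
    if((int) $page->created_users_id !== (int) $user->id) {
        $event->return = false;
    }
};

// Apply the same owner check to editing and deleting.
$wire->addHookAfter('Page::editable', $ownerOnly);
$wire->addHookAfter('Page::deleteable', $ownerOnly);
```

In the listing template, wrapping the `alfred()` call in `if($item->editable())` keeps the edit button consistent with what the hook allows.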