Edit page without access to the admin

[underk]

Hi guys!

I'm making a website that will have many people with the permission to edit only one page.

I wonder if I need to give them the admin URL or not.

I tried the module "Fredi", it's pretty good but I can't use images in the WYSIWYG (which is required).

I think there's a limitation to images in the frontend, right?

And another question: how can I limit in the admin (and in the image selector in the WYSIWYG) the pages they see? I don't want them to see any other pages than the page they own.

If there's any tips to help secure the admin for this project, it would be nice to know them too!

As always, thank's for your time!

[ryan]

The admin is intended for administrators or site editors, so it's not a place to send general users to. It sounds like you might be having these users modify a profile page? This is stuff you can easily code using the PW API on the front-end, and that's the recommended way to do it. There are some examples here in the forum, but let me know if you can't find them and I can track down some examples. 

[underk]

Hi Ryan! Thank's for your answer!

Sadly it's not a profile page. In fact, a part of the website have a directory and everyone of a specific role have a page in it. These users will need to use a wysiwyg and add images in it(wich I think is not possible in the frontend?). So any idea what I can do?

Thank's again!

[ryan]

You could always install your own copy of CKEditor or TinyMCE (or Redactor might be worth a look) and install it according to the manufacturers instructions. When you get down to it, a rich text field is nothing more than a regular HTML textarea with some Javascript (from TinyMCE, etc.) being run on it. However, I think that non-administrative use of a rich text editor is asking for security issues. You are enabling the user to enter markup, and markup can be used to insert javascript, and it can sometimes be very difficult to identify. Well crafted javascript can be used to break into just about anything. At minimum, you'd want to run anything submitted through it with HTML Purifier before saving it. I think you may be better off using a restricted lightweight markup language like Textile Restricted, BBCode, or GitHub flavored Markdown (there's very good reasons why sites use these for front-end content input). But if you go the rich text route, just be certain to get HTML Purifier involved.

[underk]

Hi!

So I guess my best bet for now is to create an inputfield with tinymce and using an html purifier (I found your module for this), and when the site will get popularity I'll see if I can do anything else to make it more secure. The restricted markup language is an interesting way, when I'll have time I'll try to know more about implementing it correctly.

The people that will be using this wysiwyg will be known to us (verified identity and address, etc..), so I'm pretty sure they don't want any legal problems. What I'm afraid the most is things like CSFR and other security problems. But using the form api it's already quite secure, isn't it?

I'm not sure what to choose for the image uploader and I'm searching for a simple plugin that does it well. Finding one working with all IE versions is harder than I thought  .

Thank's for your input, it's appreciated!