[PLUG] Multiple Administrators for a Web Site Feature

Richard C. Steffens rsteff at comcast.net
Tue Jan 6 18:17:54 UTC 2009


Carlos Konstanski wrote:
> A better approach is a webdav folder that allows world read access,
> but requires authentication for write access.  This gets the same job
> done with far less work from you.
>   
Tim wrote:
> Yeah, I recommend you look into using WebDAV.  

This is the first I've heard of WebDAV. I Googled it to see what it's 
about. It's the right idea, but way more complicated than is needed for 
this application. However, the basic concept sounds right.

> It shouldn't be too hard
> to configure with HTTP Basic auth for the write methods.  I suggest you
> alias a directory outside of your web root as the designated
> upload/WebDAV folder and make sure that PHP and CGIs are not permitted
> to execute in that folder.
>   

Good plan. I think I have that ability with SpiritOne.

> From there, users can edit the file by simply mounting a "web folder" or
> some such thing in Windows, or with other platforms' webdav clients.
> It should be pretty easy and cross platform.  What's more, it's probably
> easier to debug and support if you want to run it securely, such as over
> SSL.
>   

That's the part that's probably too complicated for some of my users.

> As for embedding the content in another page, an iframe or javascripty
> thing would probably work fine.  However, if you want to ensure that
> users can't supply HTML (and therefore script), you might want to make
> the parent page be a PHP one which reads the contents of the file,
> encodes it, and then displays it to prevent cross-site scripting.  

That makes sense.

> All
> depends on how much you trust your users.  

There are only three of them, and they are trustworthy, as regards 
intentional mischief. I believe only one of them has any web page coding 
experience, so the problem is more one of unintentional mischief.

> Whatever, you do, *do not*
> use a simple PHP include to pull the file in, as this would permit
> uploaded files to execute arbitrary code on the server.
>   

Good point.

> If you aren't experienced with PHP, ...

I worked with it several years ago, and still have the books.

> ...I strongly recommend you do not try
> and implement a file upload form.  If you find yourself having to
> support content editing by less savvy users on a regular basis, you
> might consider setting up a wiki app or something similar.

Since all I need is to have a simple notice, I'm thinking that I will 
create a form on a page for them to type in the text of the message and 
have my script save that message in a text file. I would then have the 
php on the home page test for the presence of that file and, based on it 
being there, include the <div>, with the message text, and its separate 
style sheet. The page I create for them to use to write the message can 
also have a button to erase the file. That page would not be referenced 
from the other pages on the web site, and would require a password to 
operate.

Thanks for the ideas.

-- 
Regards,

Dick Steffens
www.dicksteffens.com
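The plan in the last paragraph (a password-protected page that saves typed text to a file, an erase button, and a home page that shows the file's contents only if it exists, with its own style sheet) worked out in PHP as an added example. This is not code from the original message or from anyone in the thread. It assumes PHP 7.4 or later running as an Apache module (so the PHP_AUTH_* variables are populated), a single editor login named "editor", a stylesheet at /css/notice.css, and two files under an assumed directory /home/example/private/ that lies outside the web root, so the saved notice can never be fetched or executed directly. It follows Tim's two warnings: the text is HTML-encoded when displayed, and it is read with file_get_contents(), never include().

```php
<?php
// notice-edit.php -- unlinked, password-protected page where the three
// users type or erase the notice. Added example, not from the thread.
// Assumed: PHP as Apache module, PHP >= 7.4, paths below outside web root.
const NOTICE_FILE = '/home/example/private/notice.txt';   // assumed path
const HASH_FILE   = '/home/example/private/editor.hash';  // assumed path
const NOTICE_MAX  = 2000;                                 // assumed cap, bytes

// Create the hash once, outside the web root:
//   php -r 'echo password_hash("the password", PASSWORD_DEFAULT), PHP_EOL;' > editor.hash
function require_editor_login(string $hashFile): void
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    $hash = is_file($hashFile) ? trim((string) file_get_contents($hashFile)) : '';
    if ($user !== 'editor' || $hash === '' || !password_verify($pass, $hash)) {
        header('WWW-Authenticate: Basic realm="Notice editor"');
        http_response_code(401);
        exit('Authentication required.');
    }
}

function erase_notice(string $file): void
{
    if (is_file($file)) {
        unlink($file);
    }
}

// Save the message as plain text (never as a .php file); empty text erases it.
function save_notice(string $file, string $text, int $max): void
{
    $text = trim(str_replace("\r\n", "\n", $text));
    if ($text === '') {
        erase_notice($file);
        return;
    }
    file_put_contents($file, substr($text, 0, $max), LOCK_EX);
}

require_editor_login(HASH_FILE);
session_start();
// The browser resends Basic-auth credentials automatically, so a forged
// cross-site POST would otherwise be accepted: require a per-session token.
$_SESSION['token'] ??= bin2hex(random_bytes(16));

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals($_SESSION['token'], (string) ($_POST['token'] ?? ''))) {
        http_response_code(403);
        exit('Bad request token.');
    }
    if (isset($_POST['erase'])) {
        erase_notice(NOTICE_FILE);
    } else {
        save_notice(NOTICE_FILE, (string) ($_POST['message'] ?? ''), NOTICE_MAX);
    }
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303); // redirect after POST
    exit;
}

$current = is_file(NOTICE_FILE) ? (string) file_get_contents(NOTICE_FILE) : '';
$enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
<form method="post">
  <textarea name="message" rows="6" cols="60" maxlength="<?= NOTICE_MAX ?>"><?= $enc($current) ?></textarea><br>
  <input type="hidden" name="token" value="<?= $enc($_SESSION['token']) ?>">
  <button type="submit">Save notice</button>
  <button type="submit" name="erase" value="1">Erase notice</button>
</form>

<?php
// ---- index.php (the home page), relevant fragment ----
// Read the file as data and encode it. A plain include() here would let
// whatever the users typed run as PHP on the server.
function render_notice(string $file): string
{
    if (!is_file($file)) {
        return '';
    }
    $text = trim((string) file_get_contents($file));
    if ($text === '') {
        return '';
    }
    $safe = nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
    return '<div class="notice">' . $safe . '</div>';
}
$notice = render_notice('/home/example/private/notice.txt'); // assumed path
?>
<!-- inside <head>, only when there is a notice to style: -->
<?php if ($notice !== ''): ?><link rel="stylesheet" href="/css/notice.css"><?php endif; ?>
<!-- where the notice belongs in the body: -->
<?= $notice ?>
```

Two practical notes. Basic authentication sends the password with every request, so the editor page should be served over SSL only; not linking to the page keeps it out of the way, but the password, not obscurity, is what protects it. If the host runs PHP as CGI rather than as an Apache module, the PHP_AUTH_* variables are not set and a session-based login form would have to replace require_editor_login().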