cmsms: bringing the news frontend
I am working on a small intranet project for which I want to edit articles via the frontend.
The news module has plenty of features, so there is no need to write a new module. Since there is already a fe_submit action, we only need a way to list and edit articles.
Adding code
In the admin there is a tab that just does that and when we look in the code we see that there is a function admin_articlestab. When we open this file we see that it probably does just what we need.
First we copy this file and make it an action. I called it action.fe_articlestab.php .
We don't expect this to work; we need to rework a couple of things first.
Here is what I did:
- added if (!isset($gCms)) exit; as first line
- replaced CreateFormStart($id,'defaultadmin')) with CreateFrontendFormStart($id,$returnid,'fe_articlestab'))
- replaced links to defaultadmin with links to fe_articlestab
- replaced link to addarticle with link to fe_submit
- removed all permission checks; otherwise you must be logged in to the admin section
- removed pieces of code that use DisplayImage; we don't need them for now
Add parameters like this (the names will show up in the error messages)
$this->CreateParameter('parameter name','default value','help description');
$this->SetParameterType('parameter name',
[CLEAN_NONE|CLEAN_STRING|CLEAN_INT|CLEAN_FLOAT|CLEAN_FILE]);
To test it I made a page and called the action like this
{news action='fe_articlestab'}
Great, the articles tab of the admin page is now in the front end. When you click an article, the editarticle action is called, and since this is an admin action it has to be reworked too. Make a copy and name it action.fe_editarticle.php .
Again:
- remove permission checks
- edit the redirects to fe_articlestab
- edit the CreateFormStart occurrences
Add the required parameters to news.module.php . Edit fe_articlestab, change links to editarticle to fe_editarticle.
The content and summary parameters are already registered as type CLEAN_STRING.
If we want to insert pictures this won't work. To make it work add two lines to the submit part of the code:
...
else
{
// added to allow tags in fe like in fe_submit
$summary = cms_html_entity_decode($params['summary']);
$content = cms_html_entity_decode($params['content']);
// database work
//
$query = 'UPDATE '.cms_db_prefix().'module_news SET n...
This is how it is done in the fe_submit action.
Now we can build a bulletin board accessible to everyone. Only to be used in a trusted environment!
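Decoding the entities means that whatever markup a visitor submits is stored and later rendered as HTML, scripts and event handlers included. The following is an added example, not part of the original post or of CMSMS: an allowlist filter for the decoded summary and content that keeps basic formatting, links and images. The function names fe_url_ok and fe_filter_html and both allowlists are assumptions.

```php
<?php
// Added example, not CMSMS code: function names and both allowlists are assumptions.
function fe_url_ok($url)
{
    // Browsers ignore control characters and whitespace when reading the scheme.
    $u = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m)) {
        return true;                          // no scheme: relative URL such as uploads/images/a.png
    }
    return in_array(strtolower($m[1]), array('http', 'https'), true);
}

function fe_filter_html($html)
{
    $tags  = array('p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a', 'img');
    $attrs = array('a' => array('href', 'title'), 'img' => array('src', 'alt', 'width', 'height'));
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);         // submitted markup is rarely valid HTML
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }
    // script, style and comments are removed together with their content
    $xp = new DOMXPath($doc);
    foreach (iterator_to_array($xp->query('//script|//style|//comment()')) as $n) {
        $n->parentNode->removeChild($n);
    }
    foreach (iterator_to_array($body->getElementsByTagName('*')) as $el) {
        $name = strtolower($el->nodeName);
        if (!in_array($name, $tags, true)) {  // unknown element: keep children, drop the wrapper
            while ($el->firstChild) {
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        $allowed = isset($attrs[$name]) ? $attrs[$name] : array();
        foreach (iterator_to_array($el->attributes) as $a) {
            $isUrl = in_array($a->nodeName, array('href', 'src'), true);
            if (!in_array($a->nodeName, $allowed, true) || ($isUrl && !fe_url_ok($a->nodeValue))) {
                $el->removeAttribute($a->nodeName);
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
```

Apply it to the decoded values before the UPDATE query, for example `$content = fe_filter_html(cms_html_entity_decode($params['content']));`. A maintained sanitizer such as HTML Purifier covers more cases than this short allowlist.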
Other tweaks
If you want to allow image upload, check filepicker in TinyMCE settings.
In the TinyMCE module code edit filepicker.php : comment out
check_login(); $userid = get_userid();
otherwise you must be logged in to the admin section.
We can use the icons of the default admintheme to fill the status column like this:
$onerow->approve_link = '<img src="admin/themes/default/images/icons/system/false.gif" />';
Use true.gif for the published ones.
You can do something similar for the edit icon, link to fe_editarticle.
For the delete icon you could provide a fe_delete action but personally I'm happy with the check boxes.
The results of all this are not too bad for a brute force attack:
- we can create new articles in the front end
- we can create a list of articles and edit them
but
- we broke the news module (for the parameters and the lang file)
- we broke the TinyMCE module (for the file upload)
zipfile with fe_articlestab, fe_editarticle and parameterlist