Mediawiki - permissions so that anonymous can createpage, but only users can edit - mediawiki

The second part of this question is easy. This in LocalSettings.php:
    $wgGroupPermissions['*']['edit'] = false;
    $wgGroupPermissions['user']['edit'] = true;
dictates that only users can edit.
My issue is that for createpage permissions to be set the user or group has to also have edit permissions.
I want anonymous users to be able to make submissions (via Semantic Forms) but only users to be able to edit them.
Any help appreciated,
Carl.
http://www.mediawiki.org/wiki/Manual:User_rights

I'm not sure that's possible with the current permissions system in MediaWiki. By design, there's very little a user without the edit permission can do; that permission controls the right to modify the wiki content in any way. I guess you could file a feature request for a separate editexisting permission to specifically forbid only the editing of existing pages.
Actually, I suppose you could implement such a permission yourself with a userCan hook, something like this:
    function checkEditExisting( &$title, &$user, $action, &$result ) {
        // Only the 'edit' action is restricted by this hook
        if ( $action != 'edit' ) return true;
        // Editing a page that does not exist yet (i.e. creating it) stays allowed
        if ( !$title->exists() ) return true;
        if ( $user->isAllowed('editexisting') ) return true;
        return $result = false; // page exists, no permission -> disallow edit
    }
    $wgHooks['userCan'][] = 'checkEditExisting';
    $wgGroupPermissions['*']['editexisting'] = false;
    $wgGroupPermissions['user']['editexisting'] = true;
Note that I haven't tested the code above at all, but it's simple enough that, with some luck, it might just work.

Subresource Integrity: How to show only warning but not block resource?

I would like to make a soft integration for Subresource Integrity attributes, so be sure that I did not break the application, but only to show a warning that I need to fix some places.
Is there an option to do so?
Secure approach
If you need some kind of flexibility, then you should use a fallback mechanism: loading the required resource from another URL. The probability that two different URLs will be hacked at the same time is a lot smaller compared to hacking just one resource. A fallback doesn't violate site security, because you must trust your known-good sources which you use in your code. If your resource is JavaScript, you can use a noncanonical-src attribute for a fallback too.
Insecure approach
Now, if you really, really want a user to break server and/or client security by forcing a compromised resource to load, at least ask the user if he/she takes responsibility for doing so. Of course this will still be a stupid thing; it's like asking "Would you like to run a virus on your computer?". I bet nobody would like to say YES. Anyway, here is the code that asks this type of question:
    <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js"></script>
    <script>
    function loadResource(path) {
        var xhttp = new XMLHttpRequest();
        xhttp.onreadystatechange = function() {
            if (this.readyState == 4 && this.status == 200) {
                var cs = CryptoJS.SHA256(this.responseText);
                if (btoa(cs) == 'NjBiMTllNWRhNmE5MjM0ZmY5MjIwNjY4YTVlYzExMjVjMTU3YTI2ODUxMzI1NjE4OGVlODBmMmQyYzhkOGQzNg==' ||
                    confirm('Bootstrap is NOT the latest version 4.3.1, load anyway ?')
                ) {
                    var link = document.createElement('link');
                    link.rel = "stylesheet";
                    link.href = path;
                    document.head.appendChild(link);
                }
                else {
                    var err = document.getElementById('error');
                    err.title = "Component version error !";
                    err.innerHTML = ' ⚠️';
                }
            }
        };
        xhttp.open("GET", path, true);
        xhttp.send();
    }
    loadResource(
        //'https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css' // newest bootstrap
        'https://stackpath.bootstrapcdn.com/twitter-bootstrap/2.0.4/css/bootstrap-combined.min.css' // old legacy
    );
    </script>
I do not recommend only displaying warnings when the SRI hashes don't match. When you see the warning as a user, it's already too late and potentially malicious scripts have been executed on your machine.
However, you can implement your desired behaviour using the ServiceWorker-API and something like <script data-integrity="xxxxxxxx">. For that, you'd want to:
1. Register a new ServiceWorker
2. Listen to the fetch event
3. Client.postMessage the targetURL to your Parent
4. Get script integrity hash by targetURL $('script[src=event.data.targetURL]').attr('data-integrity') and push it into the client using Worker.postMessage
5. hash the response using e.g. cryptojs.sha256
6. match the hashes inside the worker
If the hashes match, return the response. If they don't match, return the response and use Client.postMessage again to trigger a warning.
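A sketch of the report-only service worker described above, as an added example that is not code from the original answer. Assumptions: the page posts its data-integrity values to the worker up front in a hypothetical 'sri-map' message (instead of being asked per request), and the worker reports mismatches with a hypothetical 'sri-warning' message; hashing uses the browser's Web Crypto API rather than CryptoJS.

```javascript
// sw.js: report-only integrity check (added example, not from the original answer).
// Web Crypto is global in workers; the fallback only serves older Node test runs.
const subtle = (globalThis.crypto || require('node:crypto').webcrypto).subtle;
const RANK = ['sha256', 'sha384', 'sha512']; // weakest to strongest
const expected = new Map(); // resource URL -> integrity string (assumed message format below)

async function digestB64(algo, bytes) {
  const hash = new Uint8Array(await subtle.digest(algo, bytes));
  return btoa(String.fromCharCode(...hash));
}

// Returns 'match', 'mismatch' or 'unchecked' (no supported hash listed).
// Like browsers, only the strongest listed algorithm is compared.
async function checkIntegrity(integrity, bytes) {
  const parsed = (integrity || '').trim().split(/\s+/)
    .map((t) => ({ algo: t.split('-')[0].toLowerCase(), b64: t.slice(t.indexOf('-') + 1) }))
    .filter((p) => RANK.includes(p.algo));
  if (parsed.length === 0) return 'unchecked';
  const best = RANK[Math.max(...parsed.map((p) => RANK.indexOf(p.algo)))];
  const actual = await digestB64('SHA-' + best.slice(3), bytes);
  return parsed.some((p) => p.algo === best && p.b64 === actual) ? 'match' : 'mismatch';
}

if (typeof ServiceWorkerGlobalScope !== 'undefined') { // skipped outside a worker
  // The page sends {type: 'sri-map', entries: [[url, integrity], ...]} after registering.
  self.addEventListener('message', (e) => {
    if (e.data && e.data.type === 'sri-map') {
      for (const [url, sri] of e.data.entries) expected.set(url, sri);
    }
  });
  self.addEventListener('fetch', (event) => {
    const sri = expected.get(event.request.url);
    if (!sri) return; // untracked resource: let the browser handle it
    event.respondWith((async () => {
      const response = await fetch(event.request);
      // Opaque (no-cors) responses expose no body, so they cannot be hashed.
      if (response.type !== 'opaque') {
        const bytes = await response.clone().arrayBuffer();
        if (await checkIntegrity(sri, bytes) === 'mismatch') {
          const client = await self.clients.get(event.clientId);
          if (client) client.postMessage({ type: 'sri-warning', url: event.request.url });
        }
      }
      return response; // report-only: the resource is delivered either way
    })());
  });
}
```

A service worker only controls pages loaded after it has activated, so resources fetched during the very first visit are not checked.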

Website copy not mine

1 month ago I made my website portfolio and I was looking daily for auto referencing, since I saw other websites with the same name AND the same content in the top results of Google and Qwant.
So, I've updated my website with a little alert to prevent malicious use of my website, but for now I'd like to know how they can copy my website so easily and fast. I've updated my website with this alert and instantly this alert was on those copies.
Any idea how to prevent this? Maybe it is a misconfiguration of my server, but I'm not sure of this one.
Original : http://corentindehay.me/
Copy : u4lab [dot] com
Copy : hongluchua [dot] fr
Thanks
A ping to those two domains shows that it's the same server that handles the requests:
corentindehay.me 5.196.8.82
hongluchua.fr 5.196.8.82
The third domain is not reachable from here (Belgium).
Thus, what you can do is to configure Apache/Nginx to only serve domain corentindehay.me. By default Apache serves requests with vhost 000_default.conf if I remember well.
You can define a new vhost that only serves your domain via something like this:
    <VirtualHost *:80>
        DocumentRoot /www/yourPortfolio
        ServerName corentindehay.me
        ServerAlias www.corentindehay.me
    </VirtualHost>
Don't forget to change the default vhost's behavior. More info can be found here: https://httpd.apache.org/docs/2.2/en/vhosts/examples.html
Besides that, you have no real solution to stop someone from copying your website, as the source code is public. But I really don't see any reason to copy a portfolio...
You can also enable SSL. Certificates are linked to a specific domain and served by your webserver. So in that case, you produce a certificate for corentindehay.me which will only be valid for that domain. People accessing your server with a different domain will see an error about invalid certificate.
Better, you can use CSS and JavaScript copy-protection code. This will not allow the user to select anything from your page... you can also disable the control keys using their ASCII values.
This code can help you:
    <script type='text/javascript'>
    var isCtrl = false;
    document.onkeyup = function (e) {
        if (e.which == 17) isCtrl = false;
    };
    document.onkeydown = function (e) {
        if (e.which == 17) isCtrl = true;
        // Block Ctrl+U (85) and Ctrl+C (67); the parentheses make the Ctrl test apply to both keys
        if ((e.which == 85 || e.which == 67) && isCtrl == true) {
            // alert('Keyboard shortcuts are cool!');
            return false;
        }
    };
    var isNS = (navigator.appName == "Netscape") ? 1 : 0;
    // captureEvents is a legacy Netscape API; call it only where it still exists
    if (isNS && document.captureEvents) document.captureEvents(Event.MOUSEDOWN | Event.MOUSEUP);
    function mischandler() {
        return false;
    }
    function mousehandler(e) {
        var myevent = (isNS) ? e : event;
        var eventbutton = (isNS) ? myevent.which : myevent.button;
        if ((eventbutton == 2) || (eventbutton == 3)) return false;
    }
    document.oncontextmenu = mischandler;
    document.onmousedown = mousehandler;
    document.onmouseup = mousehandler;
    </script>
See this post for a better solution:
http://www.droidadda.org/2017/03/how-to-show-your-blog-post-link.html

Redirect after login with YII2

For example:
1. A user is trying to access mypage.php?param=1.
2. He cannot access it, because he is not authenticated.
3. So, he tries to log in with his Google account.
4. He gets access successfully.
5. Now, I would like to redirect that user to mypage.php?param=1.
Yii supports a user return URL for when they were redirected by permission rules.
You can find it at:
    Yii::$app->user->returnUrl
and check it, then redirect if it is not empty.
Change like this
You could use Yii::$app->request->referrer which returns the last page the user was on.
    $return_url = Yii::$app->request->referrer;
    // $return_url holds the previous URL
    if ($return_url != null) {
        return $this->redirect($return_url);
    } else {
        return $this->goBack();
    }
In Yii2 we need to return() the result from the action. I think you need to add a return in front of your redirect.
    return $this->redirect('/user/index', 302);
    // Maybe this is not the proper way, but it's working for me
    // In your common code where you check whether the user is logged in or not
    if (Yii::$app->user->isGuest) {
        \Yii::$app->user->loginUrl = ['site/login', 'return' => \Yii::$app->request->url];
        return $this->redirect(\Yii::$app->user->loginUrl);
    }
    // and after login
    $return_url = \Yii::$app->request->get('return');
    // Follow only relative URLs, so a crafted 'return' value cannot send the user to another site
    if (!empty($return_url) && \yii\helpers\Url::isRelative($return_url)) {
        return $this->redirect($return_url);
    } else {
        return $this->goBack();
    }
You can use
    return $this->redirect(Yii::$app->user->getReturnUrl());
instead of
    return $this->goHome();

Magento Front End 404 Error

I am a newbie to Magento. I have installed it and put in a few products, but later I was getting Error: 404 page not found in the front end. The backend is all OK and I am able to access everything, but I don't know how this suddenly happened. I tried all the solutions like Flush Cache, replacing .htaccess, the is_active field in the database etc., but all proved futile. Then lately I put in System->Configuration->Web Base_url as http://sportiva.no/index.php/ (previously it was http://sportiva.no/) and everything changed completely: all the styles went away and I am not able to save anything. Please help, I am ready to give backend credentials.
Please help
Go to System > Configuration > Web > Default Pages and check "CMS Home Page" field value. If it is "404 Not Found", then change it to any of the CMS page available on the drop-down and save the configuration.
Refer to this link by Alan Storm,
http://magento-quickies.alanstorm.com/post/6462298634/404-debugging
excerpt from it,
Put this code in function _validateControllerClassName
    <?php
    #File: app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
    /**
     * Generating and validating class file name,
     * class and if everything ok do include if needed and return of class name
     *
     * @return mixed
     */
    protected function _validateControllerClassName($realModule, $controller)
    {
        $controllerFileName = $this->getControllerFileName($realModule, $controller);
        if (!$this->validateControllerFileName($controllerFileName)) {
            var_dump($controllerFileName);
            return false;
        }
        $controllerClassName = $this->getControllerClassName($realModule, $controller);
        if (!$controllerClassName) {
            var_dump($controllerClassName);
            return false;
        }
        // include controller file if needed
        if (!$this->_includeControllerClass($controllerFileName, $controllerClassName)) {
            var_dump($controllerFileName . '----' . $controllerClassName);
            return false;
        }
        return $controllerClassName;
    }

Check if browser has allowed geolocation services in the past?

Currently I can determine if a user has Allowed or Denied browser location services. But how do I detect if a user's browser has previously allowed the permission? I don't want to show the "setting message" to the user again.
    $("#updateLocation").click(function(e){
        e.preventDefault();
        navigator.geolocation.getCurrentPosition(allowLocation, deniedLocation);
        return false;
    });
    function allowLocation(position){
        // codes
    }
    function deniedLocation(){
        // codes
    }
I am also facing the same problem. After searching and experimenting, I finally found the answer.
You can add this JS code:
    navigator.permissions.query({name:'geolocation'}).then(function(result) {
        // result.state is one of 'granted', 'prompt', 'denied'
        console.log(result.state);
    });
Then you can use your custom code as needed.
source : https://developer.mozilla.org/en-US/docs/Web/API/Navigator/permissions
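One way to combine that permission query with the original click handler, as an added example that is not from the original answer. Assumptions: `showHint` is a hypothetical callback that displays the "setting message" before the browser prompt, and `nav` is the browser's `navigator` object, passed in so the function can also be exercised with a stub.

```javascript
// Added example: request the position, showing the hint only when the
// browser is actually going to prompt (or when the state cannot be read).
async function locateWithHint(nav, showHint) {
  let state = 'unknown';
  if (nav.permissions && nav.permissions.query) {
    try {
      state = (await nav.permissions.query({ name: 'geolocation' })).state;
    } catch (err) {
      // Some browsers reject permission names they do not support.
    }
  }
  // Already refused: the request would fail at once, so skip hint and request.
  if (state === 'denied') return { state, position: null };
  // Previously granted: no prompt will appear, so no hint is needed.
  if (state !== 'granted') showHint();
  const position = await new Promise((resolve) => {
    // A refusal at the prompt resolves to null instead of rejecting.
    nav.geolocation.getCurrentPosition(resolve, () => resolve(null));
  });
  return { state, position };
}
```

In the page it would be called as `locateWithHint(navigator, showSettingMessage)` from the click handler, where `showSettingMessage` stands for the site's own function.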
You can do this simply by making use of HTML5 localstorage which allows you to create key-value pairs:
    $("#updateLocation").click(function(e){
        e.preventDefault();
        if (localStorage.location == undefined) {
            // getCurrentPosition is asynchronous: the position arrives in the callback
            navigator.geolocation.getCurrentPosition(function (position) {
                var ip_located_geo_location = position.coords.latitude + "," + position.coords.longitude;
                var user_defined_location = prompt("Please enter your location", ip_located_geo_location);
                localStorage.location = user_defined_location;
            });
        }
        else {
            // use localStorage.location
        }
        return false;
    });
If the location is not previously saved then it asks for user_defined_location, also displaying the ip-located-position, and thereby updates the localStorage, so that the next time the user doesn't have to reset the location according to his preference.