permissions

This is an open forum for any mojoPortal topics that don't fall into the other categories.

This thread is closed to new posts. You must sign in to post in the forums.
1/23/2013 10:49:23 AM
Total Posts 28

permissions

Hi All,

Is there any way I can allow a user to edit content in the editor and not be able to edit the source code on a page?

Scenario

I have selected users that can only view their individual company page. I only want to give them access to upload images and edit text in the editor; however, I don't want them to be able to edit the source code behind it.

1/23/2013 2:34:20 PM
Total Posts 18439

Re: permissions

Hi,

The thing to understand is that the editor is a convenience tool to help write HTML without knowledge of HTML. It is NOT a security feature. If a user disables JavaScript in their web browser, the editor will disappear completely; there will be a textarea, and the user can then enter raw HTML or add JavaScript or do anything they want. So if you are thinking the editor can stop users from doing bad things, it cannot.

You "could" edit the toolbar configuration to leave out the view source tool button; however, the places where the editor has the view source button are only in places where the features expect trusted users. For example, the blog comments and forums do not expect trusted users, so they don't have as many toolbar options, but the Html content feature and the Blog feature do expect users with edit permissions to be trusted users. You should not allow untrusted users to edit those features. See the section "What mojoPortal is NOT designed for" on the About page.

Note that while we don't include the view source toolbar in places where untrusted users can edit content, we don't rely on it for security, and we assume that users can manage to enter malicious content by disabling JavaScript as mentioned above, but we have other means to protect against untrusted content entered by untrusted users. We use a tool called NeatHtml to wrap around untrusted content and prevent any script from being executed.

Hope that helps,

Joe
