Limit category transclusion when using dynamically-generated categories in MediaWiki - wiki

At first I wasn't sure if a question on how to do something advanced in MediaWiki belonged here, but upon reading the FAQ and thinking about it, I decided that wiki markup is as much its own language as HTML and CSS, and if those questions are welcome here, then hopefully this is too! If I am wrong feel free to flag this question. Update: Well as evidenced by the 3 views this question got, I suppose that while perhaps it's within the rules of Stack Overflow, there might not be much expertise on the subject! I suppose I will need to take this question to the official forums (shudder)
The problem
On a wiki I am setting up powered by MediaWiki, I have a Template that outputs among other things dynamically created categories. This means that the page that invokes the template will be categorized based on some of the variables passed to the template. The dynamically generated categories are inside <includeonly> blocks to prevent the template page itself from getting the categories.
The problem is that I then transclude that page on to other pages, which causes the categories to be transcluded as well, and now that third page has all of the categories of all of the pages it transcluded.
I want to somehow format the template such that the page that invokes the template will make use of the categories but any pages that transclude the invoking page will not inherit the categories.
Example
Here's my best shot at an example of the setup. If this is inadequate I can provide links to my real-world example.
Template:Food
A page that takes a couple variables and outputs a highly formatted block that explains the food, including outputting a category based on the "type" variable.
Banana
This page invokes the Template:Food template with a few variables, including type set to "fruit". The result is when the user views the "Banana" page they get a nicely formatted page with some basic information about the fruit. Furthermore, if the user goes to the Category:Fruit page, they will see the Banana page listed.
Banana Nut Bread Recipe
This is the problem page. On this recipe page, the author wants to transclude all of the pages for ingredients so that each ingredient is listed in its nicely formatted block. However, when he transcludes the Banana page using {{:Banana}}, the Fruit category is transcluded along with it and now the Banana Nut Bread Recipe page is listed as being in the Fruit category which is wrong.

If I understand correctly, you want to limit the includeonly info (the category) to only depth 1 transclusion. I don't think it's possible.
Possible solutions:
1- Don't put category info into the Template:Food. Just put it directly in each ingredient page or if you really must, create a Template:Food_category or similar. Then each page could have any number of {{Food}}s and the {{food category}}s would need to be explicitly put.

The Labeled Section Transclusion extension lets you tag parts of a source article with labels, and transclude based on those tags. The tags can overlap, so that you have very granular control over what gets pulled through.
https://www.mediawiki.org/wiki/Extension:Labeled_Section_Transclusion
I would think that with Labeled Section Transclusion, you could transclude both the Type:fruit and the Banana description in separate transclusion statements on the Banana page, but only pull the description through to the Recipe page.

Related

Django 2.x: Is using the Primary Key of a Model in the URL pattern a security concern?

The id (PK) of a model/ DB can be passed to and used in the URL pattern. Everyone, including hackers, would be able to piece together some information about my DB from this and the actual data in the template.
My questions are kind of general at this point. I would just like to understand how the info above could be used to compromise the data. Or if someone could point me to some further reading about this topic I would appreciate it.
This is a general question as I am trying to gain more understanding into securing Django sites. I have read several articles but nothing's satisfied the question.
Code:
Where the href passes the blogs id to be used in url matching and ultimately pulling data from the DB in the views/ template:
<a href="{% url 'details' blog.id %}">
and
urlpatterns = [
path('<int:blog_id>/', views.details, name='details'),
]
And the URL being:
domain/appname/blog_id/
TL;DR: Can you hack my site with the few pieces of information I am freely giving away concerning the backend?
First it depends on how your ids are generated. The default in Django is to use sequential numbers, which gives away the following (non-exhaustive) information:
Someone can easily try other ids to see what they get. If you haven't properly protected access to ids you don't want to show, someone might be able to see content they shouldn't see. Many information leaks were just due to this: Guess the URL et voilà! Something that was supposed to be published tomorrow is suddenly leaked today. The same applies for dates in the URL. Of course, if you have proper checks for who's allowed to view "draft" posts, there's no harm.
By trying all ids, you can find out numbers: maybe you don't want others to know how many products you have in your database because it's sensitive information. If I can just do /products/4924 to fetch info about product #4924, I can easily create a script to quickly increase the number until I get 404 Not Found, by which time I know there are 10252 products in your database.
If you have a form to make changes to an order and use the id in the URL to determine which order to change (never do just that by the way, make sure you check the order belongs to the user), someone could just pick different ids to mess with other people's orders. That can happen easily with an UpdateView where you forget to check permissions.
Regarding the last one: I see plenty of posts here on SO where people show their UpdateView for changing user profiles and other really sensitive information. In most cases the pk is the URL parameter used to fetch the UserProfile. But I almost never see a decorator or mixin (PermissionRequiredMixin or UserPassesTestMixin) to check that the user is actually the one authorised to modify this object. I just pray it's left out for clarity's sake :-)
On the other hand, in many cases there's not much harm using ids. This site, StackOverflow uses a sequential id for the URL of a question/answer. Nothing serious can happen here if I randomly try other ids. And apparently they are happy to share how many questions and answers have been posted so far (57478609 when you posted this question).
TL;DR: Except giving the ability to visitors to "count" objects in your database, all other security issues with using sequential ids aren't real issues if you take care about your security. But by using random ids, e.g. uuids in your URLs (not necessarily replacing the pk in the db) you can reduce the risk if you forgot to secure something where people can guess ids (or your intern forgot and it got past your code review and unit tests somehow).
You asked a general question, and the general answer would be: "It depends"
TL;DR: Can you hack my site with the few pieces of information I am freely giving away concerning the backend?
This question is broad. You could hack a site with a toothpick if you annoy the site owner by poking them with it until they give you the password.
Instead I'll assume you asked the titular question:
Q: Are PKs in URLs a security concern?
A: They can be.
In your example you mention blog posts- so let's assume your site has plenty of users all writing blog posts. Now you add the ability for a User to set their latest blog entry to "private". Blog posts marked private only show up on the dashboard for the user that wrote them, and don't show up on everyone else's blog feeds e.g:
{% for article in articles if not article.private %}
... <article feed stuff here>
{% endfor %}
Great!
However, one of your users posts a private article and looks at the address bar which shows https://myblog.blog/articles/42 and then at a previous article they wrote yesterday which is https://myblog.blog/articles/37 and deduces that the IDs are sequential. On a whim they type into the address bar https://myblog.blog/articles/41 and oh dear, now they're looking at an article that someone else posted that for the sake of argument we'll say was also set to private.
Because we had no check in place to make sure that the user looking at the (private) blog post was permitted to do so we exposed someone's private information. Which is bad enough for blog posts but a very expensive disaster for e.g. bank accounts (there are plenty of examples of major banks slipping up on this particular issue).
Django has a robust system for dealing with this sort of thing: https://docs.djangoproject.com/en/2.2/topics/auth/default/#limiting-access-to-logged-in-users-that-pass-a-test
The argument can still be made that as well as permissions checks, good practice would be to use UUIDs (or short UUIDs) for the id "slugs" in the URLs of any objects that you would rather weren't guessable.
Also, not security related but on the subject of URLs for public articles and blog posts you may find this interesting: https://wellfire.co/learn/fast-and-beautiful-urls-with-django/
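Both answers above make the same point: a guessable pk in the URL is only a problem when the view fetches the object by that pk and stops there. The example below is an added illustration, not code from the question or from either answer. It is plain Python that models what a Django detail view does, so it runs without Django installed: the classes Http404, PermissionDenied, Request and Article are stand-ins for the Django objects of the same role (an assumption made for self-containment), the sample rows are constructed, and the function names details_unchecked, details_checked and details_by_slug are hypothetical. It shows the unchecked lookup beside the lookup with an ownership test (what a UserPassesTestMixin test_func or a check inside the view enforces), and a UUID slug as a non-enumerable public identifier that keeps the integer pk in the database.

```python
"""Ownership check on an object fetched by a guessable primary key.

Plain-Python model of a Django detail view (assumption: Django itself is not
imported; the exception classes and Request below are stand-ins).
"""
import uuid
from dataclasses import dataclass, field
from typing import Dict, Union


class Http404(Exception):
    """Stand-in for django.http.Http404 (assumption)."""


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (assumption)."""


@dataclass
class Article:
    pk: int           # sequential id, as Django's default AutoField assigns
    author: str       # username of the owner
    private: bool
    body: str
    # Non-sequential public identifier for URLs; the integer pk stays in the DB.
    slug: uuid.UUID = field(default_factory=uuid.uuid4)


@dataclass
class Request:
    user: str  # constructed stand-in for request.user (username only)


# Constructed sample rows: alice wrote 37 (public) and 42 (private), bob wrote 41 (private).
ARTICLES: Dict[int, Article] = {
    37: Article(37, "alice", private=False, body="Alice's public post"),
    41: Article(41, "bob", private=True, body="Bob's private draft"),
    42: Article(42, "alice", private=True, body="Alice's private draft"),
}
BY_SLUG: Dict[uuid.UUID, Article] = {a.slug: a for a in ARTICLES.values()}


def details_unchecked(request: Request, blog_id: int) -> str:
    """The pattern the answers warn about: the pk is the only access control.
    Anyone who requests /articles/41/ gets Bob's private draft."""
    article = ARTICLES.get(blog_id)
    if article is None:
        raise Http404
    return article.body


def _authorise(article: Article, request: Request) -> None:
    """Private objects are visible only to their author. Raising PermissionDenied
    confirms the id exists; raise Http404 here instead if existence itself is sensitive."""
    if article.private and article.author != request.user:
        raise PermissionDenied


def details_checked(request: Request, blog_id: int) -> str:
    """Same lookup, but the view verifies ownership before rendering."""
    article = ARTICLES.get(blog_id)
    if article is None:
        raise Http404
    _authorise(article, request)
    return article.body


def details_by_slug(request: Request, slug: Union[str, uuid.UUID]) -> str:
    """Lookup by UUID slug: the id space cannot be walked, but the ownership
    check is still applied, because unguessable is not the same as authorised."""
    try:
        key = uuid.UUID(str(slug))
    except ValueError:
        raise Http404 from None   # malformed slug: treat as not found
    article = BY_SLUG.get(key)
    if article is None:
        raise Http404
    _authorise(article, request)
    return article.body


if __name__ == "__main__":
    # alice asking for bob's private draft: the unchecked view serves it,
    # the checked view refuses.
    print(details_unchecked(Request("alice"), 41))
    try:
        details_checked(Request("alice"), 41)
    except PermissionDenied:
        print("denied, as it should be")
```

The slug variant only changes which column the URL names; the ownership test in _authorise is identical in both checked views, which is the point both answers make about UUIDs being a second layer rather than a replacement for permission checks.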

Multiple item templates in Grid App

I'm developing a Windows Store application based on the Grid application template. Upon creating a new project, there is some sample data generated for the application. There are only three pages in the app: home, grouped items, and item details.
I'm wondering whether it's possible to have different templates for item details, and if so, how.
For instance, I have a group containing a list of smartphones and another group containing a list of printers. In the smartphones item details template, I'd probably have fields such as "Memory card", "Speakerphone", and "Operating system", whereas in the printers item details template I'd have fields such as "Speed", "Accepted cartridges", and "Paper sizes".
How should I go about adding item detail templates and using the correct one depending on which item is viewed? I've looked at http://babaandthepigman.wordpress.com/2012/02/08/datatemplateselector-winrt/ but that seems to be for XAML applications only. I'm not using XAML/VB/C++/C#, but JavaScript and HTML5.
To be clear the three pages in the grid project template are groupedItems (the "hub"), groupDetail (the "section"), and itemDetail (the "detail"). I actually wish they would have named those pages "hub", "section", and "detail".
If you're talking about having multiple item templates so that item tiles on the hub (groupedItems) page look different depending on the item type, then the easiest way is to provide the multiple item templates (WinJS.Binding.Template) in the HTML and then write a custom template selection function. It's not that difficult. You can see an example if you look at my codeSHOW app (codeshow.codeplex.com)... see the home.js page. The source is online, so you can see that page here.
If you're talking about having multiple detail (itemDetail) pages so that when a user clicks on a certain item from the hub, they might be taken to a whole page of information about a phone versus a printer, then that's simply a matter of having multiple pages and being intelligent about which page you navigate to. If the user clicks on a phone from the hub, then you navigate to /pages/phone/phone.html. If they click on a printer then you navigate to /pages/printer/printer.html.
Finally, if your entities (i.e. phones and printers) are similar enough, then you may want to keep a single page to represent them, and just make that page smart enough to modify its template for the right item. In that case, you can create two templates on the page (WinJS.Binding.Template again) and when the entity is passed in to the page (the 'options' part of ready(element,options)), you just inspect it and look at the entity type (i.e. phone or printer) and then render the data into the right template. The Binding and Templating and Fragments and Pages demos on codeSHOW may be helpful there.
If you want more help, you can schedule some 1 on 1 time with a Microsoft Developer Evangelist at usdpe.ohours.org. Have fun!

Review Site > Need common post template or plugin for product thumbnail, details and description

I'm working on a site in which each post will be dedicated to a single product review. I'd like to have a consistent look for each review so that the product image or cover art is at the top left. To the right of the product image, I'd like a listing of items (author, sales page, product cost, etc).
Below these two, I'd like a summary description area, spanning both columns. I don't want to use tables if possible (the summary description will have a clear:both setting perhaps).
Finally, I'd like to specify a list of "Related Products" in the right sidebar area. I'd like to be able to simply flag a category that contains the "related products" and have the top products in the category shown (as thumbnail images) as well as links to the product page.
Should I create a post template for this or do you have recommendations for a plugin that will work better and database each product separately (rather than placing it all in the post markup)?
TIA :)
For these specific requirements on the stuff you want displayed - yes, you need a post template. WordPress 3.0 introduces custom post types which might ease you in the work, but all the data you insert should be displayed appropriately => product post template OR a lot of html in your post, formatting all that stuff. The latter doesn't have any flexibility and is hardly a solution to the problem.

Different types of authors in Wordpress?

I want to make a website about illustrated books. There are two different kinds of authors for a book: writers and illustrators.
For each writer I want to make a page that lists the books for that writer. The path would be:
http://mysite.com/writers/EdgarAllanPoe
http://mysite.com/writers/OscarWilde
etc
The same for each illustrator: a page for each illustrator listing the books illustrated by her or him.
Paths in this case would be:
http://mysite.com/illustrators/DiegoRivera
http://mysite.com/illustrators/FridaKahlo
etc
and then, each book will have a single page (like a post):
http://mysite.com/books/OneHundredYearsOfSolitude
http://mysite.com/books/WinnieThePooh
etc
Is it possible to do this in Wordpress? Thanks.
Absolutely, there are definitely ways to do this. The way I'd recommend it is using one custom post type for books and two custom taxonomies for illustrators and authors.
That would give you the url structures you want right out of the box, and would make it easy to associate any book with an author and illustrator (or multiple authors and illustrators, if it's a collaborative book) and would involve only about 30 - 40 lines of code to set it up. There'd be more involved in getting the templating to act the way you wanted, but not much.

How do you post content to a specific template position?

I purchased a template / theme from RocketTheme, but I can't figure out how to add content at a specific position.
The templates have "module positions" that collapse. I'd like to add some content at one of the module positions.
If I add articles, they seem to go into "mainbody". But I'd like to have content in other areas of the template.
How do I take some text, images, or other content, and get them to display in these other positions (i.e., TOP-A, or FEATURE-A, etc)?
I've tried this
Go to Extensions->Module Manager
Select "New", Select "Sections"
Under "Details", I select Position->Top-A
I give it a title.
Nothing seems to happen. I don't see anything new exposed in the admin UI, and I don't see a way to get any content into this newly defined section. What am I not understanding?
go to JED and look up html in module or content in module or content in component there are a bunch of them. http://extensions.joomla.org/search?q=module+content&start=20
Essentially
you create and save an article. Make sure it is saved to a section or category on your menu
open the module, one of the parameters will ask for the article id...decide which position and which pages you want it on and then publish.
You can also get modules that will take some or all of your articles in a category and then show them either as a slideshow or one randomly when someone visits the page