Yes, consider a custom social sharing widget which appears on all forum topic pages. The widget will show on topic pages of active admin-only boards. When an administrator shares the topic page url to Facebook, Facebook's OG info parser cannot access the url. When an administrator shares the topic page url to Twitter, any recipient of the tweet can click on the url but will see either a Lithium error page or the Lithium log in page. If a regular user logs in, they'll see a permission denied error. We want to prevent any user with elevated permissions from ever sharing a protected post publicly.
Got it. For this you will have to create a component on the client side and not server side. Use javascript to create the component and make the boards/id/${board.id}/view/allowed or messages/view/allowed api call as an anonymous user. If it returns true, then share it else not. Currently there is no way you can achieve this via freemarker since all the rest calls run as the user in context.
Hope this helps.
Regards,
Chhama
What's the best way to make a Lithium API call anonymously via JS? When the browser session is authenticated w/ a user w/ elevated permissions, we're seeing that typical ajax calls to direct API urls or to custom endpoints carry the user context.
Hi Chhama,
Thank you. Support pointed me in the right direction. I now have a solution.
