Forum Discussion
- DougS (Khoros Oracle)
Hey CM,
You could set aside one of your custom content modules and build a customization that allows users with a certain role to edit that.
This article explains how to check if a user has a certain role:
This article explains how to retrieve custom content settings via the REST API:
This post explains how to set custom content settings via the REST API:
Here are links to the documentation for the related REST calls:
- Get user's roles (/restapi/vc/users/id/[id]/roles)
- Get setting (/restapi/vc/settings/name/[name], remove the part of the URL that has /users/id/[id])
- Set setting (/restapi/vc/settings/name/[name]/set?value=[value], remove the part of the URL that has /users/id/[id])
One thing you want to be careful about when you add this kind of customization is that it can't be used to issue a Cross-Site Request Forgery attack (or CSRF attack), where someone tricks someone with this role into clicking the form submit URL, updating the custom content to something they didn't intend to update it to.

The best way to prevent these types of attacks is to add a CSRF token that gets created when the page is rendered and has to be sent when the form is submitted. Another way you can prevent these types of attacks (but it's still better to implement a token) is to do a Referer header check to make sure the request is coming from the page where the form is. Whichever method you use, be sure that the form can only be submitted via HTTP POST (not via GET).
-Doug
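The following is an added example, not code from the thread or from Khoros: a server-side guard for the "edit custom content" form Doug describes, showing the three defenses in the order they would run (POST only, role check, CSRF token minted at render time and verified on submit, with the Referer/Origin check as the fallback). The role name, site origin, `Request` shape and `handle_set_setting` function are all assumptions made for the illustration; the real customization would call `/restapi/vc/settings/name/[name]/set?value=[value]` only after every check passes.

```python
"""Guard for a form that lets a privileged role update a custom content module.
Assumed names (EDITOR_ROLE, SITE_ORIGIN, Request, handle_set_setting) are for
illustration only; they are not part of any Khoros API."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical server-side secret. A real deployment loads it from protected
# configuration; generating it at import time is only for the demo.
SECRET_KEY = secrets.token_bytes(32)

EDITOR_ROLE = "Content Editor"                  # assumed role name
SITE_ORIGIN = "https://community.example.com"   # assumed community URL


def issue_csrf_token(session_id: str) -> str:
    """Mint a token when the form page renders. It is a random nonce plus an HMAC
    that binds the nonce to the caller's session, so a token taken from one
    session does not validate in another and nothing has to be stored server-side."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def same_origin(headers: dict, expected_origin: str) -> bool:
    """Fallback check: Origin (preferred) or Referer must point at our own site.
    A missing header is treated as a failure, which is the safe default."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, exp = urlsplit(source), urlsplit(expected_origin)
    return (got.scheme, got.netloc) == (exp.scheme, exp.netloc)


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the demo)."""
    method: str
    session_id: str
    roles: list
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def handle_set_setting(req: Request) -> Tuple[int, str]:
    """Return (HTTP status, message). Only on 200 would the customization go on
    to call /restapi/vc/settings/name/[name]/set?value=[value]."""
    if req.method != "POST":
        return 405, "form must be submitted via POST"
    if EDITOR_ROLE not in req.roles:
        return 403, "user lacks the editing role"
    if not verify_csrf_token(req.session_id, req.form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    if not same_origin(req.headers, SITE_ORIGIN):
        return 403, "request did not originate from this site"
    name, value = req.form.get("name", ""), req.form.get("value", "")
    return 200, f"would set custom content {name!r} to {value!r}"


if __name__ == "__main__":
    token = issue_csrf_token("sess-A")
    legit = Request("POST", "sess-A", [EDITOR_ROLE],
                    {"Referer": SITE_ORIGIN + "/t5/custom/edit"},
                    {"csrf_token": token, "name": "footer", "value": "hello"})
    forged = Request("POST", "sess-A", [EDITOR_ROLE],
                     {"Referer": "https://attacker.example/"},
                     {"name": "footer", "value": "pwned"})
    print(handle_set_setting(legit))
    print(handle_set_setting(forged))
```

The token check runs before the Referer check so a forged request from another site fails on the token alone, which is why Doug calls the token the better defense: Referer can be stripped by proxies and privacy settings, while a session-bound token is unavailable to the attacking page.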
Wow, that's an amazing response! Oracle, hell yeah.