Hi together,
I've searched your archive to find some details about the following topics, but have not found useful information within a meaningful timespan of my search.
I would like to use the inline functionality on a web-portal of my own as some basic kind of content management system. I have already included login functionality on the web-portal and also defined some different administrator roles, both of which lead to session generation; the session is then stored in client-side cookies and on the server, and identified by a session_id and a session_token.
As far as I have understood the enabling and disabling of the inline editor functionality, it only depends on the inclusion of the contenteditable="true" attribute, and I'm a bit concerned about the security implications that come with this approach.
As editing of the content should only be allowed for some administrator groups with specific session_ids, I'm not sure how to implement this.
Of course I could set this contenteditable="true" attribute in a server-side script that outputs the HTML content only for those session_ids that are in this administrator group, but I'm pretty sure that this attribute (contenteditable="true") can also be set client-side with JavaScript. So any suggestions about how to avoid/secure this?
My specific questions in this case:
1. Can I restrict the functionality of CKEditor in general to specific (already existing) session_ids? Is there any good example out there about this, i.e. using some already existing login system that generates session_ids, to be included/validated also in CKEditor's scripts?
2. Further increase security by making sure that only specific session_ids of administrators can use the inline functionality?
3. The same questions also apply to the CKFinder scripts, which would handle the file/image upload and administration, so the above session-dependent solution should also work for the CKFinder scripts and make sure that only a specific session_id can upload/delete/modify files/images on the server.
Any hints/live examples would be greatly appreciated. Sorry if I asked a stupid question that was maybe already answered and I just did not find it.
Kind Regards, Claude
Saving is done at the server,
Saving is done at the server, that's where you should check if the user is allowed to do so or not.
contentEditable is an attribute that allows editing the content in any page, no matter whether you use CKEditor or not. Test it right now: add contentEditable="true" to some elements in a page and you'll see that you can edit them.
Does it make sense to enable that feature for any user?
No, so it doesn't make sense to set the attribute on your page unless the user will then be allowed to save the changes.
Just to clarify,
Just to clarify, contentEditable is actually a browser function, and it works to a limited degree even without CK installed. However, all it does is allow the user to change the text in their own browser, which they can do all they like, as it's no security concern to you, the webmaster.
Saving the changes back to a website requires an HTML form (or ajax) submission of some kind, and it's here that you need to be careful about checking the user's credentials. CK doesn't perform this part of the job; it is up to you to provide the user-validation and upload code, or to integrate CK into an environment that provides it, such as a CMS.
The issue of storing credentials in a session is extremely complex security-wise, and has numerous gotchas attached. One to watch out for is that recent browsers which 'automatically restore previous tabs at startup' may restore a closed session, possibly from hours ago, if you don't do something to stop that happening. This is particularly dangerous on shared computers. A ping routine and relatively short inactivity timeout is one workaround.
It's not without reason that so many large sites have had security failures recently. This area of Web programming (user auth) leaves a lot to be desired, to put it mildly.