
$DiscussionModel->Save($DiscussionData); from plugin

I've got a plugin which should post a discussion automatically when it is triggered by just opening a certain page with wget as a cron job. The thing is, when the plugin tries to do $DiscussionModel->Save($DiscussionData); nothing happens, because I think it does a permission check in the background and assigns the guest role, which is restricted from posting. When I'm authorised and open the same page, the plugin works perfectly.

How can I bypass the permission check to post for my plugin?

Comments

  • wget, as the name implies, is for GET requests, not POST requests.

    When are you authorised? How are you authorised?

    You need to use an API solution for problems like this.

    grep is your friend.

  • R_JR_J Ex-Fanboy Munich Admin
    edited September 2014

    There's no way to do that with wget. Even the example discussion is inserted by SQL: https://github.com/vanilla/vanilla/blob/master/applications/vanilla/settings/stub.php#L45-L56

    So this would be a way to post a discussion from within a plugin:

        public function addDiscussion() {
            // build the discussion row; the model is only used to refresh the category counters
            $DiscussionModel = new DiscussionModel();

            $UserID = ...;
            $CategoryID = ...;

            $Discussion['Format'] = 'BBCode';
            $Discussion['ForeignID'] = 'yourplugin';

            $SQL = Gdn::Database()->SQL();

            $Discussion['Name'] = 'This is the title';
            $Discussion['Body'] = 'Discussion text';
            $Discussion['DateInserted'] = date('Y-m-d H:i:s');
            $Discussion['InsertUserID'] = $UserID;
            $Discussion['CategoryID'] = $CategoryID;

            // direct insert: no permission check and no validation, so the caller is responsible for both
            $Result = array();
            $DiscussionID = $SQL->Insert('Discussion', $Discussion);
            if ($DiscussionID) {
                $Result[] = "Discussion \"{$Discussion['Name']}\" has been created.\r\n";
                $DiscussionModel->UpdateDiscussionCount($Discussion['CategoryID']);
            }
            return $Result;
        }
    


  • @RJ I disagree that this is the best way. For one, you are reinventing the wheel by not using model methods; also, the method itself will need to be secured somehow.

    grep is your friend.

  • R_JR_J Ex-Fanboy Munich Admin

    I never said it is the best way (and I'm not even sure if it is a good one). It is the only way that you can get directly from Vanilla itself, so I think it still is some kind of a reference, no matter what we both think about its quality.

    I wouldn't think of the API as the best solution because there is no such thing as the API by now. On top of that, I see no benefit in using it when your problem is more rigid and there is no need for a flexible solution. The only advantage I can think of is that there is no need for code on the server for that - except for the API implementation, which isn't a part of Vanilla right now ;)

    The best way in my opinion would be using a function drafted like this:

        public function addDiscussion($Name, $Body, $Secret) {
            // a user created especially for this, with only discussion creation rights
            $UserID = The_UserID_of_some_user_that_is_created_especially_for_this_and_has_only_discussion_creation_rights;
            // give that user a known TransientKey; Save() is expected to accept only a matching one
            $TK = Gdn::UserModel()->SetTransientKey($UserID, 'superkalifragilistic...');
            $DiscussionModel = new DiscussionModel();
            $DiscussionID = $DiscussionModel->Save(array(
                'Name' => $Name,
                'Body' => $Body,
                'TransientKey' => $Secret,
                // Format, User, etc...
            ));

            // "reset" the TransientKey so that it cannot be used for anything else (whatsoever)
            $TK = Gdn::UserModel()->SetTransientKey($UserID);
            return $DiscussionID;
        }

    Using $Secret as the TransientKey is only a pure security but it works the same way as any API call would, only that you do not have to provide a password.

    Don't want to be too harsh on the thread opener, but he has put the question in a way that makes me think he hasn't done very much with Vanilla by now; correct me if I'm wrong!
    I do not know what he wants to achieve, and so I just pointed out the fastest, and surely not the most sophisticated, way. But I think sometimes pragmatic solutions are to be preferred.
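    An added example (not code from the thread or from Vanilla itself) of the approach R_J sketches above, written as a plugin endpoint the cron job can call: the request carries a shared secret, the post is made by a dedicated low-privilege account through the model, and the controller never disables the permission check. It assumes a Vanilla 2.1-era API (Gdn::Config, Gdn::Request, Gdn::Session()->Start, DiscussionModel::Save and ValidationResults, the PluginController_*_Create endpoint pattern); the plugin name, config keys and user/category IDs are placeholders.

```php
<?php
// Added example, not from the thread. Config keys below are assumed placeholders:
//   $Configuration['Plugins']['CronPoster']['Secret']     = '<long random string>';
//   $Configuration['Plugins']['CronPoster']['UserID']     = <id of a service account with only Vanilla.Discussions.Add>;
//   $Configuration['Plugins']['CronPoster']['CategoryID'] = <target category>;
// Cron side (wget defaults to GET, so the secret must be sent as POST data):
//   wget -q -O - --post-data="Secret=<long random string>" https://forum.example.test/plugin/cronpost
class CronPosterPlugin extends Gdn_Plugin {

    // Compare two secrets byte by byte so a mismatch at position 0 takes as long as one at the end.
    private function secretsMatch($Given, $Expected) {
        if (!is_string($Given) || !is_string($Expected) || strlen($Given) !== strlen($Expected)) {
            return FALSE;
        }
        $Diff = 0;
        for ($i = 0; $i < strlen($Given); $i++) {
            $Diff |= ord($Given[$i]) ^ ord($Expected[$i]);
        }
        return $Diff === 0;
    }

    // Endpoint /plugin/cronpost (assumed plugin endpoint pattern): POST only, secret required.
    public function PluginController_CronPost_Create($Sender) {
        $Request = Gdn::Request();
        $Expected = Gdn::Config('Plugins.CronPoster.Secret');
        if (!$Request->IsPostBack() || !$Expected || !$this->secretsMatch($Request->Post('Secret'), $Expected)) {
            throw new Gdn_UserException('Forbidden', 403);
        }

        // Run this request as the dedicated service account instead of as a guest. Passing FALSE as the
        // second argument does not set an identity cookie, so the elevated session lasts only for this request.
        // The permission check inside the model still runs, now against that account's limited permissions.
        $UserID = (int) Gdn::Config('Plugins.CronPoster.UserID');
        Gdn::Session()->Start($UserID, FALSE);

        $Model = new DiscussionModel();
        $DiscussionID = $Model->Save(array(
            'CategoryID' => (int) Gdn::Config('Plugins.CronPoster.CategoryID'),
            'Name'       => 'Automatic post for ' . date('Y-m-d'),
            'Body'       => 'This discussion was created by the scheduled job.',
            'Format'     => 'BBCode',
        ));

        // Surface validation failures (missing permission, empty body, unknown category) instead of
        // silently "nothing happening", which is what the original poster observed.
        $Sender->SetData('DiscussionID', $DiscussionID);
        $Sender->SetData('Errors', $DiscussionID ? array() : $Model->ValidationResults());
        $Sender->Render('Blank', 'Utility', 'Dashboard');
    }
}
```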

