The correct places for uploaded-by-user layout file and css file

Hi,

I am creating a website which allowed the user to customize their own page by upload their own created layout file or css. This file is going to be php file with its content is html tags. These layout and css files will to be rendered by the controller.

I am wondering whether it is better to put these layout files outside protected folder or must be inside it? If I put it inside protected, is there any danger about that??

Hi junxiong,

Am I missing something, or you suffer for an extreme lack of troubles and asking yourself for a really big problem? :] You want to… [b]allow your user to upload PHP file that you would then parse /b inside your own application? OMG! I wouldn’t be able to figure out a better way to ask someone to destroy your application! :]

How you would like to check if particular piece of PHP file truly contains only layout, not some dangerous code? That could not only burn your whole application but also can be a potential problem to the whole server. And I’m not talking about serious security breaches here. Simple endless loop, that will starve to death your application resources (or maybe whole server, if it is badly configured) is the first thing on a really long list of problems someone may cause, when allowed to upload and run PHP code in your website.

Not mentioning that, if server is badly secured - your PHP application will be open to use file-related functions to open some protocols and streams like HTTP. There isn’t an easier way to attack another website using code uploaded to your website, making it therefore responsible for the whole attack!

Second problem - access rights. I’m a total Linux newbie, but since PHP files are executable ones under Linux server, you have to give them (and folder you will be holding them) and execute right. Changing access rights to newly created folders is a piece of hard job in PHP (if it is allowed by server configuration) and it is also a practice that most administrators and developers wouldn’t find to good. And I can’t even imagine about idea of uploading user PHP files to protected/views folder, that is - allowing them to inject any PHP code directly into your application. That is a total madness. If you would agree on that, the only thing left to do would be to write a long, good visible message saying Hi, I’m the application ready to be destroyed - please upload any PHP code to this field. Forgive me for sarcasm! :]

Not mentioning, aesthetic problem! Badly coded CSS may make your page look like a s**t. You sure, you want it?

Are you really sure, you want to allow your users to upload own layouts? I’m trying to see this not as developer, but as regular user. Who the hell have time playing with understanding Yii’s (your’s) way of organising and implementing layouts? Who will want to play with it. Defining own layouts, themes or styles - a fixed group of fixed looks for your application - and allowing to your users to select one of closed, not user-editable of them instead of allowing to upload one - is far, far enough in my opinion.

If you really, really need to allow your users to upload own layouts, you have to design and develop your own so-called language for describing them and own engine for parsing them. Do not allow your user to upload a pure PHP code or you’re going to get yourself into a real problems!

At the end of this, probably my longest post in this forum I just want to summarise that I hope that I miss-understood you, that you don’t want to do, what I think, you want to do and that my whole talking about is just a piece of useless bulls**t! :]

Cheers,

Trejder

:D

After read this looong post from Trejder

He is totally right ofc, no way you let user run a php file

But as for upload layout I do have a module for it, which is used internally for my employees to do their job faster

I’m actually refactoring it but what it does is the following :

-I download of one these .zip layout from any free templates website and upload the whole .zip to the module

-The module’s script removes any php / script or dangerous code

-The next screen is a window in which you choose which areas are good for content

-These areas will now contain a tag [content] as its content, that will be later, after save, replaced with actual php code

-It is then saved the .php file under /protected/views/layouts/user/{layout-id} and the images in /public/layouts/{layout-id}

It has a html / css editor to edit a layout ( after the edition it again removes any possible harmful code from it )

It also fix the css to point all images url to the right place

Also has a couple more functionalities

if you want I send it to you so you can have a base of how to build yours

Cheers

Gustavo this seems very interesting… would be nice to have it as an extension…

but if you don’t have time to sort the code and make an extension… as you are willing to share this code… perhaps you can post all this code in the section “Tips, snipets and tutorials”… you can attach the code as a ZIP file… and in the post just explain the code a bit… so maybe someone will take the code, make it better… :D

Im glad you liked mdomba

The only problem is that its in portuguese and with no documentation at all … since was done by me and will be only be edited by me, until now

I’ll take a couple hours today soon (since I dont work today and am boring answering questions in the forum hehe) to edit it as a module/extension cleaning up its dependencies of my system, post and let you now

Cheers

I’m all hands and legs after mdomba! Even from your description it seems that you’re hiding there real powerful piece of code! :] I would love to see it as extension or example. Even if I don’t plan to use it, just looking at the code could be very interesting. And for Portuguese… you may get familiar with Yii::t() function! :]

BTW: You’re getting +1 for information on very interesting project, you’re doing, +1 for description that suggest, this is something big and -1 for hiding it from rest of the Yii world and just mentioning… you know… by the occasion… :] In total, this gives us +1! :]

Hehehehe

Its just that I use internally for my company and had never think of sharing before

That because it is specific to my project, a cms system I mentioned in a post a couple days ago, and that I plan to release part of it as a base cms system extension ( not all or my client may choose your company over mine :D )

Altho, Im already adapting it right now to be an extension and soon will post it here

Ps: Its not that pretty since I’ve got too much work to do in a little time, but it works as it should

It will be very nice module/extension.

Working on it

I’ll keep some dependencies and you do the rest of the job

No problem at all, at least for me. Please, post here, if you publish extension, so we could get informed and know, where to look after it, ok?

@Gustavo "[color="#1C2837"][size="2"]Altho, Im already adapting it right now to be an extension and soon (today ) will post it here , in a couple of hours"[/size][/color]

[color="#1C2837"] [/color]

[color="#1C2837"][size="2"]Sounds interesting[/size][/color]

Yea, could not finish it yesterday, but still working on it right now, was in a friends birthday party, and today in a barbecue with friends ( yea I do have a life)

Why would you down vote me ?

Im days working on a system that you benefit you and yet you do it …

I’m still doing it for the community in general and let you know when I finish it

Hej Gustavo! Cheer up, man and cool down! :]

I’m 99% sure that Pardhan wanted to give you +1, and simply missed the button. We had a situation like that here, that someone missed the button and then had to ask mdomba to correct it (Maurizio is [un]official forum moderator). Somehow can’t believe that someone is saying that your work sound interesting and gives you -1. I think it was a mistake.

And even, if this was intentional… Do you really care about these numbers? What then would you do in the situation like I had a few days ago, where there was an incident of spam-bots breaking into our forum, creating fake-accounts and giving -1 from these accounts to randomly selected people? :] I lost fifteen points within a few hours. And you know, what is most funny in this? I got no bloody idea that this happend as I don’t look at my forum profile to often and I don’t look on those +/- near each my post, because I don’t care about this numbers.

Hey man, look! You have 363 posts (1.69 per day), which is very good effect here. You helped a lot of people, your doing a very good stuff, interesting piece of software and you willing to share it with others. That is most important here and that is what really matters on the community. Not some idiotic, statistic numbers.

There was this guy among us, jacmoe. He got very high post rank (3.83 per day and reputation of 43), because he made 539 post within only three months of being in the forum. And he simply got lost. Didn’t showed up since January 9. And the most I’m regret is just his personality, his comments and post. I never actually cared if he has or hasn’t better rank than me.

So, once again, cheer up! :]

Hey Trejder,

Thanks man,

but its not the numbers itself, actually I really dont care about it, I didn’t know what “reputation” means until a couple days ago, I do care about people attitude when I’m helping them … yea I must cool down … heheh you are right … .

Its just that I was using all my weekend free time to make it work ( I actually thought it would take me a couple hours, but I’m working on it like six more )

and then I came to the post to say “Hey, still working on it” and theres some guy actually critiizing me for the work I’m doing for free, to help him and others … that really pisses me off …

Anyway, cooled down and still working on it and soon I’ll have something … It is taking me a little more so I can present something useful because the module I had was useful to my system only, that you might have read how it works in the link I sent … now Im making it more general and useful to most systems …

anyway, thanks for the words Trej

Btw, where the hell is jacmoe ? He vanished

PS: I actually didn’t post anything for 6 months, just learnt searching, or my post rate would be a little higher:)

@Gustavo

Thanks for sharing, overall I think the forum users are extremely helpful and appreciative of other peoples time. There are some very good programmers on this forum so probably best to just focus on that.

doodle

I am very confused why I am targeted for voting someone down when I did +1

????

I made +1 on as much I could. cool down please

I think,

this all just shows that

There is need to make you all Mature and Professional.

It is very simple to says that what if one gives you +1 or -1?

It is same as when I made my first or second(I am not sure) post and one of community member made a sort of joke. The person who answered my question requested me to give -1 for the help either it resolve the issue or not.

I think, we have to do for the community not for points.

If we do so, then what ever there will be results, they will be productive not destructive.

So, its a request to all of the Members of the Community to be Professional.

Thanks

I didn’t said it to anyone in particular, I mean because I’ve seen it a many times (almost nothing in this forum, and I’m sorry if I offend anyone), these kind of attitude when people are doing a voluntary job to help others and you offer a hand and they want your arm

And like I said, I dont care about numbers, I care about peoples attitudes

When I first started to help people I had no idea of the point system of reputation or anything like that, I just do because I like to give back

The down vote was probably because I said

speaking of the cms system I cited

and some people might think that is selfish to think like that, and for those the thing is

I’m working months on this system and why should I give it to you for free so you can just enjoy and profit ?

Like I said, I’ll realease part of it and you do your part of the job, and also, my system will be free of charge to use ,at least the free plan, which include most features, and the people that choose other plans will help to pay my company’s bills

That said, sorry for the confusion and still releasing it soon (now its monday and I need to work a bit in different things, but any free time I’ll be working on the layout module)

PS: Pradhan, you got back the+1 from me