Newspublisher-3 without user login step, possible?

Support Extras
1

Hi all!
Another dummy question perhaps. I wonder if it is possible to use the newspublisher form without a login step? I am looking for a solution allowing users to submit info via a web form. Musicians submit detailed profile info with bio, links, etc to apply for participation in some music event. A team of moderators (MODX admins) will review it, fix as necessary and publish on the website as pages. In other words, I hope to:

  1. build a form with the newspublisher that is accessible to everyone.
  2. write user input into a MODX db to create pages (not published)
  3. be able to review/edit these pages in MODX (no need to edit existing documents in the front end; only trusted staff members do edits, not the musicians themselves).
    Please let me know if this is possible and if not, what other method/extension would you recommend.

Also, I built the form. All is looking great only for some reason I can’t get it submitted. There aren’t any validation errors. On submit the page refreshes to show the same form. Nothing is written into the database.

2

Ok let’s get the form working as a first step. If we could see some code, with triple-single ticks (next to the number one key usually) above and below the code, then we could help more.

As for public submission, I believe if you give the pages access to the web context it should be available publicly. You will want to put a bunch of anti-spam methods in there as well, like ask them to put text in and other stuff.

Newpublisher by itself doesn’t I would think care one way or another as to whether someone is logged in…but now I feel that this extra might not necessarily be the right one for the job…and it might need a logged in user so that the post would be connected with the writer

1 Like
3

Thank you, nuan88.

Yes, the code. I call NewsPublisher like this.

[[!NewsPublisher?
	&show=`3,4,5,6,7,8,10,23,11,12,13,14,15,9,20,21,16,17,18,19,29,24,25,26,27,28`
	&required=`3,4,5,6`
	&initdatepicker=`1`
	&initfilebrowser=`1`
	&published_default=`0`
	&parentid=`5`
]]

It’s a big form and it is fully visible on page. The issues I have so far:

  1. The form doesn’t submit.
  2. Select a file (file upload) doesn’t do anything. But maybe I need to call another snippet for it to work? I didn’t quite understand it. I just included &initfilebrowser=1 above and expect it to initiate file browser.

As for security, I would add captcha and that should be enough provided the form has validation.

1 Like
4

I just realized that pagetitle is a mandatory field and a source of the unique page url. Once I included it in the &show list my form submitted fine. Therefore the only question re: form is how to enable file upload. Do I need to call another snippet or including a TV (type file) + &initfilebrowser=1 into the NewsPublisher call is enough?

And then how to make NewsPublisher form public for any (not only logged) website visitor?

1 Like
5

According to this page it should have file browser capabilities

https://docs.modx.com/extras/revo/newspublisher

However according to this newer looking page its designed to check whether the user is logged in or not

https://modx.com/extras/package/newspublisher

6

I guess it would be great to hear from Bob Ray himself. It has principle importance for me to understand whether NewsPublisher can be used in the open without any login procedure.

Next question elFinder - does it require some installation and a separate call or it’s a part of NewsPublisher package? It’s my impression that it is, but…
In my form I have both upload file “file” and “image” type fields - none of them is currently working. Click on “select an image/file” doesn’t do anything.

Also, it would be nice to add captcha indeed. Not sure how do I add it to this form.

1 Like
7

The forums are usually quiet on the weekends, people will be around this week

8

Yes, I would imagine… me going for a swim too :slight_smile: But, yes, this is a question… the form is looking good and working like a charm, hope the snippet can be used in this project.

1 Like
9

Yes let’s see. There might be a setting to allow anonymous users…its weird that a seemingly older version clearly says anyone can submit but the other page clearly says the opposite…

Worse comes to worst, you could probably hack the snippet to avoid the check, but that would be a bit extreme.

The one thing I know, sort of, about the uploading is that its often handled by a bit of js…a ‘dead’ button to me looks either like the js isn’t in place or perhaps its a setting issue. I once had an issue where the js files were blocked (China, don’t ask lol) and that’s exactly what it looked like, page looked fine but buttons do nothing.

It is possible that you need another extra for uploading, that info should be in the documentation. Usually I believe BobRay will put all the functionality in there, Modx has…tools I dunno that can be invoked to do this stuff. So this seems very doubtful to me.

1 Like
10

I was going to ask if you’ve read the tutorial at Bob’s Guides: https://bobsguides.com/newspublisher-tutorial.html – but it seems his site is down temporarily atm. That would be the place to go as soon as it’s back up. I had to follow it step by step to get my form set up with file uploads.

Will add my set up here in case any of it helps. There are three pages, all are hidden and published. This is my NP call on a parent page (called Newspublisher if you left it as it was created).

[[!NewsPublisher? 
    &show=`pagetitle,all-the-rest-of-your-tvs, etc` 
    &initrte=`1` 
    &rtcontent=`1` 
    &parentid=`5`
    &published=`1` 
    &aliastitle=`0`
    &aliasprefix=`pagetitle`
    &aliasdateformat=`-sdHmi`
    &template=`6` 
    &captions=`captions here...` 
    &initfilebrowser=`1` 
    &tinymceinittpl=`mtTinymceInitTpl`
    &postid=`ID of the form page here`
    ]]

There are 2 child pages of this page, npElFinder and npElFinderConnector that NP creates for you.

On npElFinder page:

[[!npElFinderContent]]

On npElFinderConnector page:

[[!npElFinderConnector? 
    &disableCommands=`archive, download, cut, copy, paste, duplicate, edit, open, mkdir, mkfile, netmount, netunmount, rm, rename, quicklook, view` 
    &browserBasePath=`[[++base_path]]images/`   
    &browserBaseURL=`[[++base_url]]images/`
]]

i remember having to play around with the disableCommands property, but don’t remember specifics anymore. This is where the tutorial page would come in handy.

I started my queries about this extra and getting elFinder to work on the old forum here: https://forums.modx.com/thread/104690/help-getting-elfinder-working-with-newspublisher#dis-post-563126

Unfortunately I can’t answer the question about whether the NP form can be submitted by an anonymous user, but I’m hoping the answer is yes because I have a very similar use case coming up in a new project. If not NP, then the FormIt2db hook for Formit extra might work. It can submit from anon and use captcha, and then would be a matter of working out how to turn each record into a page…

2 Likes
11

Sorry for the delay, I’ve been out of the country and the server had a problem while I was gone. The site is back up now.

TBH, I don’t know if NP will work out of the box with anonymous users. You might have to create a Context Access ACL entry for the web context for the anonymous user group using the NewsPublisherEditor Policy.

You should be able to use the file browser to let anonymous users upload files, but they would have to have permission to do so.

There are some issues with allowing anonymous users to do all that. For example, a malicious bot could upload hundreds (or thousands) of files to your site. And if the user could figure out the file locations and they were accessible via the web, your site could be hacked pretty easily.

2 Likes
12

Thank you, for your reply, Bob. I’ve read your tutorial page. In fact this is how I found Newspublisher - through your website. Back to our use case. Newspublisher does exactly what I need - creates a not published page from the user input. And it generates the form which is sweet. Perfect!

Now, it would be fantastic to get it working for anonymous users. I will look into Contexts (though, honestly, I am totally blank in this area).

File upload is not principle for me if too tricky or risky. But it would be nice to have at least image upload possibility.

Lucy, thanks for this hint. Ideally the Newspublisher makes it all happen.

1 Like
13

I wasn’t suggesting that you create a new context, just that you create a Context Access ACL entry for the Anonymous user group, with an authority level of ‘member,’, a Context of ‘web’ (your existing front-end context), and a Policy of NewsPublisherEditor. That should let anonymous users create and save pages in NewsPublisher and upload files.

This is done in System (gear icon) -> Access Control Lists (i.e., ACLs).

  1. On the User Groups & Users tab, right-click on the (anonymous) user group
  2. Select “Update User Group”
  3. Click on “Permissions” at the top and then “Context Access” at the left
  4. Click on “Add Context”
  5. Fill in as follows:

a) Context: Web
b) Minimum Role: Member - 9999
c) Policy: NewsPublisherEditor

Click on the “Save” button.

Be aware that this will let anyone with internet access create unlimited pages and upload unlimited files. Be careful where you let them upload the files to and create a specific directory for the pages. I would move the core above the web root (as described here) and direct the uploaded files to somewhere under the core directory.

You might be able to use a file TV with a Media Source to control the upload location. I think you could also create User Group Settings (update the anonymous user group as described above and do it on the Settings tab), with keys of upload_files, upload_maxsize, and upload_media to control the uploads (see the System Settings with those keys). Those User Group Settings will override the System Settings with the same key.

2 Likes
14

Oh, Bob, thank you for the detailed instruction. I’ve done 1-5 entered a,b,c and saved - but the form page still shows a blank screen with a line of text “You must be logged in to use NewsPublisher”.
Can it be because I first installed Login package, then uninstalled and removed it? I deleted core/cache/* though.

I understand about the security risks and will follow your advice. But first thing first, I’d like to get it working somehow.

1 Like
15

Sorry, I forgot that because of the security issues, the requirement to be logged in is hard-coded into the NewsPublisher snippet on line 221:

$loggedIn = $modx->user->hasSessionContext($modx->context->get('key'));

If you change that line to this, it should allow anonymous users to use NP:

$loggedIn = true;

If you want your change to survive upgrades to NewsPublisher, you can duplicate the snippet, make the change to the duplicate, and use the duplicate snippet instead of ‘NewsPublisher’ in the snippet tag.

2 Likes
16

Sorry me, updated the snippet and have some progress - the page loads however there’s still an error message saying: “Sorry . . . There were one or more problems in producing the form:You do not have permission to create a document”.

Thanks for the duplicate snippet hint!

1 Like
17

You need to give your anonymous users `new_document’ permission or comment out this section of the NewsPublisher class file around line 639 (like this):

/* if (!$this->modx->hasPermission('new_document')) {
      $this->setError($this->modx->lexicon('np_create_permission_denied'));
      return;
} */

Just giving them the permission is a better option because it will survive upgrades.

1 Like
18

If possible, maybe I can clarify:

We need to have NP showing on the public page, that’s web context, which is the standard public context for pages visible to everyone. That’s the steps that BobRay provided. It seems you’ve done that as it appears on the page as you said. That message indicates NP is ready to show

But, in order to handle this requirement, we also need to provide the anonymous user (another standard value, in settings) permissions as well. This is needed to allow anonymous users to post.

Hacking the extra isn’t a huge problem to be honest, but there is the danger of default files being overwritten, due to an update or upgrade.

If you save your code this is a fairly minor problem, because you can just change the files back. It doesn’t happen often in all honesty.

Still, better to avoid hacking

19

Ok, worked but this time it is: “You do not have permission to launch the File Manager”.

I agree, it would be nice to have an option to allow the NP on a public page and allow anonymous users to actually use it. Maybe with all necessary security warnings it’s a valid “feature” to this snippet?

But how do we do it via settings?

1 Like
20

Ok great! You’ve made progress.

Ok, so just as you gave the anonymous group access to NP, now give it access to the File Manager

Frankly access to the public is a rarer use case, as BobRay mentioned it opens up a lot of security issues.

You might want to consider some sort of super simple signup, BobRay has some great extras for that, they could shift the user right into the form without need to check email, click the link, and so on, but would still help a lot from a practical standpoint

1 Like