
Limit Smarty Functions

androidworkz
Smarty Rookie


Joined: 08 Aug 2011
Posts: 15

Posted: Mon Aug 08, 2011 4:02 pm    Post subject: Limit Smarty Functions

I searched and found some old threads that addressed this issue but they had links to documentation that no longer exists and I can't find anything in the documentation... maybe I am looking in the wrong place.

Here is the situation. I have created a variety of plugins that I would like to allow to be used within a post and page editor.

For example:
{visitor}Visitor Only Content{/visitor}
{member}Member Only Content{/member}

However, I only want to allow certain Smarty functions to be used within the post/page editor. How do I limit that?

I am using a policy class for the global site permissions but would like to be able to dynamically load a security policy that limits what Smarty functions can be used when I fetch the post/page from the database.

Any ideas?
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Mon Aug 08, 2011 4:25 pm

You can create a template object and set up individual security for that template.

example
Code:

// create template object
$tpl = $smarty->createTemplate('post.tpl');
// set up security
$tpl->smarty->enableSecurity('TemplateSecurityClass');
// get data
$result = $tpl->fetch();
androidworkz
Smarty Rookie


Joined: 08 Aug 2011
Posts: 15

Posted: Mon Aug 08, 2011 4:44 pm

Thanks... yes, I understood how to create the security object...

Sorry I wasn't more clear. I want to know how to limit the compiler functions. So far, I have figured out that there isn't a feature to do that... am I wrong?

Looking at a dump of the template object, it also appears that the 'template_functions' property always returns an empty array. My thought was that I might be able to filter that somehow.
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Mon Aug 08, 2011 4:56 pm

In Smarty 3.1 you have real sandboxing.

There you can fill in the security class $allowed_tags with the list of tags which are allowed or $disabled_tags with the list of tags which are not allowed.

This covers Smarty's internal tags and plugins as well.

Is that what you wanted?
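The $allowed_tags approach described in the reply above, as an added example that is not part of the original thread or of Smarty's own code. The class name `EditorContentPolicy`, the helper names, the pass-through block plugin and the sample content are assumptions made for illustration; the `eval:` resource is used so nothing is written to the compile directory.

```php
<?php
require_once 'Smarty.class.php'; // assumption: Smarty 3.1 is on the include path

// Policy for content typed into the post/page editor: only the two
// block plugins from the question may appear as tags.
class EditorContentPolicy extends Smarty_Security
{
    // Whitelist. Left empty, Smarty applies no whitelist at all and only
    // $disabled_tags is consulted.
    public $allowed_tags = array('visitor', 'member');
    // Checked in addition to the whitelist; a tag listed here is refused.
    public $disabled_tags = array();
}

// Hypothetical stand-in for the poster's {visitor} and {member} plugins.
function editor_block_passthrough($params, $content, $template, &$repeat)
{
    return $content === null ? '' : $content; // $content is null on the opening tag
}

// Render editor content under the restricted policy. Returns the output,
// or null when compilation fails, which includes use of a refused tag.
function render_editor_content(Smarty $smarty, $source)
{
    $tpl = $smarty->createTemplate('eval:' . $source);
    // Same per-template set-up as in the earlier reply in this thread.
    $tpl->smarty->enableSecurity('EditorContentPolicy');
    try {
        return $tpl->fetch();
    } catch (SmartyException $e) {
        error_log('editor content rejected: ' . $e->getMessage());
        return null;
    }
}

$smarty = new Smarty();
$smarty->registerPlugin('block', 'visitor', 'editor_block_passthrough');
$smarty->registerPlugin('block', 'member', 'editor_block_passthrough');

// Constructed samples: a whitelisted block tag, then a built-in tag
// that is not on the whitelist.
var_dump(render_editor_content($smarty, '{visitor}Visitor Only Content{/visitor}'));
var_dump(render_editor_content($smarty, '{include file="other.tpl"}'));
```

Catching the exception and returning null keeps a refused tag from surfacing as an uncaught error on the page; the logged message names the tag that was refused.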
androidworkz
Smarty Rookie


Joined: 08 Aug 2011
Posts: 15

Posted: Mon Aug 08, 2011 5:07 pm

I wonder if I can use unregisterPlugin() to remove the smarty compiler functions in the security policy constructor.
androidworkz
Smarty Rookie


Joined: 08 Aug 2011
Posts: 15

Posted: Mon Aug 08, 2011 5:08 pm

U.Tews wrote:
In Smarty 3.1 you have real sandboxing.

There you can fill in the security class $allowed_tags with the list of tags which are allowed or $disabled_tags with the list of tags which are not allowed.

This covers Smarty's internal tags and plugins as well.

Is that what you wanted?


Yes, this is exactly what I want.
androidworkz
Smarty Rookie


Joined: 08 Aug 2011
Posts: 15

Posted: Mon Aug 08, 2011 5:54 pm

Ok I got that working... do you expect a lot of changes to RC1 yet? I am just wondering if I should strictly avoid including RC1 in a production product... This isn't a product for distribution... so I have total control over what version I am using.

I am not sure if this is a great place to make a feature request, however, there should be an option to strip the tags that are not allowed rather than throwing an exception... just as you do with the PHP tags in the older version. >> Smarty::PHP_REMOVE
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Mon Aug 08, 2011 6:36 pm

The SVN Smarty_3_1_DEV branch has some bugfixes and improvements compared to RC1.

It's very likely that this will become the official release in a few days.
androidworkz
Smarty Rookie


Joined: 08 Aug 2011
Posts: 15

Posted: Mon Aug 08, 2011 7:58 pm

U.Tews wrote:
The SVN Smarty_3_1_DEV branch has some bugfixes and improvements compared to RC1.

It's very likely that this will become the official release in a few days.


Thanks, I have switched to that branch for now. I am still in development anyway. I didn't realize that 3.1 was so close to release. :) Thanks for all of the work you do.