androidworkz Smarty Rookie
Joined: 08 Aug 2011 Posts: 15
|
Posted: Mon Aug 08, 2011 4:02 pm Post subject: Limit Smarty Functions |
|
|
I searched and found some old threads that addressed this issue but they had links to documentation that no longer exists and I can't find anything in the documentation... maybe I am looking in the wrong place.
Here is the situation. I have created a variety of plugins that I would like to allow to be used within a post and page editor.
For example:
{visitor}Visitor Only Content{/visitor}
{member}Member Only Content{/member}
However, I only want to allow certain Smarty functions to be used within the post/page editor. How do I limit that?
I am using a policy class for the global site permissions but would like to be able to dynamically load a security policy that limits what Smarty functions can be used when I fetch the post/page from the database.
Any ideas? |
|
U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
|
Posted: Mon Aug 08, 2011 4:25 pm Post subject: |
|
|
You can create a template object and set up individual security for that template.
example
Code: |
// create template object
$tpl = $smarty->createTemplate('post.tpl');
// set up security
$tpl->smarty->enableSecurity('TemplateSecurityClass');
// get data
$result = $tpl->fetch();
|
|
|
androidworkz Smarty Rookie
Joined: 08 Aug 2011 Posts: 15
|
Posted: Mon Aug 08, 2011 4:44 pm Post subject: |
|
|
Thanks... yes, I understood how to create the security object...
Sorry I wasn't more clear. I want to know how to limit the compiler functions. So far, I have figured out that there isn't a feature to do that... am I wrong?
Looking at a dump of the template object, it also appears that the 'template_functions' property always returns an empty array. My thought was that I might be able to filter that somehow. |
|
U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
|
Posted: Mon Aug 08, 2011 4:56 pm Post subject: |
|
|
In Smarty 3.1 you have real sandboxing.
There you can fill in the security class $allowed_tags with the list of tags which are allowed or $disabled_tags with the list of tags which are not allowed.
This covers Smarty's internal tags and plugins as well.
Is that what you wanted? |
|
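Added example, not part of the original thread and not Smarty's own code: a restrictive policy built on the `$allowed_tags` property described above, enabled per template the same way as in the earlier reply. The class name `PostSecurityPolicy`, the helper `render_post()`, the two plugin callbacks, the `is_member` variable and the include path are assumptions made for illustration.

```php
<?php
require_once 'Smarty.class.php'; // assumption: Smarty 3.1 is on the include path

// Policy for user-authored posts: only the tags listed here may appear.
class PostSecurityPolicy extends Smarty_Security
{
    public $allowed_tags = array('visitor', 'member');
}

// Hypothetical stand-ins for the poster's {member} and {visitor} block plugins.
function post_block_member($params, $content, $template, &$repeat)
{
    if ($repeat) {
        return '';                        // opening tag: nothing to emit yet
    }
    return $template->getTemplateVars('is_member') ? $content : '';
}

function post_block_visitor($params, $content, $template, &$repeat)
{
    if ($repeat) {
        return '';
    }
    return $template->getTemplateVars('is_member') ? '' : $content;
}

// Render one post body fetched from the database under the restrictive policy.
function render_post(Smarty $smarty, $body, $isMember)
{
    $tpl = $smarty->createTemplate('string:' . $body);
    $tpl->smarty->enableSecurity('PostSecurityPolicy'); // same call as in the reply above
    $tpl->assign('is_member', $isMember);
    try {
        return $tpl->fetch();
    } catch (SmartyException $e) {
        // A tag outside $allowed_tags fails compilation: reject the whole post.
        error_log('post rejected by template policy: ' . $e->getMessage());
        return null;
    }
}

$smarty = new Smarty();
$smarty->setCompileDir(sys_get_temp_dir());
$smarty->registerPlugin('block', 'member', 'post_block_member');
$smarty->registerPlugin('block', 'visitor', 'post_block_visitor');

// Constructed sample posts: the first uses only allowed tags, the second does not.
var_dump(render_post($smarty, '{member}Member Only Content{/member}', true));
var_dump(render_post($smarty, '{include file="other.tpl"}', true));
```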
androidworkz Smarty Rookie
Joined: 08 Aug 2011 Posts: 15
|
Posted: Mon Aug 08, 2011 5:07 pm Post subject: |
|
|
I wonder if I can use unregisterPlugin() to remove the smarty compiler functions in the security policy constructor. |
|
androidworkz Smarty Rookie
Joined: 08 Aug 2011 Posts: 15
|
Posted: Mon Aug 08, 2011 5:08 pm Post subject: |
|
|
U.Tews wrote: | In Smarty 3.1 you have real sandboxing.
There you can fill in the security class $allowed_tags with the list of tags which are allowed or $disabled_tags with the list of tags which are not allowed.
This covers Smarty's internal tags and plugins as well.
Is that what you wanted? |
Yes, this is exactly what I want. |
|
androidworkz Smarty Rookie
Joined: 08 Aug 2011 Posts: 15
|
Posted: Mon Aug 08, 2011 5:54 pm Post subject: |
|
|
Ok I got that working... do you expect a lot of changes to RC1 yet? I am just wondering if I should strictly avoid including RC1 in a production product... This isn't a product for distribution... so I have total control over what version I am using.
I am not sure if this is a great place to make a feature request, however, there should be an option to strip the tags that are not allowed rather than throwing an exception... just as you do with the PHP tags in the older version. >> Smarty::PHP_REMOVE |
|
U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
|
Posted: Mon Aug 08, 2011 6:36 pm Post subject: |
|
|
The SVN Smarty_3_1_DEV branch has some bugfixes and improvements compared to RC1.
It's very likely that this will become the official release in a few days. |
|
androidworkz Smarty Rookie
Joined: 08 Aug 2011 Posts: 15
|
Posted: Mon Aug 08, 2011 7:58 pm Post subject: |
|
|
U.Tews wrote: | The SVN Smarty_3_1_DEV branch has some bugfixes and improvements compared to RC1.
It's very likely that this will become the official release in a few days. |
Thanks, I have switched to that branch for now. I am still in development anyway. I didn't realize that 3.1 was so close to release. Thanks for all of the work you do. |
|