How to use "Contact us" feature? Activated - and now?

posts: 55

Hi Bernard Sfez / Tiki Specialist,
hi Jonny Bradley,

I am understanding the following:

  • My error "Invalid Parameter: itemId" does not actually mean that there is a parameter inserted wrongly, but this parameter "itemId" is actually missing.
  • The missing parameter can be passed by URL.
  • During sending of the form, a custom URL can be defined. In the given URL the string "itemId" will be replaced with "itemId=xx", where xx is the new/current itemId.
  • {trackeritemfield}, according to documentation ("If it itemId is not specified and the url used to access the page has a itemId parameter, the value of itemId parameter will be used."), then automatically adds this parameter from URL, if present.

So, if I don't want any behavior changes other than to add "itemId" to the URL for this to work, I take the URL I get when sending the form

https://my.url/tiki-index.php?page=Impressum&ok=y&iTRACKER=1#wikiplugin_tracker1

add "itemId", strip protocol and domain and set URL parameter like so:

url="tiki-index.php?page=Impressum&ok=y&iTRACKER=1#wikiplugin_tracker1&itemId"

After testing this: The new URL seems to work - nothing changes except that itemId is added to the URL, including the actual Id value. Nevertheless, the error is the same. Seems like the URL param does not get automatically used in {trackeritemfield}.

Second test: I moved the parameter "ItemId" from the end of the parameter list to the start (and parameterized pagename for robustness) using

url="tiki-index.php?itemId&page=&ok=y&iTRACKER=1#wikiplugin_tracker1"

Voilà - it works as expected! But only if logged in as an admin. If I try as anonymous, on the confirmation page I get an error "You don't have permission to edit an Item" (translated from the German error message). The item gets added. Then I don't want to edit it, I just want to view my own item. If I don't have permission to view other items, this prevents the exploit that can show other items when you enter the itemId in the URL manually... or is there another way to prevent this?

Is there anything in the URL I pass, that can be further parameterized - as I did with the page name?
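The two url= templates from this post, emulated as an added example (not Tiki's own code) to show why the first one failed: everything after "#" is a URL fragment, which browsers never send to the server, so an itemId placed there never reaches {trackeritemfield}. The replacement of the bare "itemId" token with "itemId=<id>" is assumed here to be a plain string substitution; the item id 42 is constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed templates, copied from the two attempts described above.
# In the second one, page= is left empty for Tiki to fill in (as in the thread).
FIRST_ATTEMPT = "tiki-index.php?page=Impressum&ok=y&iTRACKER=1#wikiplugin_tracker1&itemId"
SECOND_ATTEMPT = "tiki-index.php?itemId&page=&ok=y&iTRACKER=1#wikiplugin_tracker1"


def fill_item_id(url_template: str, item_id: int) -> str:
    """Emulate the documented substitution: the first bare 'itemId' token
    (one not already followed by '=') becomes 'itemId=<item_id>'.
    Assumption: Tiki does a simple token replacement like this one."""
    return re.sub(r"itemId(?!=)", f"itemId={item_id}", url_template, count=1)


def server_visible_params(url: str) -> dict:
    """Return the query parameters the server would actually receive.
    urlsplit separates the fragment (after '#'), which the browser keeps
    to itself, from the query string that is sent with the request."""
    parts = urlsplit(url)
    return {key: values[0] for key, values in parse_qs(parts.query).items()}


def item_id_reaches_server(url_template: str, item_id: int = 42) -> bool:
    """True if, after substitution, itemId is part of the query string
    rather than buried in the fragment."""
    return "itemId" in server_visible_params(fill_item_id(url_template, item_id))


if __name__ == "__main__":
    for name, template in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT)):
        filled = fill_item_id(template, 42)
        print(f"{name}: {filled}")
        print(f"  server sees: {server_visible_params(filled)}")
        print(f"  itemId reaches server: {item_id_reaches_server(template)}")
```

The first template yields itemId only inside the fragment, which explains the unchanged "Invalid Parameter: itemId" error; the second places it in the query string where the plugin can read it.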

posts: 126809 United Kingdom

Well done FootlooseTraveller, I guess some improvements to (or a new version of) the contact form profile seem to be needed :-)

FootlooseTraveller wrote:
Voilà - it works as expected! But only if logged in as an admin. If I try as anonymous, on the confirmation page I get an error "You don't have permission to edit an Item" (translated from the German error message). The item gets added. Then I don't want to edit it, I just want to view my own item. If I don't have permission to view other items, this prevents the exploit that can show other items when you enter the itemId in the URL manually... or is there another way to prevent this?


There are some settings in Tracker properties => Permissions called "User can see his own items" and "Item creator can modify his items", but these depend on having a UserSelector field which "claims" ownership of the items a user creates... however, this is tricky for anonymous users. I think there's a way of doing it from the user's IP, but that's never going to be 100% reliable.

Ah, just read your post again, you don't want them to edit, right? Normally you would just send them to a different "thank you" page, but I guess you could use the {PARAM} plugin to only add the {TRACKER} plugin if itemId is not present on the URL...

Does that get you to the next step? Hope so!

posts: 55

Hi Jonny Bradley,

thanks again for the fast response!

So you think that the {TRACKER} plugin tries to edit them in the second call? I'll look into that. Thanks for the idea! I'll be back after fiddling around with it. ;-)

p.s. How do you escape "{TRACKER}"? I do with ~np~, but yours looks better. ;-)

posts: 55

Hi Jonny Bradley,

thanks again for the right hint! Now it works as expected, in every detail.

{PARAM(name=ok value=y)}
{REMARKSBOX(type="confirm" title="Nachricht erfolgreich versendet")}Antwortadresse: {trackeritemfield trackerId="2" fieldId="6"}

Nachricht: {trackeritemfield trackerId="2" fieldId="7"}{REMARKSBOX}
{ELSE}
{TRACKER(trackerId="2" fields="6:7" action="Senden" showtitle="y" showdesc="y" url="tiki-index.php?itemId&page=&ok=y" email="6|FootlooseTraveller|wiki:Kontakt EMail tpl")}{TRACKER}
{PARAM}

I have an idea how to solve the issue that anyone can guess an itemId and get older messages to show up: After showing that the answer is successfully sent, I would like to just delete the item. At this moment, it is not needed anymore. I am completely satisfied to have the email sent to me.

Is there a plugin that just deletes a tracker item when the wiki source code is parsed? I would like something like:

{PARAM(name=ok value=y)}
{REMARKSBOX(type="confirm" title="Nachricht erfolgreich versendet")}Antwortadresse: {trackeritemfield trackerId="2" fieldId="6"}

Nachricht: {trackeritemfield trackerId="2" fieldId="7"}{REMARKSBOX}
{Delete tracker item itemId} command wanted here
{ELSE}
{TRACKER(trackerId="2" fields="6:7" action="Senden" showtitle="y" showdesc="y" url="tiki-index.php?itemId&page=&ok=y" email="6|FootlooseTraveller|wiki:Kontakt EMail tpl")}{TRACKER}
{PARAM}

I just made a new post for this question.

posts: 126809 United Kingdom
FootlooseTraveller wrote:
I have an idea how to solve the issue that anyone can guess an itemId and get older messages to show up: After showing that the answer is successfully sent, I would like to just delete the item. At this moment, it is not needed anymore. I am completely satisfied to have the email sent to me.


Hi FLT 😬

As you say, you could use a {LISTEXECUTE} plugin with a cron job to remove the items, but usually I find they are a good backup and don't take up much space.

You can (and should) set the permissions on that tracker so Anonymous (or whoever) can create items only, keeping tiki_p_view_trackers for admins only, and then use the "User can see his own items" option with an owner user field if suitable.

jb