Ticket #391 (closed enhancement: fixed)
PSE tracking, moderation and security
| Reported by: | chris | Owned by: | chris |
|---|---|---|---|
| Priority: | major | Milestone: | PSE |
| Component: | Live server | Keywords: | |
| Cc: | jim, laura, ed | Estimated Number of Hours: | 0.0 |
| Add Hours to Ticket: | 0 | Billable?: | yes |
| Total Hours: | 1.73 | | |
Description
This ticket is to track time spent on the Tracking, Moderation and Security discussion, which has a wiki page here: https://wiki.transitionnetwork.org/Sharing_Engine/Tracking,_Moderation_and_Security
Change History
comment:1 Changed 5 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 0.0 to 0.5
comment:2 Changed 5 years ago by chris
- Milestone changed from Phase 6 to PSE
Milestone changed to PSE
comment:3 Changed 5 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.23
- Total Hours changed from 0.5 to 0.73
I did some more work on this wiki page:
Which of these approaches (or a mixture of them) are we going to adopt for the widget?
- HTML forms
- Javascript write
- Iframes
comment:4 Changed 5 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.75
- Total Hours changed from 0.73 to 1.48
I have done some research on iframes and written it up here:
comment:5 Changed 5 years ago by jim
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 1.48 to 1.73
Thanks Chris.
structure, iframes & js
Further to your research and documentation, the structure of the widget has been defined here: https://wiki.transitionnetwork.org/Sharing_Engine/Widget_structure
We're going for 'progressive enhancement', so the basic 'view' widget will just be an IFrame showing some information on TN.org. The 'Add your project' button will be a plain link that sends a user to TN.org to add their project. BUT if they have JavaScript enabled, they'll get a nice modal dialogue containing the widget, so they don't 'leave' the underlying page.
Devices/browsers that don't support iFrames will not be able to use the widgets.
Security & spam
Some basic CAPTCHA will be present on all entry forms, and all content posted through the widget must be moderated before going live. This may change in the beta/full version.
All widgets will send an ID to the site that will check they have permission to post through the widget. This is clearly basic security, and if it's not enough we can look at ajax requests that allow posts from an IP based on the referer HTTP header matching. Again, basic and easily beaten by someone wanting to get in, but then they'll hit the moderation.
Further beefing of security is probably beyond the scope of the alpha version, and might necessitate meatier coding/authentication.
Some initial thoughts have been added to the wiki:
https://wiki.transitionnetwork.org/index.php?title=Sharing_Engine/Tracking,_Moderation_and_Security&oldid=326
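
The widget ID check and Referer matching described in comment 5, sketched as an added example (not code from this ticket or from the Sharing Engine project). The registry, host names and function names are constructed for illustration, and rejecting posts with no Referer is an assumption; because the header is client-supplied, every accepted post still lands in the moderation queue.

```python
from urllib.parse import urlsplit

# Constructed registry: widget ID -> host the widget was issued to.
# IDs and host names are hypothetical sample values.
WIDGET_HOSTS = {
    "w-1001": "transition-town.example",
    "w-1002": "blog.example.org",
}


def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if unusable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer)
        host = parts.hostname  # strips userinfo and port, lower-cases the name
    except ValueError:  # malformed value, e.g. an unbalanced IPv6 bracket
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host


def check_widget_post(widget_id, referer):
    """Filter a post arriving through a widget.

    Returns "rejected" or "pending_moderation"; nothing goes live directly.
    """
    expected = WIDGET_HOSTS.get(widget_id)
    if expected is None:
        return "rejected"  # unknown widget ID
    # Compare the parsed host exactly. A substring or prefix test would also
    # accept "transition-town.example.other.example" or a registered host
    # that merely appears in the path or query string.
    if referer_host(referer) != expected:
        return "rejected"  # missing Referer is rejected too (assumption)
    return "pending_moderation"  # passed the filter, still needs a moderator
```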