NeoCMS Security - First NeoCMS question is mine! - Forum


Hi Luis, @luishp, thanks for the great job on the new version. (I love that NeoBackgrounds plugin too much)

The question is about NeoCMS. I mean, if someone uses the Chrome console and resends, let's say, the neoCmsAddUser function a lot of times,

can he make a lot of users and admin users? Can he spam the site created with NeoCMS?

Can you tell me about the overall security of the new plugin, please?

Thanks!

@noyzen I was expecting this question :)

By default neoCms will not allow any operation.

Possibilities:

  1. You can create public Collections to allow access to everyone (I suggest read only access).
  2. Create a private Collection and an API token on the backend. Then assign the Token the desired permissions.
    Each neoCms plugin command has its own endpoint (see command descriptions).
    Just add the desired endpoints to the Token in the backend.
    Then use neoCmsSetToken.
  3. Create user groups on the backend and then add users to the group.
    Each group has its own permissions.
    Each user has his own API key.
    Once the user has logged-in the API token (if any) is replaced with the user API key.

So

  1. A general token with login permission is used to allow user login (or user registration, if you want to allow it, under a safe user group)
  2. Once the user is logged in, the API token is replaced automatically with a personal API key that is used in subsequent calls to each neoCms command. The API key has its own access permissions (defined in the user group or even by user).
  3. Once the user is logged out the permission token is set to blank.

My suggestion is to start with simple "read only" content until you are familiar with the backend permissions system.
I will be adding additional information.

Regards.

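Added example (not part of the thread and not NeoCMS's own code): a small JavaScript model of the flow described in the answer above, showing why resending a request from the browser console achieves nothing unless the credential sent with it lists that endpoint. The endpoint paths, token and key strings, user and group names, and the `allowed`, `handle`, `Session` and `replay` helpers are all constructed for illustration.

```javascript
// Constructed server-side policy: endpoint paths, tokens, keys and group names
// are placeholders for illustration, not NeoCMS's real values.
const policy = {
  publicRead: new Set(['/news/read']),                          // public, read-only Collection
  tokens: new Map([['tok-login', ['/user/login']]]),            // general API token
  groups: new Map([['authors', ['/entries/read', '/entries/save']]]),
  users: new Map([['author1', { password: 'pw1', group: 'authors', apiKey: 'key-author1' }]]),
};

// Default deny: an endpoint is reachable only if it is public or listed
// for the credential that accompanies the request.
function allowed(credential, endpoint) {
  if (policy.publicRead.has(endpoint)) return true;
  if (!credential) return false;                                // blank token
  if (policy.tokens.has(credential)) return policy.tokens.get(credential).includes(endpoint);
  const user = [...policy.users.values()].find(u => u.apiKey === credential);
  return user ? policy.groups.get(user.group).includes(endpoint) : false;
}

// Server entry point: the check runs on every request, however often it is resent.
function handle(credential, endpoint, body = {}) {
  if (!allowed(credential, endpoint)) return { status: 401 };
  if (endpoint !== '/user/login') return { status: 200 };
  const u = policy.users.get(body.user);
  // Plain comparison only because this is a model, not a password store.
  return u && u.password === body.password ? { status: 200, apiKey: u.apiKey } : { status: 401 };
}

// Client session following the three steps in the post.
class Session {
  constructor(token) { this.credential = token; }               // role of neoCmsSetToken
  call(endpoint, body) { return handle(this.credential, endpoint, body).status; }
  login(user, password) {
    const r = handle(this.credential, '/user/login', { user, password });
    if (r.status === 200) this.credential = r.apiKey;            // token replaced by personal key
    return r.status;
  }
  logout() { this.credential = ''; }                            // permission token set to blank
}

// Resending one request n times from the console; returns how many succeeded.
function replay(session, endpoint, n) {
  let ok = 0;
  for (let i = 0; i < n; i++) if (session.call(endpoint) === 200) ok++;
  return ok;
}
```

In this model a session holding only the login token, or an author's key, gets zero successes when replaying the constructed `/user/add` endpoint, because no credential lists it.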

Thanks a lot for detailed answer.

By the way, I can't install NeoCMS on my host. Chrome gives this error:

This page isn’t working

mysite.ir is currently unable to handle this request.

HTTP ERROR 500

I uploaded the zip file to the host, extracted it and tried to go to the http://mysite/cms/install/ path.

I have also read the Help; there is no installation info for NeoCMS.

Can you explain how to install NeoCMS, please?

@noyzen, it's as easy as extracting it into a folder. But your hosting must have these prerequisites:

  • PHP >= 7.1
  • PDO with SQLite support (or MongoDB)
  • GD, Zip extension enabled
  • Apache (with mod_rewrite enabled) or nginx

More information here:
https://getcockpit.com/documentation/getting-started/introduction

I have moved this thread to the correct forum section:
https://visualneo.com/forum/forum/neocms/

You can test it locally using neoPhp Server.

Regards.


Thanks Luis, still have no luck installing CMS on host :(

Also tried a local wamp server and can't do...

All plugins and requirements are installed and active on hosts.

I wonder if other people in forum installed it and can help me out :D

Regards.

@noyzen please take a look at the attached video.

This is neoPhp php.ini configuration:

;This configuration file will be copied to each project every time the server starts.
;and will be removed automatically every time the server stops.
;Usually it's not necessary to edit it.

date.timezone="Europe/Madrid"

; Maximum allowed size for uploaded files.
upload_max_filesize = 80M

; Must be greater than or equal to upload_max_filesize
post_max_size = 80M

; Enable ODBC extension module
extension=./php/ext/php_odbc.dll
extension=./php/ext/php_pdo_odbc.dll

; Enable SQLServer extension module
extension=./php/ext/php_sqlsrv_74_nts_x86.dll
extension=./php/ext/php_pdo_sqlsrv_74_nts_x86.dll

; Enable sqlite extension module
extension=./php/ext/php_pdo_sqlite.dll
extension=./php/ext/php_sqlite.dll

; Enable mysql extension module
extension=./php/ext/php_pdo_mysql.dll
extension=./php/ext/php_mysql.dll

;Enable GD extension
extension=./php/ext/php_gd2.dll

;Enable mbstring extension
extension=./php/ext/php_mbstring.dll

;Enable cURL extension
extension=./php/ext/php_curl.dll

allow_url_fopen = On
allow_url_include = Off
asp_tags = Off
display_errors = On
enable_dl = On
file_uploads = On
max_execution_time = 120
max_input_time = 60
max_input_vars = 10000
memory_limit = 128M
session.gc_maxlifetime = 1440
zlib.output_compression = Off

Regards


Thanks Luis!

My cousin is beside me. I just showed him the video and said:
look, the developer himself in person helps me with the problem, that's VisualNEO :DD

I will test and give feedback.

Regards.


UPDATE:

OK, I followed your guide and it worked.

Sorry for the newbie question, this is all offline and local. How can I put my customized app made with neoCMS on my host?

What is the next step?

@noyzen just upload it to your server :)
But be sure all the requirements are fine.

Note that you can have neoCms installed in a public URL and a local app, or remote one, accessing the content. It allows CORS by default.
Even a Desktop app can get the content.

Please check the included sample apps.
They get the content from https://cms.sinlios.eu
User: author
Pass: cmsauthor

Regards.
