Good day all,

I had an idea that I will try to investigate soon enough and I am not entirely sure where to start but, let me explain what I am trying to achieve.

I am using Inline Editing for a number of actions and I would love to extend the inline tag to take one more parameter:

confirmation_required='1'

Code: Select all

<cms:inline_edit 'intro_title' confirmation_required='1' />

Which if set, it would prevent saving the change and send an email to the one making the change(these areas are only available to administrators) with a code and they would have to copy that code and input it to resume the save. This is prompted by a Zero Trust Security Policy that I am implementing and would play a nice role into it.

An even better solution would be if the email would contain a link and the change would only take place if that link is:
• Open from a mobile device;
• The user authenticates to couch from the mobile device and approves the change;
• Link is available only for 5 minutes.

But I do expect that the second option would take quite a bit of coding to do but would allow couch to have a sort of a two factor authentication that can be placed also upon regular login as well as certain changes.

But one step at a time

Did someone experiment with something like this?

[trendoman]

A general thought — one link per one edit (=10 links per 10 edits ) is not practical.

Also an idea — Couch has Drafts feature that seems a right thing to employ. In light of your Admins never having access to actual Couch backend (in another topic you discuss this), the 'Create draft' button is not available. So, I am looking at the following logic: any inline edit triggers creating a draft page in backend and all edits are made in said draft. Once a button 'Save and confirm via device' is clicked inline, the link is generated once and sent to email. Following that link triggers standard Couch 'Update original' procedure if 'is_mobile' variable is set in Couch context (=mobile device detected).

To add more security, we can whitelist a few ip addresses, but this may lock out the person, connecting from another network. I only mention this because ip block can be used in special circumstances. Next, we may cut off bots and, separately, protect the URL dynamically via .htaccess (=one extra password, that can be emailed too).

There are no ready-to-go solutions though. I could supply the mobile detect addon and mentioned security-related addons too, however I did not hear about 'email confirmation' thing yet. This could be a nice feature, that crossed my mind earlier too, but seemed not too easy to make during my lunch time.