by KK » Fri Apr 11, 2014 2:40 am
I know it's not supported by couch ..
.. or isn't it possible at all ?
It is actually possible.
However, I've chosen not to document it because deletion requires due care to be exercised while implementing. Any mistake and you'll be creating vulnerabilities in your site.
To illustrate my point, let us take the very code that you posted above.
Assuming the code did work, it would have left your site wide open to the dreaded CSRF vulnerability.
You can google around for details of CSRF but to describe its effects in brief here - an attacker can trick a logged-in user to (unknowingly) submit the form you coded with any page-id to actually delete the page without even realizing what is happening.
An effective weapon against CSRF is the use of 'nonces' (arbitrary values that cannot be predicted by the attacker).
OK, so with the dangers understood, we can now see how to delete a page from the front-end.
Following is the tag that does it
<cms:db_delete masterpage='template name of page to delete' page_id='id of page to delete' />
The cms:db_delete tag above is part of the frontend-form's suite of tags.
An equivalent of the form that you posted could now become -
<cms:if k_is_page >
<cms:set page_to_delete=k_page_id 'global' />
<cms:form method='post' anchor='0' >
<cms:if k_success>
<!-- Delete the specified page -->
<cms:db_delete masterpage=k_template_name page_id=page_to_delete />
<!-- redirect to the list-page -->
<cms:redirect "<cms:link masterpage=k_template_name />" />
</cms:if>
<input type="submit" name="submit" value="Delete this page"/>
</cms:form>
</cms:if>
Please do not use the code above without adequate CSRF protection. Following is how we can put in the required protection in the above form -
<cms:if k_is_page >
<cms:set page_to_delete=k_page_id 'global' />
<cms:form method='post' anchor='0' >
<!--
Step 1. Create a string describing the action to create the nonce for.
Make sure that the string also contains the affected page's id.
In this example the string would be "delete_page_277" for deleting page with id 277.
-->
<cms:set my_action="delete_page_<cms:show page_to_delete />" />
<cms:if k_success>
<!-- Step 3. Verify the submitted nonce -->
<cms:validate_nonce my_action />
<!-- If we are here, the nonce was verified and we can execute the action -->
<!-- Delete the specified page -->
<cms:db_delete masterpage=k_template_name page_id=page_to_delete />
<!-- redirect to the list-page -->
<cms:redirect "<cms:link masterpage=k_template_name />" />
</cms:if>
<!--
Step 2. Create a nonce for the action (created in step 1 above ).
This will be submitted with the form.
-->
<cms:input name='nonce' type='hidden' value="<cms:create_nonce my_action />" />
<input type="submit" name="submit" value="Delete this page"/>
</cms:form>
</cms:if>
As you can see, using a nonce requires three steps -
create_nonce,
submit it with form,
finally validate_nonce upon successful form submission.
The code above will delete the page the form is used upon.
Usually, we offer the deletion facility from a page that lists all cloned-pages (as in Couch's admin-panel). The general outline will remain the same but do let us know if you have doubts about anything.
Hope this helps.
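To make the three-step nonce pattern above concrete, here is a stand-alone Python illustration of one way such nonces can be built and checked. It is an added example, not Couch's own create_nonce/validate_nonce implementation; the server key, session id, page ids and the 24-hour lifetime are constructed assumptions. Binding the nonce to the action string ("delete_page_277") and to the session is what stops a nonce minted for one page being replayed against another.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed values: a real deployment keeps the key in server config and
# takes the session id from the authenticated user's session.
SERVER_KEY = b"constructed-server-secret-do-not-reuse"
NONCE_TTL_SECONDS = 24 * 3600


def create_nonce(action: str, session_id: str, now: Optional[float] = None) -> str:
    """Step 2: mint a nonce bound to the action string from step 1 and to the session."""
    issued = int(time.time() if now is None else now)
    msg = f"{action}|{session_id}|{issued}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def validate_nonce(action: str, session_id: str, nonce: str,
                   now: Optional[float] = None) -> bool:
    """Step 3: recompute the MAC for the *expected* action and compare in constant time.
    Rejects malformed, expired, future-dated, wrong-session and wrong-action nonces."""
    try:
        issued_str, mac = nonce.split(":", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False
    current = time.time() if now is None else now
    if issued > current or current - issued > NONCE_TTL_SECONDS:
        return False
    msg = f"{action}|{session_id}|{issued}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_delete_request(page_id: int, form: dict, session_id: str,
                          now: Optional[float] = None):
    """Mirrors the Couch form: page_id comes from the page the form lives on (k_page_id),
    the action string embeds it, and deletion only proceeds after the nonce verifies."""
    action = f"delete_page_{page_id}"           # Step 1: action string with the page id
    if not validate_nonce(action, session_id, form.get("nonce", ""), now=now):
        return False, "nonce check failed: request rejected"
    # The real db_delete would run here; this example only reports the decision.
    return True, f"deleted page {page_id}"
```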