Granting Public Write Access to Data Records


(Lewis) #1

Hi,

I’ve got an Asset Listing that lists off data records. When both the Asset Listing and the data records are unpublished and the Asset Listing is set to list only unpublished data records, this works absolutely fine.

I need to put the Asset Listing live so the public can access it but, when I do, I can’t list off the data records as they’re still unpublished.

I’ve found that, by granting public write access to the unpublished data records, I can get the Asset Listing to list them, even though they’re unpublished. This approach seems to kind of be documented in Squiz’s Permissions screen (clicking on the tool tip next to write access).

What would Squiz recommend? Publishing assets with public write access sounds doubly scary, even though this isn’t sensitive data, but it seems to be the only way to get an Asset Listing to work once it’s live!

Any other ideas?

@Bart


(Iain Simmons) #2

Hi Lewis,

I would recommend NOT giving public write access to any assets, though technically the Public User doesn’t have access to the Administration or Edit+ interfaces.

One possible solution is to have a trigger that writes the content to a static file (HTML or JSON, depending on what your listing outputs) whenever the data records are updated. Then you nest the contents of the static file with %globals_asset_file_contents:12345% or similar.

This has the added benefit of being faster to load for your users, but at the cost of taking slightly longer to save any changes to those assets. It’s suited to situations where there are not too many frequent updates.


(Lewis) #3

Hi @isimmons. Thanks for the update!

It’s a shame that asset listings don’t allow for read-only listing to the public when an asset isn’t published. Is this something that’s on the roadmap?

When creating the data records, having the grant option for public read implies that it’s possible, but it isn’t.


(Iain Simmons) #4

Hi @lewis,

I’m a bit confused… if you want the public/anyone to be able to read/view the assets… why not just make them Live?

What kind of content are we talking about here?


(Lewis) #5

Hi @isimmons. Good point. In this particular case, the records are going to store public email addresses. I don’t intend to make the data records directly accessible - they should only be able to be listed through the Asset Listing page.


(Iain Simmons) #6

Hi @lewis,

In that case, I think a trigger to write the result to a static file might be the best you can do, since otherwise asset listings will obey the permissions of the assets being listed. In particular, some permissions are required to display the result of keywords for the listed assets.

I’m fairly certain that is intentional to prevent potentially sensitive metadata from leaking out (which could include personally identifiable information about users).

I think it can be risky in general to list people’s email addresses publicly on a website, since at the very least you can open them up to a lot of spam attacks.

Sorry I couldn’t be of more help. Hope you find a suitable solution.

Cheers,
– iain


(Lewis) #7

@isimmons no worries, thanks for the suggestion!

I won’t be printing the email addresses on the website (sorry, I didn’t explain that too well in that latest response!). The intention is to have a Trigger that fires, say, once a day and goes through the ‘lists of subscribers’, i.e. the data records, and emails them, essentially creating a subscription service.

I guess my only concern was in understanding just how exposed those data records are if they’re granted Public Write access since they have URLs.


(Iain Simmons) #8

@lewis,

Ahh, in that case, you can just use the ‘Ignore Permissions’ option in the trigger actions and it will essentially have the same permissions as a system administrator or root user.

You shouldn’t need the users to have any access to those data records because they will only get the result.

That being said, there isn’t really a good way to ‘loop’ in a trigger, so you can’t really use it like a mail merge; you could only use the asset listing to get the email addresses for the ‘To:’ field, and then they would all get the exact same email.

Hope that makes sense.

Cheers,
– iain


(Lewis) #9

Hey @isimmons. If I remember rightly, there’s a way to provide a comma separated list of email addresses to the Trigger which I’ve done.

The email addresses will be provided by the Asset Listing which combines them into the list and gives it to the Trigger.

Trouble is, the Asset Listing can’t access the data records unless they’re publicly writeable. I’ve tried Ignore Permissions but that doesn’t seem to work. Could be a cached setting from a previous attempt to find a solution I guess.


(Baraban666@@4@3%6) #10

Can you explain what you want to do?


(Varun Pandey) #11

Sorry for posting here.

Hi!

I am creating a Contact Us form using the ESI and container templates. The form displays perfectly on the homepage, but when I make any of the form’s fields required and submit without entering the required fields, the submit button redirects to a URL like …/_resources/esi/contact-us, where the form shows the error.

I want the form to show the error on the homepage itself, where the form is embedded.