New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Plugin remote pages #442

Merged
merged 1 commit into from Nov 25, 2018

Conversation

Projects
None yet
2 participants
@bramley
Copy link
Contributor

bramley commented Nov 19, 2018

Allow a plugin to have pages that can be accessed using the remote processing secret.

  1. Add an array of remote pages to the default plugin.
  2. Test that when the secret parameter is provided and the current page is for a plugin that the page is in the array of remote pages provided by the plugin.
  3. set $inRemoteCall accordingly
@michield

This comment has been minimized.

Copy link
Member

michield commented Nov 19, 2018

What kind of thing would you want to use this for? This functionality is for phplist.com to process bounces and the queue, when you register there. We would have to add something else to this service. Unless you plan to invoke it from elsewhere?

@bramley

This comment has been minimized.

Copy link
Contributor

bramley commented Nov 19, 2018

I remember when this was introduced one reason was to stop people including an admin user and password in the URL. That was usually done because of a hosting limitation on a cron job to only fetching a URL. So some people have been using this functionality separately to the phplist hosted remote queue processing.

The idea here is to allow someone with a restricted cron function to be able to run, say, the RSS Feed Plugin get page, through a cron job in their own hosting account, not phplist hosted.

There is no real change to the plugin code to allow that, apart from making the page available as a remote page.

@michield

This comment has been minimized.

Copy link
Member

michield commented Nov 19, 2018

Ah, yes, you're right. Now I remember. When people can create crons that can curl/wget something, but not run a commandline. I wonder if that needs a bit more documentation. It's also a terribly convoluted way to handle this. The main problem with this is when/if this opens attack vectors.

@michield michield merged commit b5d2c50 into phpList:master Nov 25, 2018

@michield

This comment has been minimized.

Copy link
Member

michield commented Nov 25, 2018

@samtuke @xh3n1 it will be good to add some tests for this

@bramley

This comment has been minimized.

Copy link
Contributor

bramley commented Nov 26, 2018

I wonder if that needs a bit more documentation.

There is this page but it is a bit hard to find https://resources.phplist.com/system/remote_processing

@bramley bramley deleted the bramley:remote_pages branch Nov 26, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment