mahara-contributors team mailing list archive

[Bug 1073625] Re: Add additional html interface

 

Actually it turns out that you can already override templates via the
/local directory. See https://bugs.launchpad.net/mahara/+bug/898437

Of course, that feature doesn't make it easy to add a snippet to the top
of every page. You would have to:

1. Know about the almost completely undocumented feature ;)
2. Create the following files: local/theme/templates/header.tpl, local/theme/templates/header/head.tpl, and/or local/theme/templates/footer.tpl
3. And even then, you'd have problems if you're using a custom theme that overrides these.

So I still like the idea of adding some additional HTML snippet feature
to the /local directory to simplify this process.

Some other folks here at Catalyst have also floated the idea of adding a
feature that simply puts the Google Analytics snippet itself into the
header, if the user activates a certain config setting. I would not be
opposed to that, but I fear that we at Catalyst would fall behind on
updating it, just as we tend to do with the iframe filters. So, it would
be better as a plugin system to allow for community contributors to
create and maintain tracking snippet plugins.

Anyway, at this point I'm going to pursue the following:

1. I will revert the additional HTML UI feature because, as stated in my earlier note, it can't be effective and secure at the same time.
2. I will add an easier way to put the snippet into the page via some mechanism under the /local directory (or perhaps even via config.php? That's a little less obscure.)

It is worth noting that Moodle has a feature that is exactly like this,
and they don't consider it a security risk
(http://docs.moodle.org/25/en/Header_and_footer). That's because
Moodle's security standard is, in general, to assume that having admin
user web access means you also have already compromised every other
aspect of the system. Mahara, on the other hand, has been arriving at a
security standard of assuming that the admin web account is easier for
attackers to compromise than other aspects of the system, such as the
database and the web server file system, because it can be compromised
by browser and OS vulnerabilities. So, we try to avoid introducing
features that would allow an escalation of privileges via the admin
account. (This feature isn't exactly escalating privileges in the
strictest sense... but in order for it to work, we'd have to allow the
user to insert JavaScript via the web UI, which is something we don't
allow anywhere else in Mahara; and per our the-admin-is-insecure
security policy, we can't allow it via the admin user either.)

Cheers,
Aaron

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1073625

Title:
  Add additional html interface

Status in Mahara ePortfolio:
  In Progress

Bug description:
  We need something similar to Moodle's
  .../admin/settings.php?section=additionalhtml, so that if people need
  to add, say, Google Analytics code, they would not be required to
  modify the theme template.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1073625/+subscriptions

