Story #44913

RESTful NodeController for easy comment creation

Added by Robert Lemke about 6 years ago. Updated almost 6 years ago.

Status: On Hold
Priority: Should have
Assignee: -
Category: Content Management
Target version: -
Start date:
Due date:
% Done: 100%


Description

As a site integrator I want a RESTful NodeController in order to create blog post comments by just coding a Fluid-based form.

DoD
- POST request on ...../blog/posts/my-blog-post/comments creates a new comment
- properties are validated: HTML not allowed in post comment (note: we don't support markup at all -> htmlspecialchars); email address required
- on validation error the user is returned to the original page with the form values still filled in and an error message displayed
- NodeController also handles other types of content, for example Page


Subtasks

Task #44918: NodeTemplateConverter (Resolved)

Task #44917: Add support for transient nodes (Resolved, Bastian Waidelich)


Related issues

Related to Base Distribution - Work Package #45088: Improved REST support | Resolved | 2011-05-29 | 2013-04-13

History

#1 Updated by Robert Lemke about 6 years ago

  • Subject changed from As site integrator I want a RESTful NodeController in order to create comments to RESTful NodeController for easy comment creation

#2 Updated by Robert Lemke about 6 years ago

  • Category set to Content Management
  • Assignee set to Bastian Waidelich

#3 Updated by Bastian Waidelich about 6 years ago

  • Status changed from New to Accepted

#4 Updated by Bastian Waidelich almost 6 years ago

FYI: Technically this is quite easy to achieve with a new action in Frontend\NodeController:

public function createAction(PersistentNodeInterface $parentNode, NodeTemplate $newNode) {
    $createdNode = $parentNode->createNodeFromTemplate($newNode);
    $this->redirect('show', NULL, NULL, array('node' => $createdNode));
}

In conjunction with #27117 this should already work.

The problem: Security!
Obviously not Everybody should be able to create nodes. Also we can't restrict this to authenticated users (this would not work for the described scenario where anonymous users are allowed to post comments).

For this to be implemented we probably need some kind of "node restrictions" (e.g. nodes of type X can only be inserted below some/path by role Y).
At some point we need that anyways for Neos..

#5 Updated by Adrian Föder almost 6 years ago

At least "nodes of type X" could be implemented with something like a (todo) instanceof runtime constraint operator which would be useful to have anyways.

Or, the runtime constraint handling will have a new feature where arguments must satisfy particular, more fine grained checks, just like

resources:
  methods:
    Foo_Bar_FooBar: 'method(Foo\Bar->SomeAction(product.owner = current.securityContext.party && newNode instanceof Acme\Foobar\Node\CommentTemplate && parentNode satisfies Acme\Foobar\Constraint\CommentNodeCreationConstraint))'

the product.owner part is what we already know; the instanceof would be the mentioned operator which checks for the argument being instanceof the given class/interface (just like within); and the last one would be something like the mentioned user-definable constraint satisfaction.

#6 Updated by Bastian Waidelich almost 6 years ago

  • Target version deleted (Sprint February 2013)

Adrian Föder wrote:

"nodes of type X" could be implemented with something like a (todo) instanceof runtime constraint operator which would be useful to have anyways.

Right, we need those node constraints anyways (e.g. to have something like: "only allow Content Elements XY.. in section Z"). But we won't have that in 1.0 unfortunately..

BTW: This is not only about authenticated users: If you want to have comment nodes for example (as Robert uses it in his blog) we want to allow Everybody to create *Comment*Nodes underneath a specified path

#7 Updated by Bastian Waidelich almost 6 years ago

  • Status changed from Accepted to On Hold
  • Assignee deleted (Bastian Waidelich)

Set the status to "on hold" according to the missing constraint features mentioned above
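
Added example, not part of the original thread and not code from the Flow/Neos project: a default-deny sketch of the "node restrictions" idea from #4 to #6 (nodes of type X may only be inserted below some/path by role Y), together with the comment validation from the DoD. The function names, rule format, node type names and paths are hypothetical; only the Everybody role and htmlspecialchars come from the discussion above.

```php
<?php
declare(strict_types=1);

// Hypothetical rule table (default deny): node type => allowed parent path and roles.
const NODE_CREATION_RULES = [
    'Acme.Blog:Comment' => ['below' => '/sites/blog/posts', 'roles' => ['Everybody']],
    'Acme.Blog:Post'    => ['below' => '/sites/blog/posts', 'roles' => ['Editor']],
];

/** True only if a rule allows $nodeType at or below its configured path for one of $roles. */
function mayCreateNode(string $nodeType, string $parentPath, array $roles): bool
{
    $rule = NODE_CREATION_RULES[$nodeType] ?? null;
    if ($rule === null) {
        return false; // node types without a rule can never be created this way
    }
    // Compare whole path segments, so "/sites/blog/posts-archive" is not "below /sites/blog/posts".
    $base = rtrim($rule['below'], '/') . '/';
    $parent = rtrim($parentPath, '/') . '/';
    return strncmp($parent, $base, strlen($base)) === 0
        && array_intersect($rule['roles'], $roles) !== [];
}

/** DoD checks: email address required; markup is not supported, so the text is escaped. */
function validateComment(array $input): array
{
    $email = trim((string)($input['email'] ?? ''));
    $errors = [];
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid email address is required.';
    }
    $text = htmlspecialchars((string)($input['text'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return ['errors' => $errors, 'email' => $email, 'text' => $text];
}

// Constructed sample requests: [node type, parent path, roles of the caller].
$samples = [
    ['Acme.Blog:Comment', '/sites/blog/posts/my-blog-post', ['Everybody']], // anonymous comment on a post
    ['Acme.Blog:Post',    '/sites/blog/posts',              ['Everybody']], // type reserved for Editor
    ['Acme.Blog:Comment', '/sites/blog/posts-archive/x',    ['Everybody']], // sibling path sharing a prefix
    ['Acme.Blog:Page',    '/sites/blog/posts/my-blog-post', ['Editor']],    // type without a rule
];
foreach ($samples as [$type, $path, $roles]) {
    printf("%-18s %-32s %s\n", $type, $path, mayCreateNode($type, $path, $roles) ? 'allow' : 'deny');
}
$comment = validateComment(['email' => 'jane@example.org', 'text' => 'Nice <b>post</b>!']);
printf("errors=%d text=%s\n", count($comment['errors']), $comment['text']);
```

In a controller such as the createAction sketched in #4, a check like this would run before createNodeFromTemplate(), so that a request for any type or path not explicitly listed is rejected.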
