Transporter Security

We aim to restrict the ability to author new static sites to logged in users of particular web sites.

At the moment the About HTML Plugin does not send any standardised information along with the form post - so we cannot use this for security purposes.

The current About Transport Plugin mechanism sends the following information to the server:

{"text":"","html":"<meta http-equiv=\"Content-Type\" content=\"text/html;charset=UTF-8\"><a href=\"\" date-slug=\"transporter-security\" target=\"\"> </a>","url":""}

In particular this includes information about the web page the transporter is on - as in:


This allows us to restrict access to a transporter to a particular domain or wiki page. However, this can easily be spoofed by anyone with access to a programming language on any machine - it's just an HTTP POST request.

We are currently looking at server side posting and other security methods. However, for now we can rely on the wiki's ability to allow a logged in user to author wiki content to provide security.

# Authored JSON

The transporter can read a specific JSON URL, and look for content which authorises the action. As only a particular author has write access to that site we can use this information to provide authorisation.

Specifically we can use the Wiki Checkbox ability of the markdown plugin to author json content on a server that we can check.

Below is an example markdown section:

    # Authoring Tools
    This is an experimental section that enables us to update the web site -

    - [x] Allow website update

Only a logged in user can change the stored value on the server, and the transporter can simply poll the json url for the page and look for a positive result:

Update website

# Code

The code for checking the wiki page array for a named checkbox value can be found here - gist
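
The check described under Authored JSON, as an added example that is not the gist's code or the project's own. It assumes the page JSON carries a `story` array whose markdown items have a `text` field; the function names and the sample page are constructed for illustration. It denies on anything unexpected: an unparseable response, a label that only partially matches, or a label that appears more than once.

```javascript
// Added example: fail-closed check for a named, ticked checkbox in a wiki page's JSON.
// Assumption: page JSON has a "story" array; markdown items carry a "text" string.
const TASK_LINE = /^\s*[-*]\s+\[([ xX])\]\s+(.*?)\s*$/; // e.g. "- [x] Allow website update"

function checkboxStates(page) {
  const states = new Map(); // label -> array of booleans, one per occurrence
  if (!page || !Array.isArray(page.story)) return states;
  for (const item of page.story) {
    if (!item || item.type !== 'markdown' || typeof item.text !== 'string') continue;
    for (const line of item.text.split(/\r?\n/)) {
      const m = TASK_LINE.exec(line);
      if (!m) continue;
      if (!states.has(m[2])) states.set(m[2], []);
      states.get(m[2]).push(m[1].toLowerCase() === 'x');
    }
  }
  return states;
}

function isActionAuthorised(pageJson, label) {
  let page;
  try {
    page = typeof pageJson === 'string' ? JSON.parse(pageJson) : pageJson;
  } catch (e) {
    return false; // unparseable response (e.g. an HTML error page): deny
  }
  const seen = checkboxStates(page).get(label);
  // Require exactly one checkbox with this exact label, and it must be ticked.
  return Array.isArray(seen) && seen.length === 1 && seen[0] === true;
}

// Constructed sample page, not real site data.
const SAMPLE_PAGE = JSON.stringify({
  title: 'Transporter Security',
  story: [
    { type: 'paragraph', id: 'a1', text: 'Notes on authorising the transporter.' },
    { type: 'markdown', id: 'b2',
      text: '# Authoring Tools\n- [x] Allow website update\n- [ ] Allow site delete' }
  ]
});
```

The result is only as trustworthy as the URL it was read from, so the transporter should fetch the page JSON itself from a fixed, configured address rather than accept one supplied in the POST body.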