This question about Topic Markup Language and applications: Answered

Rest api for comment plugin works only inside foswiki?


I used the following form in a Sandbox topic to insert a comment on a particular topic under another web, and it worked ok.


<form method="post" action="%SCRIPTURL{restauth}%/CommentPlugin/comment" > 
<input type="submit" value="I Approve" /> 
<input type="hidden" name="topic" value="Sym/FolioNum111111" /> 
<input type="hidden" name="redirectto" value="Sym/FolioNum111111" /> 
<input type="hidden" name="comment_action" value="save" /> 
<input type="hidden" name="comment_type" value="below" /> 
<input type="hidden" name="comment" value="I Apro,kjg ve" /> 
</form> 

Later, I made an html file outside foswiki with the same content, except I changed
 %SCRIPTURL{restauth}%/CommentPlugin/comment ----->  http://192.168.1.10/foswiki/bin/restauth/CommentPlugin/comment 

it did not work

My guess is that, unlike normal rest apis, the CommentPlugin rest api only works inside foswiki, and it is not possible to integrate this api with the rest of the applications out there. The other option is that I am not constructing the form correctly.

-- AntonioVega - 06 Apr 2020

One thing to check is whether CommentPlugin is configured to allow anonymous comments since a comment from outside the wiki would be a non-authenticated user. See {Plugins}{CommentPlugin}{GuestCanComment} in configure. You might also confirm that you have Comment Plugin > Custom Access Controls properly configured to allow WikiGuest user to comment. Not 100% sure this will address your issue (I didn't test it) but it's a place to start.

-- LynnwoodBrown - 06 Apr 2020

My CommentPlugin is configured to allow anonymous comments, and I also maintained the default ( CHANGE ) for {Plugins}{CommentPlugin}{RequiredForSave}. I verified that WikiGuest can add comments.
I also viewed "the page source" (the html code behind the rendered foswiki page) and found the following
html source with a valid Wikiuser
<form method="post" action="http://192.168.1.10/foswiki/bin/restauth/CommentPlugin/comment"  onsubmit="StrikeOne.submit(this)">
<input type='hidden' name='validation_key' value='?233ba153db5ddbf55ccb5128ad9bc31b' />
....

<form method="post" action="http://192.168.1.10/foswiki/bin/restauth/CommentPlugin/comment"  onsubmit="StrikeOne.submit(this)">
<input type='hidden' name='validation_key' value='?48d94be916199eb32e712de1900ab98b' /> 
...

=====================================================================================================
html source with a WikiGuest user
<form method="post" action="http://192.168.1.10/foswiki/bin/restauth/CommentPlugin/comment"  onsubmit="StrikeOne.submit(this)">
<input type='hidden' name='validation_key' value='?bc49315d1b460425b6ae16f2c54d6387' /> 
....

<form method="post" action="http://192.168.1.10/foswiki/bin/restauth/CommentPlugin/comment"  onsubmit="StrikeOne.submit(this)">
<input type='hidden' name='validation_key' value='?2c47db119ac79ae914258462884671c8' /> 
...

As we can see, there is an additional hidden input called "validation_key" with a value that changes every time I reload the page. It does not matter whether it is a valid WikiUser or a WikiGuest, the number will always change. My guess is that the plugin generates an ephemeral hidden input key value; if, after submit, the returned value of this key matches the one cached on foswiki, the comment will be saved.

If such a hidden key is needed, then to allow other apps to add comments I would suggest adding a field in configure, {Plugins}{CommentPlugin}{ValidAnonTokens} = ?48d94be916199eb32e712de1900ab89a89ab, ?2c47db119ac79ae914258462884617cc8, and the form would also need an additional hidden input.
 
<input type='hidden' name='validation_key' value='?2c47db119ac79ae914258462884617cc8' /> 
<input type='hidden' name='caller' value='my_app' /> 

the comment should be signed by WikiGuest.my_app

-- AntonioVega - 07 Apr 2020

ok. That relates to Foswiki's Cross-site request forgery (CSRF) feature, which first makes a call to the server via ajax to validate the form and then submits the form. Turning off {Validation}{Method} in configure would resolve the issue, but it's probably not a good idea. You might try including the relevant js files in your static html and it might work. At the very least, you'd probably need to include jquery and the foswiki.js file (which I believe contains the strikeone validation framework). Let us know how it goes.

-- LynnwoodBrown - 07 Apr 2020

I verified: the {Validation}{Method} options are strikeone, embedded and none. If set to none, then the Comment Plugin rest api will work from a form such as the one below. But I agree that this is not a good idea if we want to avoid CSRF. I would say that a new config variable {Validation}{Tokens} = ?48d94be916199eb32e712de1900ab89a89ab, ?2c47db119ac79ae914258462884617cc8 would allow rest api calls from non-foswiki-generated forms, by including a hidden input tag with a fixed validation_key that corresponds to one of the ones listed in {Validation}{Tokens}. Then each Plugin could have a switch for whether to use validation by token or the current validation method. I will leave "Needs followup in Task" as the status just in case the proposal merits attention; if not, I will check later and change the status to "Task closed".
<html><body>
<form method="post" action="http://192.168.x.y/foswiki/bin/restauth/CommentPlugin/comment" > 
<input type="submit" value="I Approve" /> 
<input type="hidden" name="topic" value="Sandbox/SandboxTopic" /> 
<input type="hidden" name="redirectto" value="Sandbox/SandboxTopic" /> 
<input type="hidden" name="comment_action" value="save" /> 
<input type="hidden" name="comment_type" value="below" /> 
<input type="hidden" name="comment" value="Some text to be included as a comment...." /> 
</form> 
</body>
</html>

-- AntonioVega - 09 Apr 2020

Antonio - did you ever try my second suggestion of including the js files that execute strikeone in your external html file?

-- LynnwoodBrown - 11 Apr 2020

No, I did not, but I'll give it a try.

-- AntonioVega - 12 Apr 2020

I tried again by including the only two js scripts in the Comment Plugin. It did not work.
<html><body>
<script src="/comment.js"></script> 
<script src="/comment.uncompressed.js"></script> 
<form method="post" action="http://192.168.x.y/foswiki/bin/restauth/CommentPlugin/comment" > 
<input type="submit" value="I Approve" /> 
<input type="hidden" name="topic" value="Sandbox/SandboxTopic" /> 
<input type="hidden" name="redirectto" value="Sandbox/SandboxTopic" /> 
<input type="hidden" name="comment_action" value="save" /> 
<input type="hidden" name="comment_type" value="below" /> 
<input type="hidden" name="comment" value="Some text to be included as a comment...." /> 
</form> 
</body>
</html>

-- AntonioVega - 13 Apr 2020

I was able to accomplish this using the general strategy I described above. I did have to do some additional tricks to make it properly work with the strikeone setup. Here's the details of what I did:
  1. Created a topic (in this case called "Sandbox.TestExternalComment") that contained my comment form:
    %STARTSECTION{"commentform"}%
    <form method="post" action="%SCRIPTURL{rest}%/CommentPlugin/comment" enctype="application/x-www-form-urlencoded" > 
    <input type="hidden" name="topic"  value="%WEB%.%TOPIC%" />  
    <input type="hidden" name="redirectto" value="https://mydomain.com/comment.html" /> 
    <input type="hidden" name="comment_action" value="save" /> 
    <input type="hidden" name="comment_type" value="below" /> 
    <input type="text" name="comment" size="40" placeholder="Enter your comment here." /> 
    <input type="submit" value="I Approve" /> 
    </form> 
    %ENDSECTION{"commentform"}%
    
       * Local ALLOWTOPICCHANGE = *
       * Local ALLOWTOPICCOMMENT = *
    
    </div>
  2. Next, I set up my static html page as follows:
    <html>
    <head>
    <meta charset="utf-8" />
    <meta http-equiv="x-ua-compatible" content="ie=edge">
    <script src="/pub/System/JQueryPlugin/jquery-2.2.4.js"></script> 
    <script src="/pub/System/JQueryPlugin/plugins/livequery/jquery.livequery.js"></script> 
    <script src="/pub/System/JQueryPlugin/plugins/foswiki/jquery.foswiki.js"></script> 
    <script src="/pub/System/CommentPlugin/comment.js"></script> 
    <script src="/pub/System/JavascriptFiles/foswikiPref.js"></script> 
    <script src="/pub/System/JavascriptFiles/strikeone.js"></script> 
    <script>
    jQuery(function($) {
      $("#commentBlk").load("https://mydomain.com/Sandbox/TestExternalComment?skin=text;section=commentform;");
    });
    </script>
    </head>
    <body>
    
    <div id='commentBlk'>
    </div>
    </body>
    </html>
    
    
  3. Uploaded my html file to my server. In this case, I named the file comment.html so that the redirectto parameter works correctly.

A couple of notes on how/why this works:
  • The big "trick" is that I'm loading the form via ajax so that the strikeone "validation_key" is properly generated.
  • I included all required js files in my static html file. I'm not 100% sure all of these were required but it worked and I didn't go back to see which ones I could eliminate.
  • You'll notice that I explicitly set the permissions for the topic where the comments are stored to allow comments by anyone without opening up my entire site or even the web. Obviously, there's still some risk leaving even one topic open to edits by WikiGuest but at least this minimises that risk.

Hope this helps!

-- LynnwoodBrown - 13 Apr 2020

I verified your setup, and it works. It is not exactly the functionality I was looking for, but it is pretty close. I need to make some arrangements to the integration I was planning to do, but it seems like it will be possible. Thank you LynnwoodBrown

-- AntonioVega - 14 Apr 2020
 

QuestionForm

Subject Topic Markup Language and applications
Extension CommentPlugin
Version Foswiki 2.1.6
Status Answered
Topic revision: r11 - 14 Apr 2020, AntonioVega