admin ability to edit templates via backend

[grantp22]

Hi,

 

I need some advice on how to go about allowing administrators with dev skills the ability to edit my existing templates I have created for them by logging into the backend and editing the pages online or even adding their own custom templates and switching them!

 

I can write the script for doing this by allowing them to write files to a folder that has permissions and simply allowing them to set a new path to that file which will get loaded into the main template via database array variables in place of static include paths!

 

My template could have the following script to include their templates:

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Custom templates</title>
</head>
<body bgcolor="#001e00">
  <div class="container">
    <?php // This will be where the header gets inserted
      include('thenewtemplate.php');
    ?>
    <div class="main">
      // someother static divs with contents in here
    </div>

    <?php // This will be where the footer gets inserted
      include('thenewtemplate.php');
    ?>

    etc, etc...

 

So my question is what would be the best approach, because obviously allowing permissions to write to templates or create new ones with potentially dangerous scripts can obviously be witten out to the template to be loaded later, if an unauthorised person ever managed to get access to my backend

 

The backend is pretty secure but I wouldn't stake my life on it either!

I would like to have a textarea where they could type in the new template source code and then save it out to a text file or some other file format to be loaded into the main template. I want them to be able to change  the header div contents, footer and right column div to create their own unique looks

 

Does anybody have any advice on this! Good or bad?

 

Thanks

Grant

[grantp22]

Can anybody give me some feedback?

[plznty]

I once used text files. The problem is that you end up having a ton of different folders for different users etc.

If you are having potentially untrusted people with an access to the back-end then it would be easy for them to cause damage.

I had file_get_contents(paths) to link to there folder etc.

 

This is the code I used for editor, if you can extract anything you may need from it feel free.

<?php
include("include/data.php");
if ($_COOKIE[user] == ($username) && $_COOKIE[pass] == md5($password)) 
{
include("include/config.php");
$welcome = ucwords($_COOKIE[user]);
echo "<center><font color='#FFFFFF'><body bgcolor='#000000' link='#FFFFFF' vlink='#FFFFFF' alink='#FFFFFF'>";
if ( $_GET['view'] == contents )
   {
   echo "
      <b>$welcome's Webpage Editor</b>
      <p><a href='editor.php?view=website'>Website</a></p>
      <p><a href='editor.php?view=forum'>Forum</a></p>";
   }

if ( $_GET['view'] == website )
   {
   echo "
   <b>$welcome's Webpage Editor</b>
   <p><a href='editor.php?process=edit&file=title'>Title</a></p>
   <p><a href='editor.php?process=edit&file=bgcolor'>Background Colour</a></p>
   <p><a href='editor.php?process=edit&file=logo'>Logo URL</a></p>
   <p><a href='editor.php?process=edit&file=txtcolor'>Text Colour</a></p>
   <p><a href='editor.php?process=edit&file=link'>Link Colour</a></p>
   <p><a href='editor.php?process=edit&file=home'>Home</a></p>
   <p><a href='editor.php?process=edit&file=memberlist'>Member list</a></p>";
   }
if ( $_GET['view'] == forum )
   {
   echo "
   <b>$welcome's Webpage Editor</b>
   <p><a href='editor.php?process=edit&file=forumthreadname'>Forum Thread Name</a></p>
   <p><a href='editor.php?process=edit&file=forumowner'>Forum Owner</a></p>
   <p><a href='editor.php?process=edit&file=forum1'>Forum Box [1]</a></p>
   <p><a href='editor.php?process=edit&file=forum2'>Forum Box [2]</a></p>
   <p><a href='editor.php?process=edit&file=forum3'>Forum Box [3]</a></p>
   <p><a href='editor.php?process=edit&file=forum4'>Forum Box [4]</a></p>
   <p><a href='editor.php?process=edit&file=forum5'>Forum Box [5]</a></p>
   <p><a href='editor.php?process=edit&file=forum6'>Forum Box [6]</a></p>
   <p><a href='editor.php?process=edit&file=forum7'>Forum Box [7]</a></p>
   <p><a href='editor.php?process=edit&file=forum8'>Forum Box [8]</a></p>
   <p><a href='editor.php?process=edit&file=forum9'>Forum Box [9]</a></p>
   <p><a href='editor.php?process=edit&file=forum10'>Forum Box [10]</a></p>";
   }
if ( $_GET['process'] == edit )
   {
   $data = file_get_contents("./web/$_COOKIE[user]/$_GET[file].txt");
   echo "
   <b>$welcome's Webpage Editor</b>
   <p>You are editing: $_GET[file]</p>
   <p><form action='editor.php?process=submit&file=$_GET[file]' method=post><textarea name='data' cols='40' rows='10'>$data</textarea>
   <p><input type=submit value=Edit></p>
   </form>";
   }
if ( $_GET['process'] == submit )
   {
   $myFile = "./web/$_COOKIE[user]/$_GET[file].txt";
   $fh = fopen($myFile, 'w') or die("can't open file");
   $stringData = "$_POST[data]";
   fwrite($fh, $stringData);
   fclose($fh);
   echo "<center><font color='#FFFFFF'><body bgcolor='#000000' link='#FFFFFF' vlink='#FFFFFF' alink='#FFFFFF'><a>Successfully changed</a>";
   }
}else{
   echo '<META HTTP-EQUIV="Refresh" CONTENT="0; URL=timeout.php">';
}

?>

 

Sorry I could not be any more help to you, maybe if you respond I would like to offer more help.