Hey Guys!
I was playing a bit with the BC SDK and REST API and quite quickly realised that actions like POST and DELETE are only available in the context of an app.
So I started wondering: how could I give admin access to API POST actions while still staying on the main website (not the admin area)?
A good example of using this idea is to create an in-context editor where a user can simply edit the page elements they currently see.
So I found this simple solution, and I'm wondering whether there is anything wrong with it or whether I am missing anything important.
Any advice on why not to do it, or what a better solution would be? I might simply be missing something trivial.
To help you I will just throw you this:
- What do browsers do with cross-domain iframes and data?
- Why does BC currently iframe and sandbox apps, with the setup the apps themselves have?
Every time I read a post like this on BC I think of this:
Hahaha, that comic is hilarious!
I did some further development, and it looks like my concept works! So it is definitely possible to do what I described in the original post.
The only issues I found are catching any errors related to loading an unauthorised iframe (401), and maybe the dynamic setup of the parent page domain that needs to be passed to the child iframe.
I would not build off anything you find, though. If that is the case, then there is a security issue BC will want to look at and stop from happening.
If they deem it a serious one, they action the changes pretty quickly and, more often than not, since it is a security issue, just fix it without notifying anyone (as they do not need to), so a solution may just stop working.
I would also check it in all browsers.
I'm not sure you understand how I achieved my results. I'm quite confident it is secure, but please correct me if I'm wrong.
I use BC backend authentication. All information exchanged between the iframe and the page using postMessage() has a cross-origin check.
Window.postMessage() - Web APIs | MDN https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
I have seen BC apps doing the same job, and I assume it needs to be done in a similar way.
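For readers who want to see what "cross-origin check on postMessage()" means in practice, here is an added example of an origin-checked parent/iframe channel. It is not the poster's code and not BC's; the two origins, the command names and the fake window objects are assumptions constructed for the example, and the events are simulated so it runs without a browser.

```javascript
// Added example: a minimal origin-checked postMessage channel between a
// public page and an editor iframe. Not BC code; the origins are assumptions.

// Assumed (hypothetical) origins of the public site and the editor iframe.
const PARENT_ORIGIN = "https://www.example.com";
const EDITOR_ORIGIN = "https://editor.example.com";

// Build a "message" event handler that only accepts events from allow-listed
// origins and only with a known shape. Returns the dispatch result, or null
// when the message is dropped. Never trust event.data before event.origin.
function makeMessageHandler(allowedOrigins, dispatch) {
  const allowed = new Set(allowedOrigins);
  return function onMessage(event) {
    // 1. Origin check: a page from any other origin can call postMessage on
    //    this window, so everything else is ignored outright.
    if (!allowed.has(event.origin)) return null;
    // 2. Shape check: require a plain object with a string "type".
    const data = event.data;
    if (!data || typeof data !== "object" || typeof data.type !== "string") return null;
    const result = dispatch(data, event.source, event.origin);
    return result === undefined ? null : result;
  };
}

// Send a message with an explicit targetOrigin. Refuses the wildcard "*":
// with "*" the payload is delivered to whatever document currently occupies
// the frame, including one an attacker navigated it to.
function sendTo(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing to postMessage with targetOrigin '*'");
  targetWindow.postMessage(message, targetOrigin);
  return { message, targetOrigin };
}

// Commands the public page accepts from the editor (constructed example).
const parentCommands = {
  "update-element": (data) => ({ ok: true, id: data.id, html: data.html }),
};

// Handler installed on the public page: window.addEventListener("message", parentHandler)
const parentHandler = makeMessageHandler([EDITOR_ORIGIN], (data, source, origin) => {
  const cmd = parentCommands[data.type];
  if (!cmd) return null;                 // unknown command types are dropped
  const reply = cmd(data);
  // Reply only to the verified sender, pinned to the origin we just checked.
  if (source) sendTo(source, { type: "ack", ...reply }, origin);
  return reply;
});

// Simulated run with constructed MessageEvent-like objects and a fake iframe
// window that records what it was sent and with which targetOrigin.
function demo() {
  const fakeEditor = { received: [], postMessage(m, o) { this.received.push({ m, o }); } };
  const good = parentHandler({ origin: EDITOR_ORIGIN, source: fakeEditor,
    data: { type: "update-element", id: "hero", html: "<h1>Hi</h1>" } });
  const wrongOrigin = parentHandler({ origin: "https://attacker.example", source: fakeEditor,
    data: { type: "update-element", id: "hero", html: "<script>x</script>" } });
  const unknownType = parentHandler({ origin: EDITOR_ORIGIN, source: fakeEditor,
    data: { type: "delete-site" } });
  return { good, wrongOrigin, unknownType, acks: fakeEditor.received };
}
```

The same two checks belong on the iframe side (accept only PARENT_ORIGIN, reply only with a pinned targetOrigin). Note that passing the origin check still only proves which origin sent the message; authorising the command is a separate question that the backend session, not the browser, has to answer.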
It is exactly the passing with the iframes and the cross-origin part which BC will not want.
In the first version of Open Platform you could read and edit the parent (admin), and BC rebuilt it to sandbox it. It has a very specific URL structure and is supposed to be sandboxed. While in admin, it runs in admin and is not supposed to be accessed anywhere else; the authentication is just for that case.
Anything outside what BC intended can lead to hijacking.
Continue as you want, but I would be wary of sharing your findings, and just note that BC could change this at any time and it could all stop working. I just do not want you to invest time that will get undone. I discover and know things about BC before most people, and BC has specifically changed BC as a result of things I have done/discovered, and I have had more than one project/app stopped because BC changed or tightened things up, so I know from experience.
I am also under a full Adobe NDA so I can only advise and warn you with the above.
I second what Liam says. I've also been a partner a very, very long time, and there's been a ton of stuff that Adobe patched.
"In Context editor where user can simply edit page elements that they currently see"
This can already be done using WebApps as building blocks, but it will be slow and complex.
Hey bcalpha, can you please elaborate on:
This can already be done using WebApps as building blocks, but it will be slow and complex.
I know there is simple in-context editing already in BC, but it doesn't work well with any Liquid...
Does your idea include the WebApps edit template and user secure zones?
You should also know that having website editing on the front end, outside of the default BC admin/editing solutions, will add to the site bandwidth.
This can exponentially increase the bandwidth of a BC site and take its usage too far. From experience this can mount up, so together with normal site traffic you can come close to, AND over, even the high bandwidth BC has by default.
It only works in the back-end, not in Secure Zones, and I really wouldn't recommend it.
Thanks guys for all the advice, well appreciated.
We should discuss this over drinks in Surry Hills.
Liam,
I'm not worried about bandwidth, as in my case there wouldn't be many updates, maybe twice a week. But it's worth considering this issue for a website with a lot of content, like a blog or news website.
bcalpha,
I was trying to figure out, a while ago, how to use "Edit Templates" for WebApps. But I gave up at some point, not sure what the reason was. There was some missing part with permissions or something.
I've got almost the whole "Better Editor App" ready... just a few bits left with the file upload status. I will let you know how things work in real life.
Cheers
I have seen a few complex things from partners, and ones that are not. Even the small ones really do start eating into the bandwidth, especially with content. If you think someone is editing, re-editing, checking, making changes again... That is what the admin is for.
Yeah, but I personally think that the BC admin UX is tragic... So I'm trying to make use of the great back-end potential of BC with a smooth front-end UX...
Around 300MB/mo of bandwidth is still far away from the 1000GB/mo that is free... at least in my case...
Compared with enterprise solutions and others:
Some may look nice but are a nightmare to actually use (looking at you, Squarespace), and enterprise ones have horrible ones.
In the scheme of things, especially for client pickup and content editing, if you build the site right (which I find a lot of BC developers do not do) it is one of the better ones.
You said:
Around 300MB/mo of bandwidth is still far away from the 1000GB/mo that is free... at least in my case...
Is the site live?
Have you built the tool, and are you using it much?
Watching one right now with front-end content not written by us, and it's exponential.
Our biggest sites (and we've got some big ones) were not even close to 100MB before going live, as a reference.