cms's Issues

[Idea] Multiple admins with customizable role names and more

The Settings for new admins is crazy awesome, but there are a few places where a little bit of advancement wouldn't hurt.
The idea is allowing the creation of user roles with custom names and permissions.
For example:

A few scenarios where this would be useful.

  • You would want a "content creator" only able to submit posts to a certain blog.
    • Role name: "Content Creator"
    • permissions: "/blog-name/"
      • Submit: true
  • You would only want the content manager for a certain blog to approve/deny posts in the blog he/she works in
    • Role name: "content manager"
    • permissions: "/blog-name/"
      • ApproveDeny: true

Settings like these would help destroy any type of cms competition like Wordpress, Ghost or Jekyll.

can't create a new user

Hi there
I installed CMS 13.0.0 on the local mac os 10.14.6 Mojave computer. + Node js v13.13.0

  1. I create a new user with super administrator rights
  2. the CMS refuses the login due to incorrect authentication data when I attempt to log in
  3. when I go back under the default administrator, I see that the new user has not been saved and has disappeared from the list of users on the settings page
    https://drive.google.com/file/d/15tVR5HFJ9Vhr5EY0ljn-EhFmcs6XUBFz/view?usp=sharing
    Thanks!

[Idea] Approval before posts, pages and the like.

Provide an approval of a blog post, page or anything a lower level user could create.
To be published publicly an admin must click approve or deny.

A few scenarios where this would be useful.

  • You have a team of content creators that each day write blog posts,
    add pages. The content team has a manager who's an admin to the specific part of the site
    the team works in. The approval process could work like so:
    1. A content creator writes a new blog post. Once he fills out all the necessary details he clicks "Submit",
      his new post is visible on the dashboard but not on the site. Because this post is currently listed as "awaiting approval".
    2. The content manager can log in, see that this post is "awaiting approval", along with all the posts approved & published. He can click on the "awaiting approval" post and review the content. Then he can choose to either:
    • Deny: If the manager Denies the post, then the content creator will be notified along with a small message from the manager explaining why.
    • Approve: If the manager Approves the post, then the post is ready for the public. If the post is set to be published at a certain date it will do so, if not then it will publish immediately as accordingly.

I hope this feature could be considered, it would be incredibly beneficial for a load of content creators looking to switch from the large CMS's to more powerful, lightweight alternatives such as this awesome piece of software.

How to use Total.js's blogengine app in a subdomain of the CMS

Hi dear Total.js team,
I use both your CMS and eshop apps on my local machine. Everything works, but in both apps I cannot list posts by category. Here is what I do: 1- on the settings page I defined some sample categories, e.g. news, tutorial, ... After saving I go to step 2- create some posts in each category. But the blog page only shows all posts, and clicking on a post shows the post detail. I want to list posts by category too, just like products in the eshop app. I tried to, with no success. Then I decided to use the Total.js blogengine as a subdomain under the CMS (e.g. http://BlogEngineAapp.CmsApp.local) and read your documentation and samples, but again with no success. I cannot understand how it works. Is this a bug? Can anyone help me? Is there any book for Total.js or a related tutorial?

Security Issue - Cross Site Scripting (Stored)

Description

Screenshot 2022-02-27 15 06 08

PoC : "><img src=x onerror=alert(1)>

Hello @petersirka! I am reporting a security issue. When the administrator creates a page, the page is created by inserting the XSS PoC as the name of the page, and the script is executed when going to the page list.

Cannot login anymore

Have lost my credentials. Any advice? Already installed it new, but I have to use the old login details.
Cheers

Do you need Filipino Translation for Totaljs CMS? I can help you

Hi there,

Good day and how are you? I hope this message finds you well.

I am Joseph Buarao (https://utopian.io/@josephbuarao), who has been doing high quality Filipino and Tagalog translations for several projects.

Consider this message as my letter of application. I am a web developer by profession and an experienced Utopian translator -these are on top of being an experienced web developer with more than 6 years of experience and specialized in the following scripting languages and technologies (HTML, CSS, JS, JQUERY, PHP, WORDPRESS and CONCRETE5). This means I know which codes are to be translated, and which ones that are to remain as it is. I am a strong advocate of thought-by-thought instead of word-by-word style of doing the translations, and I am carefully strict in grammars and spellings and proper word conjugations of my languages, Filipino and Tagalog.

I hope to hear from you soon and work with you in the translations. You can count on me that I will do my job with utmost dedication. Thank you and more power to you.

Best Regards,
Joseph Buarao

There is an unauthorized vulnerability in totaljscms

Upload the 1.txt file and click download

Image 1

Copy the download link for 1.txt

Image 2

Switch to another browser in which no administrator account is logged in, open the link, and the file is downloaded successfully without authorization.

Image 3

"TypeError: Assignment to constant variable." while "node debug.js"

----------------------------------------------------> PID: 970 (v4.0)
TypeError: Assignment to constant variable.
    at restart (/Users/srg/Documents/dev/three/debug.js:11:2250)
    at app (/Users/srg/Documents/dev/three/debug.js:11:3687)
    at run (/Users/srg/Documents/dev/three/debug.js:11:3914)
    at Object.<anonymous> (/Users/srg/Documents/dev/three/debug.js:11:4183)
    at Module._compile (module.js:556:32)
    at Object.Module._extensions..js (module.js:565:10)
    at Module.load (module.js:473:32)
    at tryModuleLoad (module.js:432:12)
    at Function.Module._load (module.js:424:3)
    at Module.runMain (module.js:590:10)

Total.js on Cpanel server

Hi ... First of all I want to congratulate the developers of this script for the great work contributed

I installed the script on a Cpanel server, I activate the proxy modules in apache ( WHM EA4 ) and in the installation of the cms app configure the .htaccess

Everything works perfectly, except the home page / returns 404. What can this be due to?

Thanks in advance

# BEGIN SSL
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
# END SSL

# BEGIN Total.js
RewriteEngine On
RewriteRule ^(.*)$ http://%{HTTP_HOST}:8000/$1 [P,L]

More Databases

I would like to ask in reference to totaljs/cmsbundle#1

I had a look in databases.js: wouldn't making the app multi-DB be possible by adding a dependency on TotalJS DBMS and replacing all TABLE() keywords in database.js with the DBMS() keyword, based on the example from the TotalJS docs?

image

Instruction in readme.md is wrong

You write:

install $ npm install total.js
open cms directory $ cd cms
run it node debug.js

But there is no /cms. So erase the second line, and all will be fine :)

[Security] Stored XSS

Tested version: 8c2c8909 (latest)

Steps to reproduce the vulnerability:

  • Log in to the application.
  • Set "</script><script>alert(document.domain)</script> as CDN (for jComponent Library) in settings.
  • Fill other required fields with random values and save.
  • Then just visit the admin dashboard and the alert will fire.

Each time a target will visit the dashboard the payload will fire, even if the target is not logged in! Since the website redirects to /admin/ presenting the login form, but the payload is reflected also there.

In order to test this, just click logout and reload the page.

Screenshot from 2022-09-19 19-30-33

Screenshot from 2022-09-19 17-48-46

[Security] Stored XSS

Tested version: 8c2c8909 (latest)

Steps to reproduce the vulnerability:

  • Log in to the application.
  • Set " <script>alert(document.domain)</script> as website name.
  • Fill other required fields with random values and save.
  • Then just visit the admin dashboard and the alert will fire.

Each time a target will visit the dashboard the payload will fire, even if the target is not logged in! Since the website redirects to /admin/ presenting the login form, but the payload is reflected also there.

In order to test this, just click logout and reload the page.

Screenshot from 2022-09-19 17-48-22

Screenshot from 2022-09-19 17-48-46
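
The three stored XSS reports on this page (page name, CDN setting, website name) come down to stored values being written into HTML without encoding for the output context. The following is an added example, not code from Total.js CMS or from the reporters: it shows context-aware output encoding applied to the payloads quoted in the reports, with `renderPageRow` and `renderAdminHead` as hypothetical stand-ins for the CMS templates.

```javascript
'use strict';

// Payloads as written in the reports on this page.
const PAGE_NAME = '"><img src=x onerror=alert(1)>';
const CDN_VALUE = '"</script><script>alert(document.domain)</script>';
const SITE_NAME = '" <script>alert(document.domain)</script>';

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encoder for HTML text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Encoder for data embedded in an inline <script> block. JSON.stringify alone
// leaves "</script>" intact, and the HTML parser ends the script element there
// regardless of the JavaScript string around it, so "<", ">" and "&" are
// emitted as \uXXXX escapes (plus the U+2028/U+2029 line separators).
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hypothetical page-list row: the name lands in an attribute and a text node.
function renderPageRow(page) {
  const name = escapeHtml(page.name);
  return `<tr><td><input value="${name}"></td><td>${name}</td></tr>`;
}

// Hypothetical admin layout fragment: title as text, settings inside a script.
function renderAdminHead(settings) {
  return `<title>${escapeHtml(settings.name)}</title>\n` +
    `<script>var settings = ${jsonForScript(settings)};</script>`;
}

// Counts "<" characters. With correct encoding only the template's own
// remain, so the count is the same for hostile and benign input.
function tagCount(html) {
  return (html.match(/</g) || []).length;
}

console.log(renderPageRow({ name: PAGE_NAME }));
console.log(renderAdminHead({ name: SITE_NAME, cdn: CDN_VALUE }));
```

The values survive intact as data: `JSON.parse(jsonForScript(CDN_VALUE))` returns the original string, so encoding at output time does not require rejecting or altering what administrators store.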

How do I run CMS using my own PostgreSQL

I want to share the data with other services, so I want to connect my own PostgreSQL.
But I found that NoSQL is used in the project, so I am asking how to change it more quickly.

Thanks

running debug.js error

node debug.js
-------------------------> DEBUG PID: 26915 (v2.9.2)
[TypeError: stream.prependListener is not a function]
======= 2018-01-31 06:54:57: TypeError: stream.prependListener is not a function TypeError: stream.prependListener is not a function
    at onFinished (/root/youpitchme/cms/node_modules/total.js/internal.js:3147:10)
    at global.WTF.global.NOBIN.global.NOCOUNTER.global.NOMEM.global.CONFIG.global.UPTODATE.global.INSTALL.global.UNINSTALL.global.RESOURCE.global.TRANSLATE.global.TRANSLATOR.global.TRACE.global.$$$.global.CREATE.global.SCRIPT.global.SINGLETON.global.FUNCTION.global.ROUTING.global.SCHEDULE.global.ROUTE.global.GROUP.global.WEBSOCKET.global.FILE.global.REDIRECT.global.CLEANUP (/root/youpitchme/cms/node_modules/total.js/index.js:436:2)
    at Database.emit.Database.removeListener.Database.$reader2 (/root/youpitchme/cms/node_modules/total.js/nosql.js:1204:3)
    at Database.emit.Database.removeListener.Database.$reader (/root/youpitchme/cms/node_modules/total.js/nosql.js:994:8)
    at Database.emit.Database.removeListener.Database.next (/root/youpitchme/cms/node_modules/total.js/nosql.js:576:8)
    at Immediate.next_operation (/root/youpitchme/cms/node_modules/total.js/nosql.js:233:7)
    at Immediate.immediate._onImmediate (timers.js:445:18)
    at processImmediate [as _immediateCallback] (timers.js:383:17)
[TypeError: stream.prependListener is not a function]
======= 2018-01-31 06:54:57: TypeError: stream.prependListener is not a function TypeError: stream.prependListener is not a function
    at onFinished (/root/youpitchme/cms/node_modules/total.js/internal.js:3147:10)
    at global.WTF.global.NOBIN.global.NOCOUNTER.global.NOMEM.global.CONFIG.global.UPTODATE.global.INSTALL.global.UNINSTALL.global.RESOURCE.global.TRANSLATE.global.TRANSLATOR.global.TRACE.global.$$$.global.CREATE.global.SCRIPT.global.SINGLETON.global.FUNCTION.global.ROUTING.global.SCHEDULE.global.ROUTE.global.GROUP.global.WEBSOCKET.global.FILE.global.REDIRECT.global.CLEANUP (/root/youpitchme/cms/node_modules/total.js/index.js:436:2)
    at Database.emit.Database.removeListener.Database.$reader2 (/root/youpitchme/cms/node_modules/total.js/nosql.js:1204:3)
    at Database.emit.Database.removeListener.Database.$reader (/root/youpitchme/cms/node_modules/total.js/nosql.js:994:8)
    at Database.emit.Database.removeListener.Database.next (/root/youpitchme/cms/node_modules/total.js/nosql.js:576:8)
    at Immediate.next_operation (/root/youpitchme/cms/node_modules/total.js/nosql.js:233:7)
    at Immediate.immediate._onImmediate (timers.js:445:18)
    at processImmediate (timers.js:383:17)
    at nextTickCallbackWith0Args (node.js:419:9)
    at process._tickCallback (node.js:348:13)
[TypeError: stream.prependListener is not a function]
======= 2018-01-31 06:54:57: TypeError: stream.prependListener is not a function TypeError: stream.prependListener is not a function
    at onFinished (/root/youpitchme/cms/node_modules/total.js/internal.js:3147:10)
    at global.WTF.global.NOBIN.global.NOCOUNTER.global.NOMEM.global.CONFIG.global.UPTODATE.global.INSTALL.global.UNINSTALL.global.RESOURCE.global.TRANSLATE.global.TRANSLATOR.global.TRACE.global.$$$.global.CREATE.global.SCRIPT.global.SINGLETON.global.FUNCTION.global.ROUTING.global.SCHEDULE.global.ROUTE.global.GROUP.global.WEBSOCKET.global.FILE.global.REDIRECT.global.CLEANUP (/root/youpitchme/cms/node_modules/total.js/index.js:436:2)
    at Database.emit.Database.removeListener.Database.$reader2 (/root/youpitchme/cms/node_modules/total.js/nosql.js:1204:3)
    at Database.emit.Database.removeListener.Database.$reader (/root/youpitchme/cms/node_modules/total.js/nosql.js:994:8)
    at Database.emit.Database.removeListener.Database.next (/root/youpitchme/cms/node_modules/total.js/nosql.js:576:8)
    at Immediate.next_operation (/root/youpitchme/cms/node_modules/total.js/nosql.js:233:7)
    at Immediate.immediate._onImmediate (timers.js:445:18)
    at processImmediate (timers.js:383:17)
    at nextTickCallbackWith0Args (node.js:419:9)
    at process._tickCallback (node.js:348:13)
====================================================
PID         : 26920
Node.js     : v4.2.6
Total.js    : v2.9.2
OS          : linux 4.4.0-109-generic
====================================================
Name        : CMS
Version     : 8.0.0
Author      : Peter Širka
Date        : 2018-01-31 06:54:57
Mode        : debug
====================================================

http://0.0.0.0:8000/
