What is the best way to allow users to change templates?

In one of my projects, my users will have a dedicated part of my website ({username}.example.org). In that subdomain, I plan to allow them to change the design easily. I took a look at some online websites that already do that, like Tumblr, Posterous and Shopify.

Regarding the language of this application, I started it with Django, in which I successfully implemented a "template rendering based on the url name with default as fallback" (http://someuser.example.com will load the templates in templates/someuser/* or in templates/generic/* if not found in the first). But I can port it to PHP or Play!Framework if they are better adapted to my needs.

The template engine used is Jinja2, since it is as simple as the Django template engine, easy to learn, and safe (no Python code can (should normally!) be executed).

Here are the pros/cons of each solution I found. I would really appreciate your thoughts on that and which way you would go, and why. Thanks.

Note: The users will have a good knowledge of HTML/CSS.

Changing vars (like title color, etc.)

  • Pros:
    1. Simple & secure
  • Cons:
    1. Too limited, a user who wants to personalize his website won't be able to do so with this solution

Only upload CSS

  • Pros:
    1. Simple to integrate
    2. Secure
  • Cons:
    1. Limited
    2. Where are the user images stored? (logo, background, some gradient, etc.)

Allow user to edit templates (stored in the database)

  • Pros:
    1. Changes are more important
    2. The user is (almost) free to do whatever he wants (implement GA, FeedBurner, etc.)
  • Cons:
    1. Where do they put the static files (logo, background-image, some special effect (gradient))?
    2. Templates are stored in the database, which requires one more SQL request for each page displayed

Allow user to edit templates (stored in files)

  • Pros:
    1. Changes are more important
    2. The user is (almost) free to do whatever he wants (implement GA, FeedBurner, etc.)
    3. FTP access can be enabled, rooting the user in his template dir.
  • Cons:
    1. The same problem for the static files

Also, where I'm stuck is about how to handle static files (images, css, js): I can't see how to define a VirtualHost in Apache (or NGinx) that would query the database to see which user this url belongs to.

Thanks for your help, I appreciate it!

Cyril N. asked Apr 27 '11 06:04
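The "user templates first, generic as fallback" lookup described in the question, as an added illustration (this is not the asker's Django code). The one point it adds is that the username comes from the Host header and is joined to a filesystem path, so it is validated as a single DNS label before any lookup; the directory tree and the `demo` helper are constructed for the example.

```python
"""Per-user template lookup with a generic fallback (added example, stdlib only).

Mirrors the question's layout: templates/<username>/<name> is tried first,
then templates/generic/<name>. The username comes from the Host header, so it
is validated as a DNS label before it is ever joined to a filesystem path.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

# One DNS label: letters, digits, hyphens; no dots, so no way to walk out of
# the templates directory. "generic" is reserved for the fallback set.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Template names: a plain file name with optional extensions, no separators.
TEMPLATE_NAME_RE = re.compile(r"^[a-z0-9_-]+(?:\.[a-z0-9]+)*$")
RESERVED = {"generic"}


def user_from_host(host: str, base_domain: str = "example.org") -> Optional[str]:
    """Return the username in <username>.<base_domain>, or None if the Host
    header does not name exactly one valid, non-reserved subdomain label."""
    hostname = host.split(":", 1)[0].lower().rstrip(".")
    suffix = "." + base_domain
    if not hostname.endswith(suffix):
        return None
    label = hostname[: -len(suffix)]
    if not LABEL_RE.match(label) or label in RESERVED:
        return None
    return label


def resolve_template(root: Path, username: Optional[str], name: str) -> Optional[Path]:
    """Pick templates/<username>/<name> if it exists, else templates/generic/<name>."""
    if not TEMPLATE_NAME_RE.match(name):
        return None
    root = root.resolve()
    search = [root / username] if username else []
    search.append(root / "generic")
    for directory in search:
        candidate = directory / name
        # The regexes already forbid traversal; additionally refuse anything
        # that resolves outside the templates root (for example via a symlink).
        if candidate.is_file() and root in candidate.resolve().parents:
            return candidate
    return None


def demo() -> dict:
    """Build a constructed templates tree in a temp dir and exercise the lookup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "generic").mkdir()
        (root / "generic" / "index.html").write_text("<h1>generic</h1>")
        (root / "generic" / "about.html").write_text("<p>about</p>")
        (root / "someuser").mkdir()
        (root / "someuser" / "index.html").write_text("<h1>someuser</h1>")

        def lookup(host: str, name: str) -> Optional[str]:
            path = resolve_template(root, user_from_host(host), name)
            return path.read_text() if path else None

        return {
            "own": lookup("someuser.example.org", "index.html"),
            "fallback": lookup("someuser.example.org", "about.html"),
            "unknown_user": lookup("nobody.example.org", "index.html"),
            "bad_label": user_from_host("..example.org"),
            "two_labels": user_from_host("a.b.example.org"),
            "traversal": lookup("someuser.example.org", "../generic/index.html"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

`demo()` shows the three normal outcomes (own template, fallback to generic, unknown user served the generic set) and three rejected inputs (an empty label, a two-label host, a traversal-shaped template name), all returning `None` rather than touching the filesystem.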


1 Answer

Ok, I'll answer myself based on what I did and my research.

As Steve mentioned, you have to be very careful about letting users customise page layout.

The risk must be well evaluated!

In my case, letting users change the complete HTML/CSS/JS is possible, in a way, like Posterous or Tumblr does.

The risks are:

  • A user could add JavaScript code that would collect the auth cookies of other users. Doing so, this user could have access to any auth token for the admin part of every other user. A simple solution is to avoid cross cookies between the admin part and the user website.
  • A user could try to execute code in the template, like Python, PHP, Java, Ruby, etc. (depending on what is used). The solution here is to use a template engine that entirely disallows the use of code, only tags. Jinja2 for python is a perfect fit for that.

If those two conditions are well evaluated, the option "Allow user to edit templates (stored in the database)" is a good solution.

But if you are worried about too many hits on the database, the last solution, aka "Allow user to edit templates (stored in files)", could be possible, if:

  • You make sure the user can't access any folder other than the template directory he has access to. You can do so with something like setting up an FTP server that uses the database for user access (like ProFTPd with MySQL), and chrooting the user in his template dir. A quota is also very important to set up, in order to prevent your user from using his template dir as a storage device ;)

Well, I think I covered the whole problem. It's possible I missed some points; if so, please add a comment or a new post and I will complete the answer.

Cyril N. answered Jan 03 '23 17:01
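The two mitigations the answer names, as an added example that is not the answerer's code: user templates are rendered through Jinja2's `SandboxedEnvironment` (which refuses underscore-prefixed attributes and callables marked with `@unsafe`, and here also autoescapes every variable), and the admin session cookie is emitted host-only so a script in a user page on `{username}.example.org` never receives it. The `Site` object, the in-memory `USER_TEMPLATES` table and the two sample templates are constructed for the example; `purge` is a hypothetical method standing in for any application action a template must not be able to trigger.

```python
"""Rendering user-owned templates in Jinja2's sandbox (added example)."""
from http.cookies import SimpleCookie
from types import SimpleNamespace
from typing import Any, Dict, List, Tuple

from jinja2.exceptions import SecurityError, TemplateSyntaxError
from jinja2.sandbox import SandboxedEnvironment, unsafe


class Site:
    """Application object handed to user templates (constructed stand-in)."""

    def __init__(self, title: str) -> None:
        self.title = title

    @unsafe  # the sandbox refuses to call anything marked this way
    def purge(self) -> str:  # hypothetical destructive action
        return "would delete data"


# Constructed stand-in for the "templates" table: username -> template source.
USER_TEMPLATES: Dict[str, str] = {
    "alice": "<h1>{{ site.title }}</h1>"
             "<ul>{% for p in posts %}<li>{{ p.title }}</li>{% endfor %}</ul>",
    "mallory": "{{ site.purge() }}",
}

# One sandboxed environment for all user pages; autoescape applies to every
# variable, so a post title cannot inject markup into another user's page.
ENV = SandboxedEnvironment(autoescape=True)


def check_template(source: str) -> str:
    """Run at save time: reject templates that do not even parse."""
    try:
        ENV.parse(source)
    except TemplateSyntaxError as exc:
        return f"rejected: {exc}"
    return "ok"


def render_user_page(username: str, title: str, post_titles: List[str]) -> Tuple[bool, str]:
    """Render the user's stored template; (True, html) or (False, reason)."""
    context: Dict[str, Any] = {
        "site": Site(title),
        "posts": [SimpleNamespace(title=t) for t in post_titles],
    }
    try:
        return True, ENV.from_string(USER_TEMPLATES[username]).render(**context)
    except SecurityError as exc:
        # Log this server-side; the template is tampering with the sandbox.
        return False, f"blocked: {exc}"


def admin_session_cookie(token: str) -> str:
    """Set-Cookie value for the admin host only. No Domain attribute is set,
    so the browser keeps the cookie host-only and never sends it to
    {username}.example.org, where user-authored JavaScript runs."""
    jar = SimpleCookie()
    jar["admin_session"] = token
    jar["admin_session"]["path"] = "/"
    jar["admin_session"]["httponly"] = True
    jar["admin_session"]["secure"] = True
    jar["admin_session"]["samesite"] = "Strict"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print(render_user_page("alice", "My blog", ["Hello", "<script>x</script>"]))
    print(render_user_page("mallory", "My blog", []))
    print(admin_session_cookie("constructed-token"))
```

Note what the sandbox does and does not do: it stops the template from calling into the application (`mallory`'s page is blocked with a `SecurityError`), but it cannot stop the author from writing raw `<script>` tags into their own page, which is exactly why the admin cookie must not be shared across the user subdomains.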