Covid-19 Gust registration & mac tracing

Dear all,

I have created two projects using Cockpit CMS. These projects are interesting for companies which are having some people in the office even during Covid-19 and are sick of tracing who comes to the office or have customers in the office and do not want to hand out “pen and paper” to collect the data which guest has been in the office at what time.

The first use case is to trace the mac addresses which are located in a network and store them on Cockpit CMS: Mobile phone tracing for the office

The second use case is a Guest Registration system which uses a React client and Cockpit CMS as backend: Covid-19 Open Source Guest Registration (Github: GitHub - terencejackson8000/covid19-company-guest-registration)

If this is useful for you feel free to use it. Feedback is also very welcome about the use cases.


Nice tutorial and showcase. I have some minor feedback:

Now that this is setup navigate to http://localhost/cockpit/install to finish the installation.

Don’t forget to change the admin password :slight_smile:

That’s it. Of course you can also use the Cockpit Docker image, if you are familiar with Docker.

The official Docker container is outdated. So you should create your own docker image first.

Now you need to get the Cockpit token which is necessary to call the Cockpit API. The token can be generated under Cockpit → Setting → API Access ->Add custom key.

Don’t use the rule *. Add a specific route/rule, that is only allowed to add new entries. Otherwise your admin token could be exposed in the network (WLAN) or in log files.

Same for the url/api/collections/remove/Guest and the "/api/collections/save/Guest?token=" + Config.webServiceToken requests - I would create custom api endpoints with specified filters to avoid any malicious requests.

Thank you very much for the feedback. I have incorporated it in the post and the source code.

Can you please clarify what you mean by specified filters for the custom API endpoint?

I had a few things in mind. First, admin tokens should only be used for local development/testing. You never know, if or where it could be exposed in a future use case. When everything works, you can create tokens to query specific routes.

So xxToken1xx can query /api/collections/save/Guest. Now you can’t delete entries with this token → fine. But your intention is to allow only new entries. If you send an existing id, you can change entries.

To prevent this, you could play with user group permissions or with complicated context permissions (rules in the collection settings) or you can create custom api endpoints.


Create a file config/api/register-guest.php. You can query it with and you can add an api token /api/register-guest. Here, the “specified filters” part isn’t relevant.

$data = $app->param('data');

// server side validation (never trust clients)
$validated = true;

if (!$validated) {
    return ['error' => 'wrong'];
} else {
    return $app->module('collections')->save('Guest', $data);

Removing old data


Here you can simplify the cron script if you create hardcoded filters for a custom api endpoint.

$xdaysago = 14;
$filter = ['checkIn' => ['$lte' => $xdaysago]];
return $app->module('collections')->remove('Guest', $filter);

Now you only have to query without any filter.

If the cronjob is on the same server, you don’t even need curl. You could create a cli command instead and call a php script directly via crontab. But that’s another topic.

To summarize… Of course, you can use the nice and simple api and filters, that cockpit offers by default. But if you know, that you only need two api keys to do two very specific jobs, you don’t have to give more permissions than needed (like changing data, fetching different data than the own user, deleting data with custom filters etc.). Using custom endpoints just simplifies the permission management in this case.

1 Like

Thanks a lot for the detailed explanation. Sounds reasonable to me. I will give it a shot :slight_smile: