Hiding Links Has No Purpose (other than not shown)

mlynchl (Junior Member, Posts: 11, Joined: 13/03/2012)
Posted on 23-03-2012 00:27
I just found out that hiding links doesn't resolve the issue of not allowing people to view the page the link refers to. e.g.
Contact Me(Us) page link is set to view only by Members and above, yet, a guest can simply type in websiteaddress/contact.php and still access the page to send spam mail if they want!
One of the big reasons for 'hiding' something from someone is to keep them from viewing what you're hiding! Considering how long PHP-Fusion has been around, I'm sure the usual hackers/spammers know every link by heart...
Other than using:
Code
if (!iMEMBER) {
redirect("index.php");
}
each time I choose to change the view on a link/page is there another code that could be used globally with the link on/off or group view switch?
Thanks! :)

ginny (Member, Posts: 74, Joined: 25/08/2005)
Posted on 23-03-2012 00:56
Very interesting, and I checked, you're right.
-g

JoiNNN (Admin, Posts: 292, Joined: 05/02/2011)
Posted on 23-03-2012 03:44
Visibility on links does what it says it does, thus it fulfills its purpose.
In other words, it is meant to hide some links in the navigation panel and not the pages themselves; it is not meant to do that.
However, what you ask for will probably be available in the next versions.
If not, it would be pretty easy to do it as an infusion, no core mods and stuff, I'll look into it.
Edited by JoiNNN on 23-03-2012 05:06

mlynchl (Junior Member, Posts: 11, Joined: 13/03/2012)
Posted on 23-03-2012 03:59
Sounds good to me JoiNNN...
I understand the intent of 'hiding' links, but security-wise it's an issue. We need to have more control over who can see what. After all, not allowing guests to see the member list works, the guest gets redirected when trying to force view member.php...
PHP-Fusion is by far the easiest CMS to work with, that's why it's going to be the most recommended for my business clients! However, on the down side, I can't sell an insecure product that's simple and easy to use if there is no control over who can do what... Know what I mean?
Anywho, I'll be looking forward to the next release and any code snippets anyone can provide for the meantime

Wanabo (Senior Member, Posts: 357, Joined: 06/02/2006)
Posted on 23-03-2012 17:46
It should be logical that when you make contact.php only visible for members in your site links (admin panel), contact.php cannot be accessed directly by guests.
It should be easy to alter all files that are accessed with a line of code that checks the database field "link_visibility" in table site_links, and grant access according to that setting.
I probably can come up with something, but it will take much time because I'm not a gifted coder. Coder experts think of something in 5 minutes.
I'm a control freak, so controlling visibility to links/files in the navigation panel (site links) really should also be controlling access to the files.

JoiNNN (Admin, Posts: 292, Joined: 05/02/2011)
Posted on 24-03-2012 09:15
Ok, I've been working something out, hope you'll find it useful.
- You add the pages as you do with panels exclusion on certain pages.
- Users will get redirected to the main page when accessing a disabled page. However, SuperAdmins can still access those pages and a warning message will be displayed.
Installation:
- place this file in /includes/ folder
- open /includes/header_includes.php file and add: include INCLUDES."disable_pages.php";
- go to Settings > Main, click Enable button on 'Disable Pages' section and add your pages
JoiNNN attached the following file:

Wanabo (Senior Member, Posts: 357, Joined: 06/02/2006)
Posted on 24-03-2012 11:32
I was more thinking of:
// NOT TESTED: sketch only, $global is a placeholder for wherever the page's
// site_links row (field link_visibility) has been loaded
if ($global['link_visibility'] != 0) {
redirect("index.php");
}
NOT TESTED
But then you have to modify all files which you want to protect. Perhaps something for a next version.
Your solution is easier.

mlynchl (Junior Member, Posts: 11, Joined: 13/03/2012)
Posted on 24-03-2012 18:00
I've been working on a file that tests the database link_visibility against the user's user_level and user_group. Obviously we don't want users who are not part of a certain group to have access to pages only for that group...
My file gets included in the maincore.php file and the page redirection seems to work for guests so far... Here's what I have that works:
Code
require_once "pgdeny.php";
I use HTMLKit, and I added this to line 1533 which is after all iMEMBER iGUEST settings are checked.
This is in the pgdeny.php that works for guests so far, I'm not including what I have been working on for members yet...
Code
<?php
if (!defined("IN_FUSION")) { die("Access Denied"); }
$furl = FUSION_SELF; // script file name only, e.g. "contact.php"
$auser = $userdata['user_name'];
$getgid = dbquery(
"SELECT link_name, link_url, link_visibility FROM ".DB_SITE_LINKS."
WHERE link_url='$furl'"
);
$gid = dbarray($getgid);
// dbarray() returns false when the page has no site-links row; treat that as public (0)
$puid = $gid ? (int)$gid['link_visibility'] : 0;
$getugid = dbquery(
"SELECT user_groups, user_level FROM ".DB_USERS."
WHERE user_name='$auser'"
);
$gotuid = dbarray($getugid);
// guests have no users row, so guard against a false result here as well
$ulid = $gotuid ? (int)$gotuid['user_level'] : 0;
$ugid = $gotuid ? substr($gotuid['user_groups'], 1) : '';
//$puid = The page visibility ID
//$ugid = The user GROUP ID
//$ulid = The user LEVEL ID
if (iGUEST) {
if ($puid > 0)
redirect("index.php");
}
?>
I'm having trouble with the operators and what not for iMEMBER / iUSER_GROUPS... I'm not a coder and the above took almost 16hrs just to get guests to work....
The other issue is getting the links that FUSION_SELF doesn't get, like infusions/aw_ecal_panel/calendar.php?cal=month&
FUSION_SELF only gets the first file name like news.php or articles.php...
I appreciate everyone helping out on this, I think once we get PHP_Fusion secured, we'll have more peace of mind! lol
BTW, feel free to add to my code... I'm not a huge license freak, but I'll be adding the right notices to the files once it's final :)

JoiNNN (Admin, Posts: 292, Joined: 05/02/2011)
Posted on 24-03-2012 18:57
mlynchl wrote:
The other issue is getting the links that FUSION_SELF doesn't get, like infusions/aw_ecal_panel/calendar.php?cal=month&
FUSION_SELF only gets the first file name like news.php or articles.php...
This is what you are looking for:
echo TRUE_PHP_SELF.(FUSION_QUERY ? "?".FUSION_QUERY : "");
Having a url like this: somesite.com/fusion/forum/viewthread.php?thread_id=1&pid=2
- TRUE_PHP_SELF will get /forum/viewthread.php
- (FUSION_QUERY ? "?".FUSION_QUERY : "") will get ?thread_id=1&pid=2
and combined you get /forum/viewthread.php?thread_id=1&pid=2
Have a look in /themes/templates/panels.php for more code examples, you'll find exactly what you are looking for there.

Tyler (Member, Posts: 161, Joined: 30/11/2011)
Posted on 24-03-2012 19:02
Or just use FUSION_REQUEST

JoiNNN (Admin, Posts: 292, Joined: 05/02/2011)
Posted on 24-03-2012 19:16
FUSION_REQUEST is better if you have Fusion installed in the main folder.
Given the example above, FUSION_REQUEST will result in /fusion/forum/viewthread.php?thread_id=1&pid=2

mlynchl (Junior Member, Posts: 11, Joined: 13/03/2012)
Posted on 27-03-2012 17:42
Well, so far what I have works for guests, members and members who are part of a group. However, there is something not working right when I try to use FUSION_REQUEST or TRUE_PHP_SELF as the database search; I used echo to view these and they start with a /, so I had that removed using substr, but it still didn't work... So for now, what I have won't work on PHP_Fusion's pages that have a directory included in the link, like forum/index.php, but works on everything else like faq.php and contact.php
As above, add this to line 1533 in maincore.php
Code
require_once "pgdeny.php";
And add this to pgdeny.php in the main fusion folder.
Code
<?php
if (!defined("IN_FUSION")) { die("Access Denied"); }
// Same behaviour as the original ((!iSUPERADMIN) || (!iADMIN)): super admins are
// exempt, everyone else (admins included) is checked.
if (!iSUPERADMIN) {
$furl = FUSION_SELF; // script file name only, e.g. "contact.php"
$getgid = dbquery(
"SELECT link_name, link_url, link_visibility FROM ".DB_SITE_LINKS."
WHERE link_url='$furl'"
);
$gid = dbarray($getgid);
// no site-links row means the page is not managed here; treat it as public (0)
$puid = $gid ? (int)$gid['link_visibility'] : 0;
// $userdata is already loaded by maincore.php, so no second lookup by user_name is
// needed (and no user-supplied name ends up inside a query)
$ulid = (int)$userdata['user_level'];
// user_groups is stored as ".1.3"; split it so membership in several groups works
$ugid = explode('.', substr($userdata['user_groups'], 1));
//$puid = The page visibility ID
//$ugid = The user GROUP IDs
//$ulid = The user LEVEL ID
if (iGUEST) {
if ($puid > 0)
redirect("index.php");
}
if (iMEMBER && !iUSER_GROUPS) {
if ($puid > 0 && $puid < 101)
redirect("index.php");
if ($puid > $ulid) redirect("index.php");
}
if (iUSER_GROUPS) {
if ($puid > 0 && $puid < 101) {
// a single != compare failed for users in more than one group
if (!in_array((string)$puid, $ugid, true))
redirect("index.php");
}
if ($puid > 101)
redirect("index.php");
}
}
?>
Please feel free to add more input and inform me of any glitches. Like I said, I know it doesn't work for custom pages and any links that lead to a directory/file
I have tried the examples you all gave me to replace FUSION_SELF, but for some reason the MySQL database isn't accepting those either, so feel free to play with the code!
Thank you everyone for your help!
PS at least this code will keep guests from sending messages via Contact.php!
Edited by mlynchl on 27-03-2012 18:15

smokeman (Veteran Member, Posts: 960, Joined: 23/06/2006)
Posted on 27-03-2012 18:27
JoiNNN wrote:
Installation:
- place this file in /includes/ folder
- open /includes/header_includes.php file and add: include INCLUDES."disable_pages.php";
- go to Settings > Main, click Enable button on 'Disable Pages' section and add your pages
Hi JoiNNN.
I did what you wrote, but I can't see the new field in Admin > Main.
I get an error in the log on all admin pages too, except on the main settings page:
Use of undefined constant TRUE_PHP_SELF - assumed 'TRUE_PHP_SELF' Linje: 28

JoiNNN (Admin, Posts: 292, Joined: 05/02/2011)
Posted on 27-03-2012 19:24
@smokeman
I wrote/tested the code on 7.02.04, haven't tested other versions.
About the error, TRUE_PHP_SELF is defined in the maincore.php, if you get an undefined error you might have an older version of Fusion.
Edited by JoiNNN on 27-03-2012 19:33

mlynchl (Junior Member, Posts: 11, Joined: 13/03/2012)
Posted on 27-03-2012 19:42
JoiNNN wrote:
@smokeman
I wrote/tested the code on 7.02.04, haven't tested other versions.
I guess I should point out that the code I provided is also only tested and used for version 7.2.4 as well...
Thanks JoiNNN!!

JoiNNN (Admin, Posts: 292, Joined: 05/02/2011)
Posted on 27-03-2012 20:52
mlynchl wrote:
Well, so far what I have works for guests, members and members who are part of a group. However, there is something not working right when I try to use FUSION_REQUEST or TRUE_PHP_SELF as the database search; I used echo to view these and they start with a /, so I had that removed using substr, but it still didn't work... So for now, what I have won't work on PHP_Fusion's pages that have a directory included in the link, like forum/index.php, but works on everything else like faq.php and contact.php
@mlynchl
You ignored my post here.
Always look through core files for code snippets and how they do stuff.
Here is the complete code to restrict pages based on link visibility, place it inside includes/header_includes.php
// script path relative to the site root, e.g. "forum/viewthread.php", and the same
// path with its query string, e.g. "forum/viewthread.php?thread_id=1&pid=2"
$path = ltrim(TRUE_PHP_SELF, '/'); // remove first slash
$page = $path.(FUSION_QUERY ? "?".FUSION_QUERY : "");
// FUSION_QUERY is the raw query string of the request, so both values are passed
// through the core's stripinput() before they are interpolated into SQL
$path = stripinput($path);
$page = stripinput($page);
// match both forms exactly: a link stored as "contact.php" then also covers a request
// for "contact.php?..." , a link stored with its query string (the calendar case
// above) still matches, and "index.php" no longer picks up "forum/index.php" the way
// a trailing-wildcard LIKE would (which could redirect index.php to itself)
$result = dbquery("
SELECT link_url, link_visibility FROM ".DB_SITE_LINKS."
WHERE link_url IN ('".$path."', '".$page."')
AND link_url != '---'
AND link_url NOT LIKE '%tp%://%'
");
if (dbrows($result)) {
while ($data = dbarray($result)) {
if (!checkgroup($data['link_visibility'])) {
redirect(BASEDIR."index.php");
}
}
}
_______
Those still interested in disabling certain pages/sections of the site should also have a look at this addon by Philip.
Remember to change TYPE=MyISAM to ENGINE=MyISAM in infusion.php if you are getting any errors.
_______
Edited by JoiNNN on 29-03-2012 22:09
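Pulling the thread together, here is an added example (my own code, not PHP-Fusion's checkgroup() and not anything posted above) that models the page check as a few pure functions: visibility values follow the convention used in the thread (0 public, 101 member, 102 admin, 103 super admin, any other value a group id; user_groups stored as ".1.3"), the links array is a constructed stand-in for the site_links table, and all function names are hypothetical.

```php
<?php
// Added example, not PHP-Fusion core code. Visibility convention as used in the
// thread: 0 = everyone, 101 = members, 102 = admins, 103 = super admins,
// any other positive value = a user group id. user_groups is stored as ".1.3".

function can_view(int $visibility, int $user_level, string $user_groups): bool {
    if ($user_level >= 103) return true;                        // super admin sees everything
    if ($visibility === 0)  return true;                        // public page
    if ($visibility >= 101) return $user_level >= $visibility;  // level-gated page
    // group-gated page: caller must be a member AND the id must be in their group list
    $groups = explode('.', ltrim($user_groups, '.'));
    return $user_level >= 101 && in_array((string)$visibility, $groups, true);
}

// Lookup keys for the links table: the script path alone, and path plus query string,
// so a link stored as "contact.php" also covers "contact.php?foo=bar" while a link
// stored with its query (the calendar case from the thread) still matches exactly.
function page_keys(string $true_php_self, string $query): array {
    $path = ltrim($true_php_self, '/');
    return $query === '' ? [$path] : [$path, $path.'?'.$query];
}

// True when the current request must be redirected to index.php.
// $links is a constructed stand-in for site_links: link_url => link_visibility.
function must_redirect(array $links, string $self, string $query, int $level, string $groups): bool {
    foreach (page_keys($self, $query) as $key) {
        if (array_key_exists($key, $links) && !can_view($links[$key], $level, $groups)) {
            return true;
        }
    }
    return false;   // unknown or allowed page: fall through to normal rendering
}

// Constructed sample links table, sample callers and sample requests.
$links = [
    'index.php'                                      => 0,
    'contact.php'                                    => 101,
    'forum/index.php'                                => 101,
    'infusions/aw_ecal_panel/calendar.php?cal=month' => 3,
    'administration/index.php'                       => 102,
];
$callers  = ['guest' => [0, ''], 'member' => [101, '.1.3'], 'admin' => [102, '']];
$requests = [['/contact.php', 'spam=1'], ['/forum/index.php', ''],
             ['/infusions/aw_ecal_panel/calendar.php', 'cal=month'], ['/administration/index.php', '']];
foreach ($callers as $who => [$level, $groups]) {
    foreach ($requests as [$self, $query]) {
        printf("%-6s %-45s %s\n", $who, $self.($query ? '?'.$query : ''),
               must_redirect($links, $self, $query, $level, $groups) ? 'redirect' : 'allow');
    }
}
```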