XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Community Support forums / 
  3. XOOPS general usage questions 
  4.  / module security
Register
1
brentw
module security

  • 2005/11/18 14:00

  • brentw

  • Just popping in

  • Posts: 18

  • Since: 2005/5/25


Hello all.

I'm trying to figure out how to secure all html/php files in a module directory and ALL sub-directories. I don't want anyone to figure out a URL to a file in a sub-directory and be able to directly access it w/out logging in w/ the right permissions.

It seems you can create sub-directories in a module (besides admin, for example), copy files there, and then pull them up in a browser w/out logging in.

Is there an easy fix w/out having to individually list all files or break up my modules?

Thanks

Brent
2
bluenova
Re: module security

Quote:
It seems you can create sub-directories in a module (besides admin, for example), copy files there, and then pull them up in a browser w/out logging in.

Can you explain this? It sounds like a server security issue not a XOOPS issue.
3
brentw
Re: module security

  • 2005/11/18 15:55

  • brentw

  • Just popping in

  • Posts: 18

  • Since: 2005/5/25


I'll try to explain by example.

in modules/xoopspoll, i created a directory "test". I copied a dummy index.php file into the test/ sub-dir:

code:
include("../../../mainfile.php");
include(XOOPS_ROOT_PATH."/header.php");
$xoopsOption['show_rblock'] = 1;
?>
Hello World!

include(XOOPS_ROOT_PATH."/footer.php");
?>


If I pull up my browser (NOT LOGGED IN TO XOOPS), and access page:
/html/modules/xoopspoll/index.php

I get the "you don't have permission to access this area" warning w/ a redirect.

If I access the page:
/html/modules/xoopspoll/test/index.php

The page loads fine w/ the login block displayed as well.

I want to be able to redirect ANY access to a file in a module for which a user does not have permission.

Make sense?
4
brentw
Re: module security

  • 2005/11/21 13:35

  • brentw

  • Just popping in

  • Posts: 18

  • Since: 2005/5/25


I got excited thinking I was going to get some help. Anyone have any ideas? Other than manually coding every php file or a header.php file to check for user/group login info?

Thanks

Brent
5
davidl2
Re: module security

  • 2005/11/21 13:51

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


You'll need to put a condition on any required page to see if the user is logged in, and has permission to view the content.

Unfortunately as a none-coder I do know know the required code - but I'm sure someone can help with this...
6
highlander
Re: module security

  • 2005/11/21 13:57

  • highlander

  • Not too shy to talk

  • Posts: 151

  • Since: 2004/12/5


Hi Brent,

sorry to say I am not a great coder either but I use the following :

if (empty($xoopsUser)) 
{
    redirect_header("javascript:history.go(-1)"3_NOPERM);
    exit();
}


hope it helps !

greetings Highlander
So, I'm in the park wondering why frisbees get larger as they get closer when suddenly, it hits me...
http://www.AnimalPedigree.com
7
davidl2
Re: module security

  • 2005/11/21 14:05

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


That's the sort of thing I mean .. yes
8
Shine
Re: module security

  • 2005/11/21 14:47

  • Shine

  • Just can't stay away

  • Posts: 822

  • Since: 2002/7/22


Or if you feel like doing this considering a group and making use of include pages:

//Shine: Groeppermission added //

global $xoopsUser;
if(!empty($xoopsUser)) {
$group $xoopsUser->getGroups();

if (in_array(2$group)) { //or other group-IDs
// end groep //

include("blabla.php");
else {
include("noentrance.php"); 
}

// close groepperm
// close groepperm


I still haven't figured out if you have more groups and want to these also in this code.
If somebody knows.....

Grtz., Shine
9
brentw
Re: module security

  • 2005/11/21 15:38

  • brentw

  • Just popping in

  • Posts: 18

  • Since: 2005/5/25


Thanks for the replies. The redirect works perfectly.

One more question: How can we lookup the group(s) that are allowed to access a module? I'd like to check for group permission w/out statically specifying any group names or ids.

Thanks

Brent
10
kaotik
Re: module security

  • 2005/11/21 15:50

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


you can check the dev wiki
or
use something like this:
//Group permissions
$allowed=0;
$perm_name 'perm_path';
$perm_itemid '1';
    if ($xoopsUser) {
        $groups $xoopsUser->getGroups();
    } else {
        $groups XOOPS_GROUP_ANONYMOUS;
    } 
    $module_id $xoopsModule->getVar('mid');
    $gperm_handler =& xoops_gethandler('groupperm');
        if ($gperm_handler->checkRight($perm_name$perm_itemid$groups$module_id)) {
        $allowed=1;
    }


Then you can perform checks such as:
if ($allowed==1){
//this group is allowed so do something
} else {
//this group ISN'T allowed so do something else
}

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

476 user(s) are online (415 user(s) are browsing Support Forums)

Members: 0

Guests: 476

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits