1
brentw
module security
  • 2005/11/18 14:00

  • brentw

  • Just popping in

  • Posts: 18

  • Since: 2005/5/25


Hello all.

I'm trying to figure out how to secure all html/php files in a module directory and ALL sub-directories. I don't want anyone to figure out a URL to a file in a sub-directory and be able to directly access it w/out logging in w/ the right permissions.

It seems you can create sub-directories in a module (besides admin, for example), copy files there, and then pull them up in a browser w/out logging in.

Is there an easy fix w/out having to individually list all files or break up my modules?

Thanks

Brent

2
bluenova
Re: module security

Quote:
It seems you can create sub-directories in a module (besides admin, for example), copy files there, and then pull them up in a browser w/out logging in.

Can you explain this? It sounds like a server security issue not a XOOPS issue.

3
brentw
Re: module security
  • 2005/11/18 15:55

  • brentw

  • Just popping in

  • Posts: 18

  • Since: 2005/5/25


I'll try to explain by example.

In modules/xoopspoll, I created a directory "test". I copied a dummy index.php file into the test/ sub-dir:

code:
<?php
include("../../../mainfile.php");
include(XOOPS_ROOT_PATH."/header.php");
$xoopsOption['show_rblock'] = 1;
?>
Hello World!
<?php
include(XOOPS_ROOT_PATH."/footer.php");
?>


If I pull up my browser (NOT LOGGED IN TO XOOPS), and access page:
/html/modules/xoopspoll/index.php

I get the "you don't have permission to access this area" warning w/ a redirect.

If I access the page:
/html/modules/xoopspoll/test/index.php

The page loads fine w/ the login block displayed as well.

I want to be able to redirect ANY access to a file in a module for which a user does not have permission.

Make sense?

4
brentw
Re: module security
  • 2005/11/21 13:35

  • brentw

  • Just popping in

  • Posts: 18

  • Since: 2005/5/25


I got excited thinking I was going to get some help. Anyone have any ideas? Other than manually coding every php file or a header.php file to check for user/group login info?

Thanks

Brent

5
davidl2
Re: module security
  • 2005/11/21 13:51

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


You'll need to put a condition on any required page to see if the user is logged in, and has permission to view the content.

Unfortunately as a non-coder I do not know the required code - but I'm sure someone can help with this...

6
highlander
Re: module security
  • 2005/11/21 13:57

  • highlander

  • Not too shy to talk

  • Posts: 151

  • Since: 2004/12/5


Hi Brent,

sorry to say I am not a great coder either but I use the following :

// Send visitors who are not logged in back to the previous page
if (empty($xoopsUser))
{
    redirect_header("javascript:history.go(-1)", 3, _NOPERM);
    exit();
}


hope it helps !

greetings Highlander
So, I'm in the park wondering why frisbees get larger as they get closer when suddenly, it hits me...
http://www.AnimalPedigree.com

7
davidl2
Re: module security
  • 2005/11/21 14:05

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


That's the sort of thing I mean .. yes

8
Shine
Re: module security
  • 2005/11/21 14:47

  • Shine

  • Just can't stay away

  • Posts: 822

  • Since: 2002/7/22


Or if you feel like doing this considering a group and making use of include pages:

//Shine: group permission added //

global $xoopsUser;
if (!empty($xoopsUser)) {
    $group = $xoopsUser->getGroups();

    if (in_array(2, $group)) { //or other group-IDs
        // end group //
        include("blabla.php");
    } else {
        include("noentrance.php");
    }
}
// close group perm


I still haven't figured out if you have more groups and want these also in this code.
If somebody knows.....

Grtz., Shine

9
brentw
Re: module security
  • 2005/11/21 15:38

  • brentw

  • Just popping in

  • Posts: 18

  • Since: 2005/5/25


Thanks for the replies. The redirect works perfectly.

One more question: How can we lookup the group(s) that are allowed to access a module? I'd like to check for group permission w/out statically specifying any group names or ids.

Thanks

Brent

10
kaotik
Re: module security
  • 2005/11/21 15:50

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


you can check the dev wiki
or
use something like this:
//Group permissions
$allowed = 0;
$perm_name = 'perm_path';
$perm_itemid = '1';
// Logged-in users bring their own groups; everyone else is anonymous
if ($xoopsUser) {
    $groups = $xoopsUser->getGroups();
} else {
    $groups = XOOPS_GROUP_ANONYMOUS;
}

$module_id = $xoopsModule->getVar('mid');

$gperm_handler =& xoops_gethandler('groupperm');
if ($gperm_handler->checkRight($perm_name, $perm_itemid, $groups, $module_id)) {
    $allowed = 1;
}


Then you can perform checks such as:
if ($allowed == 1) {
    //this group is allowed so do something
} else {
    //this group ISN'T allowed so do something else
}
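
Added example (not code from any poster in this thread or from XOOPS core): one shared guard file that every page in a module sub-directory includes right after mainfile.php, so the module's group permission is looked up at request time instead of hard-coding group IDs. The file name guard.php, its location in modules/<dirname>/include/, the $guard_* variable names and the use of the 'module_read' permission name for module access rights are assumptions.

```php
<?php
// guard.php: hypothetical shared include (added example, not XOOPS core code).
// Include it right after mainfile.php in every page below the module root:
//   include "../../../mainfile.php";
//   include "../include/guard.php";

if (!defined('XOOPS_ROOT_PATH')) {
    exit(); // requested directly, outside XOOPS: do nothing
}

// Derive the module directory name from this file's location rather than
// hard-coding it. Assumes guard.php lives in modules/<dirname>/include/.
$guard_dirname = basename(dirname(dirname(__FILE__)));

$module_handler = xoops_gethandler('module');
$guard_module   = $module_handler->getByDirname($guard_dirname);

// Same group lookup as in the post above: visitors who are not logged in
// are evaluated as the anonymous group.
$guard_groups = is_object($xoopsUser)
    ? $xoopsUser->getGroups()
    : XOOPS_GROUP_ANONYMOUS;

// Assumption: the module access rights granted in the Groups admin are
// stored under the permission name 'module_read', with the module id as
// the item id (checkRight's fourth argument is left at its default).
$gperm_handler = xoops_gethandler('groupperm');

// Fail closed: an unknown module, an inactive module, or a missing right
// all end in the same redirect.
if (!is_object($guard_module)
    || !$guard_module->getVar('isactive')
    || !$gperm_handler->checkRight('module_read', $guard_module->getVar('mid'), $guard_groups)) {
    redirect_header(XOOPS_URL . '/user.php', 3, _NOPERM);
    exit();
}
```

Because the check runs before header.php is included, a denied request never renders any of the page's own output.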
