XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Community Support forums / 
  3. 2.5.x Support 
  4.  / Restricted access to custom PHP page?
Register
1
vmax2extreme
Restricted access to custom PHP page?

Hello,

I have designed a custom PHP page that is linked to a MySQL separate database table other than the xoops user database. My question is how do I restrict access from outside users that aren't registered on our xoops site from executing this PHP file?
2
xoobaru
Re: Restricted access to custom PHP page?

  • 2012/9/22 1:41

  • xoobaru

  • Just can't stay away

  • Posts: 494

  • Since: 2010/12/2


Where is the file located, inside the xoops path?
3
vmax2extreme
Re: Restricted access to custom PHP page?

Yes, the page is under modules/xcenter/<subfolder>/
4
Anonymous
Re: Restricted access to custom PHP page?

  • 2012/9/22 14:13

  • Anonymous

  • Posts: 0

  • Since:


In case it is a single file script you could wrap the dummy module around it. In this way xoops sees it as a module so you can work with permissions. I'v done this with a donation script, it works great!

Put something like
include(XOOPS_ROOT_PATH."/modules/dummy/script.php");
in index.php from the dummy module. Just next to
include(XOOPS_ROOT_PATH."/header.php");
5
vmax2extreme
Re: Restricted access to custom PHP page?

I am trying to setup your dummy module to protect this custom PHP script when executed so that it can only be run by logged in members. Here is what we are running:

include("../../mainfile.php");
include(XOOPS_ROOT_PATH."/header.php");
include(XOOPS_ROOT_PATH."/modules/MemberInfo/memberlist.php");

We have a custom script designed to query read only info from our additional membership database and present it when queried as follows:

<www.mydomain.com>/modules/MemberInfo/Memberlist/memberlist.php?region=MD

The query works fine, but how do I lock it down with permissions so that only logged in members can do this query and not guests if they have the url query? At this time its setup but guests can get to the queries too now. We do not want this.

Thanks,

Mike Moore
6
Mamba
Re: Restricted access to custom PHP page?

  • 2012/10/8 15:49

  • Mamba

  • Moderator

  • Posts: 11367

  • Since: 2004/4/23


See some background info in this thread. That's if you want to have permissions for various groups. If you just want to do it for all registered users, you could probably wrap it up in your template by something:
<{if $xoops_isuser}>

your query results

<{else}>
sign up for membership
<{/if}>
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs
7
vmax2extreme
Re: Restricted access to custom PHP page?

Quote:

Mamba wrote:
See some background info in this thread. That's if you want to have permissions for various groups.

If you just want to do it for all registered users, you could probably wrap it up in your template by something:

<{if $xoops_isuser}>

your query results

<{else}>
sign up for membership
<{/if}>


I have about 20 different quieries off this php script that are being performed. I went into group permissions and removed annonymous access to the dummy module, but its still not being locked down. I need to have it locked down that if a non registered member runs the script somehow, it will either give them access denied or some sort of error code. As for now, it still enumerates the results which we definately do not warrant.

Mike
8
zyspec
Re: Restricted access to custom PHP page?

  • 2012/10/8 20:46

  • zyspec

  • Module Developer

  • Posts: 1095

  • Since: 2004/9/21


You can use htaccess to limit access. I've used the following script to make sure the user only came from a known referrer....

# stop hotlinking and serve alternate content
 RewriteEngine on
 RewriteCond %{HTTP_REFERER} !^http://(www.)?YOURURL/.mypage.php$ [NC]
 RewriteRule .*.(zip|pdf)$ http://YOURURL/uploads/directory/forbidden.jpg [R,NC,L]

Options All -Indexes
IndexIgnore *
AddType application/octet-stream .pdf


NOTE: The code above isn't displayed quite right... the XOOPS forum text sanitizer is eating some of the code, but you can get the general idea from what's posted...

This let me serve a .zip and/or a .pdf file and only allow access if the user came from a page on my site. That page was only accessable once a user had logged in... Otherwise it displayed a graphic (forbidden.jpg) instead.

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

99 user(s) are online (57 user(s) are browsing Support Forums)

Members: 0

Guests: 99

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: May 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits