Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site, or upgrade to a Web browser that does support JavaScript.
Not a member yet? Click here to register.
Forgot Password?

Hiding Links Has No Purpose (other than not shown)

Asked Modified Viewed 8,045 times
M
mlynchl
M
  • Junior Member, joined since
  • Contributed 10 posts on the community forums.
  • Started 2 threads in the forums
  • Started this discussions
asked
Junior Member

I just found out that hiding links doesn't resolve the issue of not allowing people to view the page the link refers to. e.g.

Contact Me(Us) page link is set to view only by Members and above, yet, a guest can simply type in websiteaddress/contact.php and still access the page to send spam mail if they want!

One of the big reasons for 'hiding' something from someone is to keep them from viewing what you're hiding! Concidering how long PHPFusion has been around, I'm sure the usual hackers/spammers know every link by heart...

Other than using:

if (!iMEMBER) {
   redirect("index.php");
}

each time I choose to change the view on a link/page is there another code that could be used globally with the link on/off or group view switch?

Thanks! :)
0 replies

15 posts

G
ginny
G
ginny 10
  • Member, joined since
  • Contributed 80 posts on the community forums.
  • Started 31 threads in the forums
answered
Member

very interesting and I checked, your right.
-g
0 replies
J
JoiNNN
J
JoiNNN 10
  • Veteran Member, joined since
  • Contributed 850 posts on the community forums.
  • Started 100 threads in the forums
answered
Veteran Member

Visibility on links does what it says it does, thus it fulfills its purpose.
In other words, is meant to hide some links in the navigation panel and not the pages themselves, is not meant to do that.

However what you ask for will probably be available in the next versions.
If not, it would pretty easy to do it as an infusion, no core mods and stuff, I'll look in to it.
Edited by JoiNNN on 23-03-2012 06:06,
0 replies
M
mlynchl
M
  • Junior Member, joined since
  • Contributed 10 posts on the community forums.
  • Started 2 threads in the forums
  • Started this discussions
answered
Junior Member

Sounds good to me JoiNNN...
I understand the intent of 'hiding' links, but security wise its an issue. We need to have more control over who can see what. After all, not allowing guests to see the member list works, the guest gets redirected when trying to force view member.php...

PHPFusion is by far the most easy CMS to work with, thus why its going to be the most recommended for my business clients! However, on the down side, I can't sell an unsecure product thats simple and easy to use if there is no control over who can do what... Know what I mean?

Anywho, I'll be looking forward to the next release and any code snippits anyone can provide for the mean time :)
0 replies
W
Wanabo
W
Wanabo 10
www.probemyip.com/probe-my-ip-80x15.png
pHp-Fusion.Asia & pHp-Fusion.Fr & pHp-Fusion.Cn are available for a localized support community. Send PB for info.
  • Senior Member, joined since
  • Contributed 598 posts on the community forums.
  • Started 94 threads in the forums
answered
Senior Member

It should be logical when you make contact.php only visable for members in your site links (admin panel) the contact.php cannot accessed directly by guests.

It should be easy to alter all files that are accessed with a line of code that checks the database field "link_visability" in table site_links. And according to grant access according to that settings.

I probably can come up with something, but it will take much time because I'm not a gifted coder. Coder experts think of something in 5 minutes.

I'm a control freak so controlling visibility to links/files in the navigation panel (site links) really should also be controlling access to the files.
0 replies
J
JoiNNN
J
JoiNNN 10
  • Veteran Member, joined since
  • Contributed 850 posts on the community forums.
  • Started 100 threads in the forums
answered
Veteran Member

Ok, I've been working something out, hope you'll find it useful.
- You add the pages as you do with panels exclusion on certain pages.
- Users will get redirected on main page when accessing a disabled page. However SuperAdmins still can access those pages and a warning message will be displayed.

[Download file]

Installation:
- place this file in /includes/ folder
- open /includes/header_includes.php file and add: include INCLUDES."disable_pages.php";
- go to Settings > Main, click Enable button on 'Disable Pages' section and add your pages
JoiNNN attached the following file:
disable_pages.zip [No information available / 415 Downloads]
0 replies
W
Wanabo
W
Wanabo 10
www.probemyip.com/probe-my-ip-80x15.png
pHp-Fusion.Asia & pHp-Fusion.Fr & pHp-Fusion.Cn are available for a localized support community. Send PB for info.
  • Senior Member, joined since
  • Contributed 598 posts on the community forums.
  • Started 94 threads in the forums
answered
Senior Member

I was more thinking of:

[syntaxhighlighter brush=php,first-line=1,highlight=0,collapse=false,html-script=false]
if ($global['link_visability'] != 0) {
redirect("index.php"wink;
}[/syntaxhighlighter]

NOT TESTED

But then you have to modify all files which you want to protect. Perhaps something for a next version.

Your solution is easier.
0 replies
M
mlynchl
M
  • Junior Member, joined since
  • Contributed 10 posts on the community forums.
  • Started 2 threads in the forums
  • Started this discussions
answered
Junior Member

I've been working on a file that tests the database link_visibility against the users user_level and user_group. Obviously we don't want users not a part of a cirtain group to have access to pages only for that group...

My file gets included in the maincore.php file and the page redirection seems to work for guests so far... Here's what I have that works:
require_once "pgdeny.php";

I use HTMLKit, and I added this to line 1533 which is after all iMEMBER iGUEST settings are checked.

This is in the pgdeny.php that works for guests so far, I'm not including what I have been working on for members yet...
<?php

if (!defined("IN_FUSION")) { die("Access Denied"); }

$furl = FUSION_SELF;
$auser = $userdata['user_name'];

$getgid = dbquery(
   "SELECT link_name, link_url, link_visibility FROM ".DB_SITE_LINKS."
   WHERE link_url='$furl'"
   
);
$gid = dbarray($getgid);
$puid = $gid['link_visibility'] ;

$getugid = dbquery(
  "SELECT user_groups, user_level FROM ".DB_USERS."
   WHERE user_name='$auser'"
   );
   
$gotuid = dbarray($getugid);
$ulid = $gotuid['user_level'];
$ugid = substr($gotuid['user_groups'],1);

//$puid = The page visibility ID

//$ugid = The user GROUP ID

//$ulid = The user LEVEL ID
if (iGUEST) {
  if ($puid > '0')
   redirect("index.php");
}
?>


I'm having trouble with the operators and what not for iMEMBER / iUSER_GROUPS... I'm not a coder and the above took almost 16hrs just to get guests to work....

The other issue is getting the links that FUSION_SELF doesn't get, like infusions/aw_ecal_panel/calendar.php?cal=month&
FUSION_SELF only gets the first file name like news.php or articles.php...

I apreciate everyone helping out on this, I think once we get PHP_Fusion secured, we'll have more peace of mind! lol

BTW, feel free to add to my code... I'm not a huge license freak, but I'll be adding the right notices to the files once its final :)
0 replies
J
JoiNNN
J
JoiNNN 10
  • Veteran Member, joined since
  • Contributed 850 posts on the community forums.
  • Started 100 threads in the forums
answered
Veteran Member

Quote

mlynchl wrote:

The other issue is getting the links that FUSION_SELF doesn't get, like infusions/aw_ecal_panel/calendar.php?cal=month&
FUSION_SELF only gets the first file name like news.php or articles.php...


This is what you are looking for:
echo TRUE_PHP_SELF.(FUSION_QUERY ? "?".FUSION_QUERY : ""wink;

Having a url like this: somesite.com/fusion/forum/viewthread.php?thread_id=1&pid=2
- TRUE_PHP_SELF will get /forum/viewthread.php
- (FUSION_QUERY ? "?".FUSION_QUERY : ""wink will get ?thread_id=1&pid=2
and combined you get /forum/viewthread.php?thread_id=1&pid=2

Have a look in /themes/templates/panels.php for more code examples, you'll find exactly what you are looking for there.
0 replies
T
Tyler
T
Tyler 10
Helping, would be pointing you in the right direction, not doing it all for you.
  • Member, joined since
  • Contributed 198 posts on the community forums.
  • Started 3 threads in the forums
answered
Member

Or just use FUSION_REQUEST
0 replies
J
JoiNNN
J
JoiNNN 10
  • Veteran Member, joined since
  • Contributed 850 posts on the community forums.
  • Started 100 threads in the forums
answered
Veteran Member

FUSION_REQUEST is better if you have Fusion installed in main folder.
Given the example above FUSION_REQUEST will result as /fusion/forum/viewthread.php?thread_id=1&pid=2
0 replies
M
mlynchl
M
  • Junior Member, joined since
  • Contributed 10 posts on the community forums.
  • Started 2 threads in the forums
  • Started this discussions
answered
Junior Member

Well so far what I have works for guests, members and members part of a group, however there is something not working right when I try to use FUSION_REQUEST or TRUE_PHP_SELF as the database search, I used echo to view these and they start with a / so I had that removed using substr but still didn't work... So for now, what I have will work on PHP_Fusion's main pages that doesn't have a directory included in the link, like forum/index.php, but works on everything else like faq.php and contact.php

As above, add this to line 1533 in maincore.php

require_once "pgdeny.php";

And add this to pgdeny.php in the main fusion folder.

<?php

if (!defined("IN_FUSION")) { die("Access Denied"); }

if ((!iSUPERADMIN) || (!iADMIN)) {

$furl = FUSION_SELF;
$auser = $userdata['user_name'];


$getgid = dbquery(
   "SELECT link_name, link_url, link_visibility FROM ".DB_SITE_LINKS."
   WHERE link_url='$furl'"
   
);
$gid = dbarray($getgid);
$puid = $gid['link_visibility'] ;

$getugid = dbquery(
  "SELECT user_groups, user_level FROM ".DB_USERS."
   WHERE user_name='$auser'"
   );
   
$gotuid = dbarray($getugid);
$ulid = $gotuid['user_level'];
$ugid = substr($gotuid['user_groups'],1);

//$puid = The page visibility ID

//$ugid = The user GROUP ID

//$ulid = The user LEVEL ID

if (iGUEST) {
  if ($puid > '0')
   redirect("index.php");
}
if ((iMEMBER) && (!iUSER_GROUPS)){
    if ($puid > '0' && $puid < '101')
   
    redirect("index.php");
   
    if ($puid > $ulid) redirect("index.php");
}
if (iUSER_GROUPS) {
    if ($puid > '0' && $puid < '101') {

          if ($ugid != $puid)
         redirect("index.php");
         }
         if ($puid > '101')
         redirect("index.php");
}
}
?>


Please feel free to add more input and inform me of any glitches. Like I said, I know it doesn't work for custom pages and any links that lead to a directory/file

I have tried the examples you all gave me to replace FUSION_SELF but for some reason the mySQL database isn't accepting those either, so feel free to play with the code!

Thank you everyone for your help!

PS at least this code will keep guests from sending messages via Contact.php!
Edited by mlynchl on 27-03-2012 18:15,
0 replies
S
smokeman
S
  • Veteran Member, joined since
  • Contributed 920 posts on the community forums.
  • Started 79 threads in the forums
answered
Veteran Member

Quote

JoiNNN wrote:

Installation:
- place this file in /includes/ folder
- open /includes/header_includes.php file and add: include INCLUDES."disable_pages.php";
- go to Settings > Main, click Enable button on 'Disable Pages' section and add your pages


Hi JoiNNN.

I done what you wrote but I can't see the new field in Admin> Main

I get an error in the log on all adminpages too, except on the mainsettings page:

Quote

Use of undefined constant TRUE_PHP_SELF - assumed 'TRUE_PHP_SELF' Linje: 28
0 replies
J
JoiNNN
J
JoiNNN 10
  • Veteran Member, joined since
  • Contributed 850 posts on the community forums.
  • Started 100 threads in the forums
answered
Veteran Member

@smokeman
I've wrote/tested the code on 7.02.04, haven't tested other versions.

About the error, TRUE_PHP_SELF is defined in the maincore.php, if you get an undefined error you might have an older version of Fusion.
Edited by JoiNNN on 27-03-2012 19:33,
0 replies
M
mlynchl
M
  • Junior Member, joined since
  • Contributed 10 posts on the community forums.
  • Started 2 threads in the forums
  • Started this discussions
answered
Junior Member

Quote

JoiNNN wrote:

@smokeman
I've wrote/tested the code on 7.02.04, haven't tested other versions.


I guess I should point out that the code I provided is also only tested and used for version 7.2.4 as well...

Thanks JoiNNN!!
0 replies
J
JoiNNN
J
JoiNNN 10
  • Veteran Member, joined since
  • Contributed 850 posts on the community forums.
  • Started 100 threads in the forums
answered
Veteran Member

Quote

mlynchl wrote:

Well so far what I have works for guests, members and members part of a group, however there is something not working right when I try to use FUSION_REQUEST or TRUE_PHP_SELF as the database search, I used echo to view these and they start with a / so I had that removed using substr but still didn't work... So for now, what I have will work on PHP_Fusion's main pages that doesn't have a directory included in the link, like forum/index.php, but works on everything else like faq.php and contact.php


@mlynchl
You ignored my post here.
Always look thru core files for code snippets and how they do stuff.

Here is the complete code to restrict pages based on link visibility, place it inside includes/header_includes.php
[syntaxhighlighter brush=php,first-line=1,highlight=0,collapse=false,html-script=false]$page = TRUE_PHP_SELF.(FUSION_QUERY ? "?".FUSION_QUERY : ""wink;
$page = preg_replace('/\//', '', $page, 1); // remove first slash

$result = dbquery("
SELECT link_url, link_visibility FROM ".DB_SITE_LINKS."
WHERE link_url LIKE '%".$page."'
AND link_url NOT LIKE '---'
AND link_url NOT LIKE '%tp%://%'
"wink;

if (dbrows($result)) {
while ($data = dbarray($result)) {
if (!checkgroup($data['link_visibility'])) {
redirect(BASEDIR."index.php"wink;
}
}
}[/syntaxhighlighter]
_______
For those still interested in disabling certain pages/sections of the site should also have at this addon by Philip.
Remember to change TYPE=MyISAM to ENGINE=MyISAM in infusion.php if you are getting any errors.
_______
Edited by JoiNNN on 29-03-2012 22:09,
0 replies

Labels

None yet

Statistics

  • Views 0 views
  • Posts 15 posts
  • Votes 0 votes
  • Topic users 6 members

6 participants

G
G
ginny 10
  • Member, joined since
  • Contributed 80 posts on the community forums.
  • Started 31 threads in the forums
W
W
Wanabo 10
www.probemyip.com/probe-my-ip-80x15.png
pHp-Fusion.Asia & pHp-Fusion.Fr & pHp-Fusion.Cn are available for a localized support community. Send PB for info.
  • Senior Member, joined since
  • Contributed 598 posts on the community forums.
  • Started 94 threads in the forums
S
S
  • Veteran Member, joined since
  • Contributed 920 posts on the community forums.
  • Started 79 threads in the forums
J
J
JoiNNN 10
  • Veteran Member, joined since
  • Contributed 850 posts on the community forums.
  • Started 100 threads in the forums
T
T
Tyler 10
Helping, would be pointing you in the right direction, not doing it all for you.
  • Member, joined since
  • Contributed 198 posts on the community forums.
  • Started 3 threads in the forums
M
M
  • Junior Member, joined since
  • Contributed 10 posts on the community forums.
  • Started 2 threads in the forums
  • Started this discussions

Notifications

Track thread

You are not receiving notifications from this thread.

Related Questions

Not yet