Hiding Links Has No Purpose (other than not shown): The Chill Out Zone

Home
Search

Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site, or upgrade to a Web browser that does support JavaScript.

I just found out that hiding links doesn't resolve the issue of not allowing people to view the page the link refers to. e.g.

Contact Me(Us) page link is set to view only by Members and above, yet, a guest can simply type in websiteaddress/contact.php and still access the page to send spam mail if they want!

One of the big reasons for 'hiding' something from someone is to keep them from viewing what you're hiding! Concidering how long PHPFusion has been around, I'm sure the usual hackers/spammers know every link by heart...

Other than using:

Code Download source


if (!iMEMBER) {
   redirect("index.php");
}

each time I choose to change the view on a link/page is there another code that could be used globally with the link on/off or group view switch?

Thanks! :)

0 replies

very interesting and I checked, your right.
-g

0 replies

Visibility on links does what it says it does, thus it fulfills its purpose.
In other words, is meant to hide some links in the navigation panel and not the pages themselves, is not meant to do that.

However what you ask for will probably be available in the next versions.
If not, it would pretty easy to do it as an infusion, no core mods and stuff, I'll look in to it.

Edited by JoiNNN on 23-03-2012 07:06, 12 y

0 replies

Sounds good to me JoiNNN...
I understand the intent of 'hiding' links, but security wise its an issue. We need to have more control over who can see what. After all, not allowing guests to see the member list works, the guest gets redirected when trying to force view member.php...

PHPFusion is by far the most easy CMS to work with, thus why its going to be the most recommended for my business clients! However, on the down side, I can't sell an unsecure product thats simple and easy to use if there is no control over who can do what... Know what I mean?

Anywho, I'll be looking forward to the next release and any code snippits anyone can provide for the mean time :)

0 replies

It should be logical when you make contact.php only visable for members in your site links (admin panel) the contact.php cannot accessed directly by guests.

It should be easy to alter all files that are accessed with a line of code that checks the database field "link_visability" in table site_links. And according to grant access according to that settings.

I probably can come up with something, but it will take much time because I'm not a gifted coder. Coder experts think of something in 5 minutes.

I'm a control freak so controlling visibility to links/files in the navigation panel (site links) really should also be controlling access to the files.

0 replies

Ok, I've been working something out, hope you'll find it useful.
- You add the pages as you do with panels exclusion on certain pages.
- Users will get redirected on main page when accessing a disabled page. However SuperAdmins still can access those pages and a warning message will be displayed.

[Download file]

Installation:
- place this file in /includes/ folder
- open /includes/header_includes.php file and add: include INCLUDES."disable_pages.php";
- go to Settings > Main, click Enable button on 'Disable Pages' section and add your pages

JoiNNN attached the following file:

disable_pages.zip [No information available / 415 Downloads]

0 replies

I was more thinking of:

[syntaxhighlighter brush=php,first-line=1,highlight=0,collapse=false,html-script=false]
if ($global['link_visability'] != 0) {
redirect("index.php"

;
}[/syntaxhighlighter]

NOT TESTED

But then you have to modify all files which you want to protect. Perhaps something for a next version.

Your solution is easier.

0 replies

I've been working on a file that tests the database link_visibility against the users user_level and user_group. Obviously we don't want users not a part of a cirtain group to have access to pages only for that group...

My file gets included in the maincore.php file and the page redirection seems to work for guests so far... Here's what I have that works:

Code Download source

require_once "pgdeny.php";

I use HTMLKit, and I added this to line 1533 which is after all iMEMBER iGUEST settings are checked.

This is in the pgdeny.php that works for guests so far, I'm not including what I have been working on for members yet...

Code Download source

<?php

if (!defined("IN_FUSION")) { die("Access Denied"); }

$furl = FUSION_SELF;
$auser = $userdata['user_name'];

$getgid = dbquery(
   "SELECT link_name, link_url, link_visibility FROM ".DB_SITE_LINKS."
   WHERE link_url='$furl'"
   
);
$gid = dbarray($getgid);
$puid = $gid['link_visibility'] ;

$getugid = dbquery(
  "SELECT user_groups, user_level FROM ".DB_USERS."
   WHERE user_name='$auser'"
   );
   
$gotuid = dbarray($getugid);
$ulid = $gotuid['user_level'];
$ugid = substr($gotuid['user_groups'],1);

//$puid = The page visibility ID

//$ugid = The user GROUP ID

//$ulid = The user LEVEL ID
if (iGUEST) {
  if ($puid > '0') 
   redirect("index.php");
}
?>

I'm having trouble with the operators and what not for iMEMBER / iUSER_GROUPS... I'm not a coder and the above took almost 16hrs just to get guests to work....

The other issue is getting the links that FUSION_SELF doesn't get, like infusions/aw_ecal_panel/calendar.php?cal=month&
FUSION_SELF only gets the first file name like news.php or articles.php...

I apreciate everyone helping out on this, I think once we get PHP_Fusion secured, we'll have more peace of mind! lol

BTW, feel free to add to my code... I'm not a huge license freak, but I'll be adding the right notices to the files once its final :)

0 replies

Quote

mlynchl wrote:

The other issue is getting the links that FUSION_SELF doesn't get, like infusions/aw_ecal_panel/calendar.php?cal=month&
FUSION_SELF only gets the first file name like news.php or articles.php...

This is what you are looking for:
echo TRUE_PHP_SELF.(FUSION_QUERY ? "?".FUSION_QUERY : "";

Having a url like this: somesite.com/fusion/forum/viewthread.php?thread_id=1&pid=2
- TRUE_PHP_SELF will get /forum/viewthread.php
- (FUSION_QUERY ? "?".FUSION_QUERY : ""

will get ?thread_id=1&pid=2
and combined you get /forum/viewthread.php?thread_id=1&pid=2

Have a look in /themes/templates/panels.php for more code examples, you'll find exactly what you are looking for there.

0 replies

Or just use FUSION_REQUEST

0 replies

FUSION_REQUEST is better if you have Fusion installed in main folder.
Given the example above FUSION_REQUEST will result as /fusion/forum/viewthread.php?thread_id=1&pid=2

0 replies

Well so far what I have works for guests, members and members part of a group, however there is something not working right when I try to use FUSION_REQUEST or TRUE_PHP_SELF as the database search, I used echo to view these and they start with a / so I had that removed using substr but still didn't work... So for now, what I have will work on PHP_Fusion's main pages that doesn't have a directory included in the link, like forum/index.php, but works on everything else like faq.php and contact.php

As above, add this to line 1533 in maincore.php

Code Download source


require_once "pgdeny.php";

And add this to pgdeny.php in the main fusion folder.

Code Download source


<?php

if (!defined("IN_FUSION")) { die("Access Denied"); }

if ((!iSUPERADMIN) || (!iADMIN)) {

$furl = FUSION_SELF;
$auser = $userdata['user_name'];


$getgid = dbquery(
   "SELECT link_name, link_url, link_visibility FROM ".DB_SITE_LINKS."
   WHERE link_url='$furl'"
   
);
$gid = dbarray($getgid);
$puid = $gid['link_visibility'] ;

$getugid = dbquery(
  "SELECT user_groups, user_level FROM ".DB_USERS."
   WHERE user_name='$auser'"
   );
   
$gotuid = dbarray($getugid);
$ulid = $gotuid['user_level'];
$ugid = substr($gotuid['user_groups'],1);

//$puid = The page visibility ID

//$ugid = The user GROUP ID

//$ulid = The user LEVEL ID

if (iGUEST) {
  if ($puid > '0') 
   redirect("index.php");
}
if ((iMEMBER) && (!iUSER_GROUPS)){
    if ($puid > '0' && $puid < '101')
    
    redirect("index.php");
    
    if ($puid > $ulid) redirect("index.php");
}
if (iUSER_GROUPS) {
    if ($puid > '0' && $puid < '101') {

          if ($ugid != $puid) 
         redirect("index.php");
         }
         if ($puid > '101')
         redirect("index.php");
}
}
?>

Please feel free to add more input and inform me of any glitches. Like I said, I know it doesn't work for custom pages and any links that lead to a directory/file

I have tried the examples you all gave me to replace FUSION_SELF but for some reason the mySQL database isn't accepting those either, so feel free to play with the code!

Thank you everyone for your help!

PS at least this code will keep guests from sending messages via Contact.php!

Edited by mlynchl on 27-03-2012 19:15, 12 y

0 replies

Quote

JoiNNN wrote:

Installation:
- place this file in /includes/ folder
- open /includes/header_includes.php file and add: include INCLUDES."disable_pages.php";
- go to Settings > Main, click Enable button on 'Disable Pages' section and add your pages

Hi JoiNNN.

I done what you wrote but I can't see the new field in Admin> Main

I get an error in the log on all adminpages too, except on the mainsettings page:

Quote

Use of undefined constant TRUE_PHP_SELF - assumed 'TRUE_PHP_SELF' Linje: 28

0 replies

@smokeman
I've wrote/tested the code on 7.02.04, haven't tested other versions.

About the error, TRUE_PHP_SELF is defined in the maincore.php, if you get an undefined error you might have an older version of Fusion.

Edited by JoiNNN on 27-03-2012 20:33, 12 y

0 replies

Quote

JoiNNN wrote:

@smokeman
I've wrote/tested the code on 7.02.04, haven't tested other versions.

I guess I should point out that the code I provided is also only tested and used for version 7.2.4 as well...

Thanks JoiNNN!!

0 replies

Quote

mlynchl wrote:

Well so far what I have works for guests, members and members part of a group, however there is something not working right when I try to use FUSION_REQUEST or TRUE_PHP_SELF as the database search, I used echo to view these and they start with a / so I had that removed using substr but still didn't work... So for now, what I have will work on PHP_Fusion's main pages that doesn't have a directory included in the link, like forum/index.php, but works on everything else like faq.php and contact.php

@mlynchl
You ignored my post here.
Always look thru core files for code snippets and how they do stuff.

Here is the complete code to restrict pages based on link visibility, place it inside includes/header_includes.php
[syntaxhighlighter brush=php,first-line=1,highlight=0,collapse=false,html-script=false]$page = TRUE_PHP_SELF.(FUSION_QUERY ? "?".FUSION_QUERY : ""

;
$page = preg_replace('/\//', '', $page, 1); // remove first slash

$result = dbquery("
SELECT link_url, link_visibility FROM ".DB_SITE_LINKS."
WHERE link_url LIKE '%".$page."'
AND link_url NOT LIKE '---'
AND link_url NOT LIKE '%tp%://%'
"

;

if (dbrows($result)) {
while ($data = dbarray($result)) {
if (!checkgroup($data['link_visibility'])) {
redirect(BASEDIR."index.php"

;
}
}
}[/syntaxhighlighter]
_______
For those still interested in disabling certain pages/sections of the site should also have at this addon by Philip.
Remember to change TYPE=MyISAM to ENGINE=MyISAM in infusion.php if you are getting any errors.
_______

Edited by JoiNNN on 29-03-2012 23:09, 12 y

0 replies

Category Forum

Announcements & Security Issues

Labels

None yet

Statistics

Views 0 views
Posts 15 posts
Votes 0 votes
Topic users 6 members

6 participants

Notifications

Track thread

You are not receiving notifications from this thread.

Hiding Links Has No Purpose (other than not shown)

15 posts

PHPFusion

Resources

Community

Development