adrian

Page Protector

Recommended Posts

16 minutes ago, adrian said:

If everyone has the same login username, then absolutely - that is what the session login throttle is designed to do. I think your quickest solution will be to disable the SessionLoginThrottle module.

Just wanted to get that option to you quickly - I'll post some better solutions in a minute.

I just testet it and now it seems to work fine!
Thanks for your support! 
I have deactivated the SessionLoginThrottle module. Is this bad for security reasons or is it save to leave it deactivated?

Share this post


Link to post
Share on other sites
1 minute ago, jploch said:

I have deactivated the SessionLoginThrottle module. Is this bad for security reasons or is it save to leave it deactivated?

No, you shouldn't leave it deactivated - it is designed to reduce dictionary login attacks.

I have just messaged Ryan to see if I can find out more about the behavior of the module also recording successful logins. If that can't be changed, then you may need to set up your own access control if you want to give all users just one login account. Stay tuned - I don't want to send you down the path of setting up something else until I hear from Ryan about the behavior of this module.

  • Like 2

Share this post


Link to post
Share on other sites

Around line 672 when checking template files you could add the $config->templateExtension too, eg.

if (!$item->isDir() && in_array(pathinfo($item, PATHINFO_EXTENSION), array(wire('config')->templateExtension, 'php', 'inc'))) {

This allows selecting twig/latte/etc files from the module settings.

However I'm still trying to figure out why $loginForm is not available for me (using Latte). Surely it's something in my code, but any chance to add $loginform to page, etc. $this->wire('page')->loginForm = $loginForm (before line 291)? This would allow using the form anywhere in the selected template. I'm using this now and it's working fine.

 

pplf1.png

  • Like 1

Share this post


Link to post
Share on other sites

@adrian

How about adding "required" html5 attributes to username/pass input fields? Plus updated the above screenshot to a non-stock login form :)

  • Like 3

Share this post


Link to post
Share on other sites

Hi @tpr - I have made all those requested changes and also several other updates to the module. Please let me know if you find any problems.

 

  • Like 2

Share this post


Link to post
Share on other sites

Great, thanks! Everything's working fine at first look.

$p->loginForm = $loginForm; // added to allow support for latte

It's not exclusive to Latte as you can use it anywhere in regular PHP templates.

Today I noticed an issue with protecting child pages. Links to child pages under a protected page was accessible to everyone, even though I've checked to protect child pages (at Page level). I've added session redirects to solve it temporarily but I'm curious if this happens for others too.

Also the site search could find content from protected child pages. Is the module taking care of this or should developers handle such cases?

Share this post


Link to post
Share on other sites
2 minutes ago, tpr said:

It's not exclusive to Latte as you can use it anywhere in regular PHP templates.

Sure, it's just a little weird though as $loginForm should work everywhere in regular templates - at least it has in my testing.

 

3 minutes ago, tpr said:

Today I noticed an issue with protecting child pages. Links to child pages under a protected page was accessible to everyone, even though I've checked to protect child pages (at Page level).

No problem here - would you mind doing a little testing in the isProtected() function to see where it might be failing. Is $pagesToCheck including the parent which is protected? Is $this->matchedParent being populated with this page? etc

 

9 minutes ago, tpr said:

Also the site search could find content from protected child pages. Is the module taking care of this or should developers handle such cases?

This module is designed to protect access to pages - I am not sure that it should actually prevent pages from being found. I am happy to revisit though if you think otherwise - it should be easy enough to do.

  • Like 1

Share this post


Link to post
Share on other sites

Ok, I'll check what could cause child pages being accessible, probably a few days later.

If it's not too complicated I would welcome an option to exclude protected pages from being found. If I lock a room for a reason I don't want anyone to sneak in through the window :)

  • Like 2

Share this post


Link to post
Share on other sites
1 minute ago, tpr said:

If I lock a room for a reason I don't want anyone to slip in through the window

Yeah, but they won't be able to get in the window, they'll just be able to see the curtains :) 

I would think you'd still want your users to be able to search for the members area - no?

Share this post


Link to post
Share on other sites

Sure, they could only have a peek :)

In this particular project it's not relevant if users could find the Members Area or not, but in general yes, it should be findable.

Share this post


Link to post
Share on other sites
1 minute ago, tpr said:

but in general yes, it should be findable

So doesn't that mean that you agree that there isn't a need to prevent search from finding protected pages?

I guess perhaps it all depends on what you are returning on your search page - if you are providing a preview of some of the content, then I guess this becomes an issue. I guess I'll make it configurable.

BTW - thanks for looking into the child pages issue - I can't imagine why it's not working at your end.

Share this post


Link to post
Share on other sites

Yes, it depends. Perhaps only its title should be findable though I guess this adds another level of complexity. Does the module add a page property eg isProtected to let devs handle this? Sorry I can't look into the code atm.

What's more important imo is to exclude child pages from search, if they are also protected. Perhaps the abovementioned isProtected property could help here too.

  • Like 2

Share this post


Link to post
Share on other sites

@tpr - I am attaching a new version of the module which rejigs things a bit. It now lets you do:

if($page->protected()) {

It returns false or the id of the page that is protecting the checked page, which could be itself, or the closest protected parent.

This should let you handle your search results however you want. 

I thought about automatically removing protected pages from results, but I think there are just too many contingencies to do it this way - I think it makes more sense to let the dev handle it via protected()

Please let me know how this goes and also if it by chance fixes your issue with child pages not being protected.

 

PageProtector.zip

  • Like 3

Share this post


Link to post
Share on other sites

Thanks!

Search results

I can easily exclude the protected pages now but I guess there's no way I could exclude them in the initial $pages->find() query, where search results are populated. This leads to improper number of results if I exclude pages when outputting the results list, or if I filter them in memory beforehands then pagination will broke. This is no surprise because $page->protected is not a page field so I cannot use "protected=''" in the selector. I've tried using addHookProperty but $pages->find() doesn't respect that ($page->protected worked fine though).

Anyway, I can live with it - but please correct me if I'm missing something.

Child pages

In case of child page protection I found that if I set no template in the module settings, then the protected child page loads with the loginForm, which is the expected behaviour. This unfortunately doesn't fit my current needs because I would prefer only one login page for members, so that's why I do a redirect:

if ($page->id !== $memberLoginPage->id && $page->protected() && !($user->isSuperUser() || $user->hasRole('member'))) {
    $session->redirect($memberLoginPage->url);
    $this->halt();
}

Would it be possible to have an option under "Protect child pages" like "Redirect to protected parent on direct access"?

  • Like 3

Share this post


Link to post
Share on other sites

Hey @tpr - thanks for the report.

I'll take a look at the issue with protected() and trying to make the property available in find() selectors - not sure if this is possible or not.

Regarding the child issue - it is working here if use the default login form and also if I choose a login template - that is both options seem to be working fine. Perhaps it's a Latte issue when using wireRenderFile like I am around line 304 ?

1 hour ago, tpr said:

This unfortunately doesn't fit my current needs because I would prefer only one login page for members, so that's why I do a redirect

I don't really understand this - users should see the same login form no matter what page they try to visit (because it renders the template you have chosen) - I don't see any reason to redirect - again, maybe a latte issue? Any chance you could try the module without latte just to see if everything works as expected? Maybe I am still not understanding though?

  • Like 1

Share this post


Link to post
Share on other sites

@tpr - just had a quick play with a protected property and selectors. Runtime properties only work with in memory page arrays, so you would have to do:

$allResults = $pages->find("template=basic-page");
$notProtectedResults = $allResults->find("protected=0");

I think you already figured this out :)

Anyway, that example works with the attached version.

What are your thoughts on the best approach here? 

 

 

PageProtector.zip

  • Like 2

Share this post


Link to post
Share on other sites
5 hours ago, tpr said:

I can easily exclude the protected pages now but I guess there's no way I could exclude them in the initial $pages->find() query

I guess you could add a couple of hidden fields to your page templates to store the "Protect children" and "Allowed roles" values using a save hook. Then make use of these fields in your find selector.

Share this post


Link to post
Share on other sites
2 minutes ago, Robin S said:

I guess you could add a couple of hidden fields to your page templates to store the "Protect children" and "Allowed roles" values using a save hook. Then make use of these fields in your find selector.

Yeah,  I was hoping to avoid that - I never like polluting all templates with settings type fields if I can avoid it, but maybe in this case it is the only option. I guess if it's set to hidden and system so it can't be manually deleted (but deletion is taken care of during module uninstall), and its checked status would be toggled when checking the "Protect this page" checkbox on the Settings tab, then it wouldn't be too invasive. The other catch of course is that protecting a parent that has thousands or more children could result in a very slow page save because it would need to update the status of all those children as well.

Share this post


Link to post
Share on other sites
4 minutes ago, adrian said:

Yeah,  I was hoping to avoid that

Sorry, I wasn't proposing that as a module feature - just a suggestion for @tpr to consider. I think it's something that most users don't need so I agree it shouldn't be implemented by the module.

7 minutes ago, adrian said:

The other catch of course is that protecting a parent that has thousands or more children could result in a very slow page save because it would need to update the status of all those children as well.

Rather than do that I was thinking a person would use has_parent in their $pages->find() selector.

$page_protects_children = implode('|', $pages->findIDs("protect_children=1"));
$results = $pages->find("has_parent!=$page_protects_children"); // actual selector would have more conditions

 

  • Like 1

Share this post


Link to post
Share on other sites

Adding a field manually should work, thanks. As I wrote, memory selectors would make pagination to fail, but with the extra field it will be OK. I only need to add it to the protected parent and use has_parent.

I'll check the child issue without latte too.

I need the redirect because if one tries to access a child page by knowing its url, I would like redirect him to the protected parent. This page has different template with the login form.

  • Like 1

Share this post


Link to post
Share on other sites

Child page protection is kinda working OK but there's an issue if you select a login template and use fields that are also available on the child pages, eg. $page->body, which is quite common. Sensitive data may be rendered (eg. with $page->body), because the actual (child) page fields are passed to the login template file.

One needs to check $page->loginForm (or $loginform, $page->protected/protected()) and display the form or other page content. In such cases a redirect to protected parent (the login page) would be safer.

Btw you uploaded the "ProtectedMode" module here, is that intentional?

ppcp.gif

ppcpt.png

Share this post


Link to post
Share on other sites
12 minutes ago, tpr said:

OK but there's an issue if you select a login template and use fields that are also available on the child pages

That's not the intention of this approach - the login template you select should be a dedicated template file (it shouldn't really even have a PW template associated with it). The only thing it should echo is the head, footer, etc and $loginForm - that is it! I believe if you follow that approach everything should work as expected and be secure with no need to redirect. Sorry if that's not clear.

 

12 minutes ago, tpr said:

Btw you uploaded the "ProtectedMode" module here, is that intentional?

Sorry about that - silly mistake - I have now replaced it with the PageProtector version I was referencing.

 

 

Share this post


Link to post
Share on other sites

Thanks, that wasn't clear to me reading the module description/notes fields. Perhaps I was thinking in a "redirect mode" instead of wireRenderFile so I thought all other fields will come from the protected parent and not from the actual child page. Maybe it's only me but perhaps a warning text could be added to the description field to not to place other dynamic content to this template file?

Btw, if I would like to add multi-language content before the $loginForm do I need to use $myLoginPage->body or is there another way? (this was the purpose of using $page->body in my login template, having a dynamic text coming from the admin).

Share this post


Link to post
Share on other sites
16 hours ago, tpr said:

Perhaps I was thinking in a "redirect mode" instead of wireRenderFile so I thought all other fields will come from the protected parent and not from the actual child page.

Perhaps I should add another variable ($ppid - protected page id) to the array that is passed to wireRenderFile. This would be the id of the page that is protected, whether that is the current page, or the parent which is protecting it. That way you could do a $pages->get($ppid)->body to get the appropriate text. Would that be useful? Attached version has this if you want to try it out.

Does that idea also help with your multi-language content question? I don't think I am totally following what you need there.

PageProtector.zip

  • Like 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By bernhard
      WHY?
      This module was built to fill the gap between simple $pages->find() operations and complex SQL queries.
      The problem with $pages->find() is that it loads all pages into memory and that can be a problem when querying multiple thousands of pages. Even $pages->findMany() loads all pages into memory and therefore is a lot slower than regular SQL.
      The problem with SQL on the other hand is, that the queries are quite complex to build. All fields are separate tables, some repeatable fields use multiple rows for their content that belong to only one single page, you always need to check for the page status (which is not necessary on regular find() operations and therefore nobody is used to that).
      In short: It is far too much work to efficiently and easily get an array of data based on PW pages and fields and I need that a lot for my RockGrid module to build all kinds of tabular data.

      Basic Usage

       
      Docs & Download
      https://modules.processwire.com/modules/rock-finder/
      https://gitlab.com/baumrock/RockFinder/tree/master
       
      Changelog
      180817, v1.0.6, support for joining multiple finders 180810, v1.0.5, basic support for options fields 180528, v1.0.4, add custom select statement option 180516, change sql query method, bump version to 1.0.0 180515, multilang bugfix 180513, beta release <180513, preview/discussion took place here: https://processwire.com/talk/topic/18983-rocksqlfinder-highly-efficient-and-flexible-sql-finder-module/
    • By OLSA
      Hello for all,
      ConfigurationForm fieldtype module is one my experiment from 2016.
      Main target to build this module was to store multiple setup and configuration values in just 1 field and avoid to use 1 db table to store just single "number of items on page", or another db table to store "layout type" etc. Thanks to JSON formatted storage this module can help you to reduce number of PW native fields in project, save DB space, and reduce number of queries at front-end.
      Install and setup:
      Download (at the bottom ), unzip and install like any other PW module (site/modules/...). Create some filed using this type of field (ConfigurationForm Fieldtype) Go to field setup Input tab and drag some subfields to container area (demo). Set "Name" and other params for subfields Save and place field to templates ("Action tab") How to use it:
      In my case, I use it to store setup and configurations values, but also for contact details, small content blocks... (eg. "widgets").
      Basic usage example:
      ConfigForm fieldtype "setup" has subfields:
      "limit", type select, option values: 5, 10, 15, 20
      "sort", type select, option values: "-date", "date",  "-sort", "sort"
      // get page children (items) $limit = isset($page->setup->limit) ? $page->setup->limit : 10; $sort = isset($page->setup->sort) ? $page->setup->sort : '-sort'; $items = $page->children("limit=$limit, sort=$sort");  
      Screenshots:


       
      Notes:
      Provide option to search inside subfields Provide multilanguage inputs for text and textarea field types Provide option for different field layout per-template basis Do not place/use field type "Button" or "File input" because it won't works. Please read README file for more details and examples Module use JSON format to store values. Text and textarea field types are multilanguage compatible, but please note that main target for this module was to store setup values and small content blocks and save DB space. Search part inside JSON is still a relatively new in MySQL (>=5.77) and that's on you how and for what to use this module.
      Thanks:
      Initial point for this fieldtype was jQuery plugin FormBuiled and thanks to Kevin Chappel for this plugin.
      In field type "link" I use javascript part from @marcostoll module and thanks to him for that part.
      Download:
      FieldtypeConfigForm.zip
      Edit: 14. August 2018. please delete/uninstall previously downloaded zip
      Regards.
         
    • By bernhard
      @Sergio asked about the pdf creation process in the showcase thread about my 360° feedback/survey tool and so I went ahead and set my little pdf helper module to public.
      Description from PW Weekly:
       
      Modules Directory: https://modules.processwire.com/modules/rock-pdf/
      Download & Docs: https://gitlab.com/baumrock/RockPdf
       
      You can combine it easily with RockReplacer: 
      See also a little showcase of the RockPdf module in this thread:
       
    • By Thomas Diroll
      Hi guys I'm relatively new to PW and just finished developing a page for a client. I was able to include all necessary functionality using the core fieldtypes but now I it seems that I need to extend them with a custom one. What I need is a simple button, that copies the absolute url (frontend not PW-backend) of the page which is currently edited to the clipboard. As this feature is only needed inside a specific template, I tend to use a custom fieldtype which provides this feature. I've been looking inside the core modules code (eg. FieldtypeCheckbox.module) but I don't really get the structure of it and how its rendered to the admin page. I also didn't find a lot of tutorials covering custom fieldtypes.
      Maybe some of you could give me some tips on how to write a basic custom fieldtype that renders a button which copies the value of
      page->httpUrl() to the clipboard using JS. Thanks!
    • By bernhard
      Some of you might have followed the development of this module here: https://processwire.com/talk/topic/15524-previewdiscussion-rockdatatables/ . It is the successor of "RockDataTables" and requires RockFinder to get the data for the grid easily and efficiently. It uses the open source part of agGrid for grid rendering.
       
      WHY?
      ProcessWire is awesome for creating all kinds of custom backend applications, but where it is not so awesome in my opinion is when it comes to listing this data. Of course we have the built in page lister and we have ListerPro, but none of that solutions is capable of properly displaying large amounts of data, for example lists of revenues, aggregations, quick and easy sorts by the user, instant filter and those kind of features. RockGrid to the rescue 😉 
       
      Features/Highlights:
      100k+ rows Instant (client side) filter, search, sort (different sort based on data type, eg "lower/greater than" for numbers, "contains" for strings) extendable via plugins (available plugins at the moment: fullscreen, csv export, reload, batch-processing of data, column sum/statistics, row selection) all the agGrid features (cell renderers, cell styling, pagination, column grouping etc) vanilla javascript, backend and frontend support (though not all plugins are working on the frontend yet and I don't plan to support it as long as I don't need it myself)  
      Limitations:
      While there is an option to retrieve data via AJAX the actual processing of the grid (displaying, filtering, sorting) is done on the client side, meaning that you can get into troubles when handling really large datasets of several thousands of rows. agGrid should be one of the most performant grid options in the world (see the official example page with a 100k row example) and does a lot to prevent problems (such as virtual row rendering), but you should always have this limitation in mind as this is a major difference to the available lister options that do not have this limitation.
      Currently it only supports AdminThemeUikit and I don't plan to support any other admin theme.
       
      Download: https://gitlab.com/baumrock/RockGrid
      Installation: https://gitlab.com/baumrock/RockGrid/wikis/Installation
      Quikckstart: https://gitlab.com/baumrock/RockGrid/wikis/quickstart
      Further instructions: https://gitlab.com/baumrock/RockGrid/wikis/quickstart#further-instructions
       
      Module status: alpha, License: MIT
      Note that every installation and uninstallation sends an anonymous google analytics event to my google analytics account. If you don't want that feel free to remove the appropriate lines of code before installation/uninstallation.
       
      Contribute:
      You can contribute to the development of this and other modules or just say thank you by
      testing, reporting issues and making PRs at gitlab liking this post buying me a drink: paypal.me/baumrock/5 liking my facebook page: facebook.com/baumrock hiring me for pw work: baumrock.com  
      Support: Please note that this module might not be as easy and plug&play as many other modules. It needs a good understanding of agGrid (and JavaScript in general) and it likely needs some looks into the code to get all the options. Please understand that I can not provide free support for every request here in the forum. I try to answer all questions that might also help others or that might improve the module but for individual requests I offer paid support for 60€ per hour.
       
      Changelog
      180730 support subdir installations 180711 bugfix (naming issue) 180630 alpha realease  
      Use Cases / Examples:
      Colored grid cells, Icons, Links etc. The Grid also has a "batcher" feature built in that helps communicating with the server via AJAX and managing resource intensive tasks in batches:

      Filters, PW panel links and instant reload on panel close:

      You can combine the grid with a chart library like I did with the (outdated) RockDataTables module: