adrian

Page Protector

Recommended Posts

16 minutes ago, adrian said:

If everyone has the same login username, then absolutely - that is what the session login throttle is designed to do. I think your quickest solution will be to disable the SessionLoginThrottle module.

Just wanted to get that option to you quickly - I'll post some better solutions in a minute.

I just testet it and now it seems to work fine!
Thanks for your support! 
I have deactivated the SessionLoginThrottle module. Is this bad for security reasons or is it save to leave it deactivated?

Share this post


Link to post
Share on other sites
1 minute ago, jploch said:

I have deactivated the SessionLoginThrottle module. Is this bad for security reasons or is it save to leave it deactivated?

No, you shouldn't leave it deactivated - it is designed to reduce dictionary login attacks.

I have just messaged Ryan to see if I can find out more about the behavior of the module also recording successful logins. If that can't be changed, then you may need to set up your own access control if you want to give all users just one login account. Stay tuned - I don't want to send you down the path of setting up something else until I hear from Ryan about the behavior of this module.

  • Like 2

Share this post


Link to post
Share on other sites

Around line 672 when checking template files you could add the $config->templateExtension too, eg.

if (!$item->isDir() && in_array(pathinfo($item, PATHINFO_EXTENSION), array(wire('config')->templateExtension, 'php', 'inc'))) {

This allows selecting twig/latte/etc files from the module settings.

However I'm still trying to figure out why $loginForm is not available for me (using Latte). Surely it's something in my code, but any chance to add $loginform to page, etc. $this->wire('page')->loginForm = $loginForm (before line 291)? This would allow using the form anywhere in the selected template. I'm using this now and it's working fine.

 

pplf1.png

  • Like 1

Share this post


Link to post
Share on other sites

@adrian

How about adding "required" html5 attributes to username/pass input fields? Plus updated the above screenshot to a non-stock login form :)

  • Like 3

Share this post


Link to post
Share on other sites

Hi @tpr - I have made all those requested changes and also several other updates to the module. Please let me know if you find any problems.

 

  • Like 2

Share this post


Link to post
Share on other sites

Great, thanks! Everything's working fine at first look.

$p->loginForm = $loginForm; // added to allow support for latte

It's not exclusive to Latte as you can use it anywhere in regular PHP templates.

Today I noticed an issue with protecting child pages. Links to child pages under a protected page was accessible to everyone, even though I've checked to protect child pages (at Page level). I've added session redirects to solve it temporarily but I'm curious if this happens for others too.

Also the site search could find content from protected child pages. Is the module taking care of this or should developers handle such cases?

Share this post


Link to post
Share on other sites
2 minutes ago, tpr said:

It's not exclusive to Latte as you can use it anywhere in regular PHP templates.

Sure, it's just a little weird though as $loginForm should work everywhere in regular templates - at least it has in my testing.

 

3 minutes ago, tpr said:

Today I noticed an issue with protecting child pages. Links to child pages under a protected page was accessible to everyone, even though I've checked to protect child pages (at Page level).

No problem here - would you mind doing a little testing in the isProtected() function to see where it might be failing. Is $pagesToCheck including the parent which is protected? Is $this->matchedParent being populated with this page? etc

 

9 minutes ago, tpr said:

Also the site search could find content from protected child pages. Is the module taking care of this or should developers handle such cases?

This module is designed to protect access to pages - I am not sure that it should actually prevent pages from being found. I am happy to revisit though if you think otherwise - it should be easy enough to do.

  • Like 1

Share this post


Link to post
Share on other sites

Ok, I'll check what could cause child pages being accessible, probably a few days later.

If it's not too complicated I would welcome an option to exclude protected pages from being found. If I lock a room for a reason I don't want anyone to sneak in through the window :)

  • Like 2

Share this post


Link to post
Share on other sites
1 minute ago, tpr said:

If I lock a room for a reason I don't want anyone to slip in through the window

Yeah, but they won't be able to get in the window, they'll just be able to see the curtains :) 

I would think you'd still want your users to be able to search for the members area - no?

Share this post


Link to post
Share on other sites

Sure, they could only have a peek :)

In this particular project it's not relevant if users could find the Members Area or not, but in general yes, it should be findable.

Share this post


Link to post
Share on other sites
1 minute ago, tpr said:

but in general yes, it should be findable

So doesn't that mean that you agree that there isn't a need to prevent search from finding protected pages?

I guess perhaps it all depends on what you are returning on your search page - if you are providing a preview of some of the content, then I guess this becomes an issue. I guess I'll make it configurable.

BTW - thanks for looking into the child pages issue - I can't imagine why it's not working at your end.

Share this post


Link to post
Share on other sites

Yes, it depends. Perhaps only its title should be findable though I guess this adds another level of complexity. Does the module add a page property eg isProtected to let devs handle this? Sorry I can't look into the code atm.

What's more important imo is to exclude child pages from search, if they are also protected. Perhaps the abovementioned isProtected property could help here too.

  • Like 2

Share this post


Link to post
Share on other sites

@tpr - I am attaching a new version of the module which rejigs things a bit. It now lets you do:

if($page->protected()) {

It returns false or the id of the page that is protecting the checked page, which could be itself, or the closest protected parent.

This should let you handle your search results however you want. 

I thought about automatically removing protected pages from results, but I think there are just too many contingencies to do it this way - I think it makes more sense to let the dev handle it via protected()

Please let me know how this goes and also if it by chance fixes your issue with child pages not being protected.

 

PageProtector.zip

  • Like 3

Share this post


Link to post
Share on other sites

Thanks!

Search results

I can easily exclude the protected pages now but I guess there's no way I could exclude them in the initial $pages->find() query, where search results are populated. This leads to improper number of results if I exclude pages when outputting the results list, or if I filter them in memory beforehands then pagination will broke. This is no surprise because $page->protected is not a page field so I cannot use "protected=''" in the selector. I've tried using addHookProperty but $pages->find() doesn't respect that ($page->protected worked fine though).

Anyway, I can live with it - but please correct me if I'm missing something.

Child pages

In case of child page protection I found that if I set no template in the module settings, then the protected child page loads with the loginForm, which is the expected behaviour. This unfortunately doesn't fit my current needs because I would prefer only one login page for members, so that's why I do a redirect:

if ($page->id !== $memberLoginPage->id && $page->protected() && !($user->isSuperUser() || $user->hasRole('member'))) {
    $session->redirect($memberLoginPage->url);
    $this->halt();
}

Would it be possible to have an option under "Protect child pages" like "Redirect to protected parent on direct access"?

  • Like 3

Share this post


Link to post
Share on other sites

Hey @tpr - thanks for the report.

I'll take a look at the issue with protected() and trying to make the property available in find() selectors - not sure if this is possible or not.

Regarding the child issue - it is working here if use the default login form and also if I choose a login template - that is both options seem to be working fine. Perhaps it's a Latte issue when using wireRenderFile like I am around line 304 ?

1 hour ago, tpr said:

This unfortunately doesn't fit my current needs because I would prefer only one login page for members, so that's why I do a redirect

I don't really understand this - users should see the same login form no matter what page they try to visit (because it renders the template you have chosen) - I don't see any reason to redirect - again, maybe a latte issue? Any chance you could try the module without latte just to see if everything works as expected? Maybe I am still not understanding though?

  • Like 1

Share this post


Link to post
Share on other sites

@tpr - just had a quick play with a protected property and selectors. Runtime properties only work with in memory page arrays, so you would have to do:

$allResults = $pages->find("template=basic-page");
$notProtectedResults = $allResults->find("protected=0");

I think you already figured this out :)

Anyway, that example works with the attached version.

What are your thoughts on the best approach here? 

 

 

PageProtector.zip

  • Like 2

Share this post


Link to post
Share on other sites
5 hours ago, tpr said:

I can easily exclude the protected pages now but I guess there's no way I could exclude them in the initial $pages->find() query

I guess you could add a couple of hidden fields to your page templates to store the "Protect children" and "Allowed roles" values using a save hook. Then make use of these fields in your find selector.

Share this post


Link to post
Share on other sites
2 minutes ago, Robin S said:

I guess you could add a couple of hidden fields to your page templates to store the "Protect children" and "Allowed roles" values using a save hook. Then make use of these fields in your find selector.

Yeah,  I was hoping to avoid that - I never like polluting all templates with settings type fields if I can avoid it, but maybe in this case it is the only option. I guess if it's set to hidden and system so it can't be manually deleted (but deletion is taken care of during module uninstall), and its checked status would be toggled when checking the "Protect this page" checkbox on the Settings tab, then it wouldn't be too invasive. The other catch of course is that protecting a parent that has thousands or more children could result in a very slow page save because it would need to update the status of all those children as well.

Share this post


Link to post
Share on other sites
4 minutes ago, adrian said:

Yeah,  I was hoping to avoid that

Sorry, I wasn't proposing that as a module feature - just a suggestion for @tpr to consider. I think it's something that most users don't need so I agree it shouldn't be implemented by the module.

7 minutes ago, adrian said:

The other catch of course is that protecting a parent that has thousands or more children could result in a very slow page save because it would need to update the status of all those children as well.

Rather than do that I was thinking a person would use has_parent in their $pages->find() selector.

$page_protects_children = implode('|', $pages->findIDs("protect_children=1"));
$results = $pages->find("has_parent!=$page_protects_children"); // actual selector would have more conditions

 

  • Like 1

Share this post


Link to post
Share on other sites

Adding a field manually should work, thanks. As I wrote, memory selectors would make pagination to fail, but with the extra field it will be OK. I only need to add it to the protected parent and use has_parent.

I'll check the child issue without latte too.

I need the redirect because if one tries to access a child page by knowing its url, I would like redirect him to the protected parent. This page has different template with the login form.

  • Like 1

Share this post


Link to post
Share on other sites

Child page protection is kinda working OK but there's an issue if you select a login template and use fields that are also available on the child pages, eg. $page->body, which is quite common. Sensitive data may be rendered (eg. with $page->body), because the actual (child) page fields are passed to the login template file.

One needs to check $page->loginForm (or $loginform, $page->protected/protected()) and display the form or other page content. In such cases a redirect to protected parent (the login page) would be safer.

Btw you uploaded the "ProtectedMode" module here, is that intentional?

ppcp.gif

ppcpt.png

Share this post


Link to post
Share on other sites
12 minutes ago, tpr said:

OK but there's an issue if you select a login template and use fields that are also available on the child pages

That's not the intention of this approach - the login template you select should be a dedicated template file (it shouldn't really even have a PW template associated with it). The only thing it should echo is the head, footer, etc and $loginForm - that is it! I believe if you follow that approach everything should work as expected and be secure with no need to redirect. Sorry if that's not clear.

 

12 minutes ago, tpr said:

Btw you uploaded the "ProtectedMode" module here, is that intentional?

Sorry about that - silly mistake - I have now replaced it with the PageProtector version I was referencing.

 

 

Share this post


Link to post
Share on other sites

Thanks, that wasn't clear to me reading the module description/notes fields. Perhaps I was thinking in a "redirect mode" instead of wireRenderFile so I thought all other fields will come from the protected parent and not from the actual child page. Maybe it's only me but perhaps a warning text could be added to the description field to not to place other dynamic content to this template file?

Btw, if I would like to add multi-language content before the $loginForm do I need to use $myLoginPage->body or is there another way? (this was the purpose of using $page->body in my login template, having a dynamic text coming from the admin).

Share this post


Link to post
Share on other sites
16 hours ago, tpr said:

Perhaps I was thinking in a "redirect mode" instead of wireRenderFile so I thought all other fields will come from the protected parent and not from the actual child page.

Perhaps I should add another variable ($ppid - protected page id) to the array that is passed to wireRenderFile. This would be the id of the page that is protected, whether that is the current page, or the parent which is protecting it. That way you could do a $pages->get($ppid)->body to get the appropriate text. Would that be useful? Attached version has this if you want to try it out.

Does that idea also help with your multi-language content question? I don't think I am totally following what you need there.

PageProtector.zip

  • Like 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By Sebi
      I've created a small module which lets you define a timestamp after which a page should be accessible. In addition you can define a timestamp when the release should end and the page should not be accessable any more.
      Github: https://github.com/Sebiworld/PageAccessReleasetime
      Usage
      PageAccessReleasetime can be installed like every other module in ProcessWire. Check the following guide for detailed information: How-To Install or Uninstall Modules
      After that, you will find checkboxes for activating the releasetime-fields at the settings-tab of each page. You don't need to add the fields to your templates manually.
      Check e.g. the checkbox "Activate Releasetime from?" and fill in a date in the future. The page will not be accessable for your users until the given date is reached.
      If you have $config->pagefileSecure = true, the module will protect files of unreleased pages as well.
      How it works
      This module hooks into Page::viewable to prevent users to access unreleased pages:
      public function hookPageViewable($event) { $page = $event->object; $viewable = $event->return; if($viewable){ // If the page would be viewable, additionally check Releasetime and User-Permission $viewable = $this->canUserSee($page); } $event->return = $viewable; } To prevent access to the files of unreleased pages, we hook into Page::isPublic and ProcessPageView::sendFile.
      public function hookPageIsPublic($e) { $page = $e->object; if($e->return && $this->isReleaseTimeSet($page)) { $e->return = false; } } The site/assets/files/ directory of pages, which isPublic() returns false, will get a '-' as prefix. This indicates ProcessWire (with activated $config->pagefileSecure) to check the file's permissions via PHP before delivering it to the client.
      The check wether a not-public file should be accessable happens in ProcessPageView::sendFile. We throw an 404 Exception if the current user must not see the file.
      public function hookProcessPageViewSendFile($e) { $page = $e->arguments[0]; if(!$this->canUserSee($page)) { throw new Wire404Exception('File not found'); } } Additionally we hook into ProcessPageEdit::buildForm to add the PageAccessReleasetime fields to each page and move them to the settings tab.
      Limitations
      In the current version, releasetime-protected pages will appear in wire('pages')->find() queries. If you want to display a list of pages, where pages could be releasetime-protected, you should double-check with $page->viewable() wether the page can be accessed. $page->viewable() returns false, if the page is not released yet.
      If you have an idea how unreleased pages can be filtered out of ProcessWire selector queries, feel free to write an issue, comment or make a pull request!
    • By David Karich
      Thanks to the great Pro module "RepeaterMatrix" I have the possibility to create complex repeater items. With it I have created a quite powerful page builder. Many different content modules, with many more possible design options. The RepeaterMatrix module supports the cloning of items, but only within the same page. Now I often have the case that very design-intensive pages and items are created. If you want to use this module on a different page (e.g. in the same design), you have to rebuild each item manually every time.
      With this proof of concept I have created a module which adds the feature to copy a repeater item to the clipboard so that you can paste this item to another page with the same repeater field. The module has been developed very rudimentarily so far. It is currently not possible to copy nested items. There is also no check of Min/Max. You can also only copy items that have the same field on different pages. And surely you can solve all this more elegantly with AJAX. But personally I lack the deeper understanding of the repeaters. Also missing on the Javascript side are event triggers for the repeaters, which would make it easier. Like e.g. RepeaterItemInitReady or similar.
      it would be great if @ryan would implement this functionality in the core of RepeaterMatrix. I think he has better ways to implement this. Or what do you think, Ryan?
      Everybody is welcome to work on this module and improve it, if it should not be integrated into the matrix core. Therefore I put it for testing and as download on GitHub: https://github.com/FlipZoomMedia/InputfieldRepeaterMatrixDublicate
      You can best see the functionality in the screencast: 
       
    • By anderson
      Hi,
      Please take a look at this:
      https://templatemag.com/demo/Good/
      The upper nav bar, including dropdowns like "pages" and "portfolios", what do you call this whole thing? At first I guess it's called "dropdown nav bar", but seems not.
      AND of course, what's the simplest way/module to achieve this in PW?
      Thanks in advance.
    • By Sebi2020
      Hey, I'm new and I created a simple module for tagging pages because I didn't found a module for it (sadly this is not a core feature). This module is licensed under the GPL3 and cames with absolutly no warranty at all. You should test the module before using it in production environments. Currently it's an alpha release. if you like the module or have ideas for improvements feel free to post a comment. Currently this fieldtype is only compatible with the Inputfield I've created to because I haven't found  an Inputfield yet, that returns arrays from a single html input.
      Greetings Sebi2020
      FieldtypeTags.zip.asc
      InputfieldTagify.zip
      InputfieldTagify.zip.asc
      FieldtypeTags.zip
    • By psy
      Background
      I'm creating a module to integrate https://pushalert.co/ into ProcessWire. You actually don't even need a module. You could just use the "Other Websites" javascript provided by PushAlert for basic functionality, ie send a broadcast notification to all subscribers. This is essentially what all the other integrations, including WordPress, do. The WP integration installs a widget with a form enabling the admin to enter details such as title, message, etc from a blog post. It does not:
      collect any statistics within the CMS about the notification enable audience fine tuning to eg a particular subscriber or subscriber segment within WP. The admin needs to use the PA dashboard for that functionality PushAlert has a javascript and REST API. It's intended that this module will use both. https://pushalert.co/documentation 
      What my module does so far:
      associate a subscription with a user. FE user clicks a button on the website front end to subscribe and/or agrees to the browser popup to accept notifications from this site send broadcast push alerts from a page within admin It doesn't have a 'widget' but easy enough to create a fieldsetpage with the relevant fields and add that fs page to any appropriate templates, then with a hook, send the notification. Need to be careful that once published/sent, the notification is not automatically re-sent on subsequent page edits.
      Looking for help/collaboration on how best:
      to send a notification, eg from a blog post, then track the statistics. Dilemma is that the push notification must come from the admin page. Responses go to the sending page which, as it's an admin page, is restricted and will not accept the https response. This is where the other CMS integrations stop. The only json response from PushAlert is the status, eg 'success', and the notification id. There is no opportunity at this point to capture the sending page id. handle, 'once sent on page publish', do not automatically resend on future page edits Am thinking along the lines that FS Page will have a @kongondo runtime markup field https://modules.processwire.com/modules/fieldtype-runtime-markup/ to pull the stats from PushAlert. Every time an admin visits the page, the stats will update.
      Once an admin checks the 'Send notification on page publish' checkbox, a hook creates new front end page that records the 'sender page', sends the notification request to PA, which then uses that newly created frontend page, as the response endpoint. Another rook re-associates the front end page with the admin page (eg blog post), to update the stats.
      Potential use cases:
      Notify individual and/or users with a particular role of an event, eg "New work opportunity" for job seekers; new blog post published; entries now open, etc...
      Looking for help/ideas/collaboration on this module. Please let me know if you're interested and as I do, believe this would be a great addition to ProcessWire