adrian

Page Protector

Recommended Posts

16 minutes ago, adrian said:

If everyone has the same login username, then absolutely - that is what the session login throttle is designed to do. I think your quickest solution will be to disable the SessionLoginThrottle module.

Just wanted to get that option to you quickly - I'll post some better solutions in a minute.

I just testet it and now it seems to work fine!
Thanks for your support! 
I have deactivated the SessionLoginThrottle module. Is this bad for security reasons or is it save to leave it deactivated?

Share this post


Link to post
Share on other sites
1 minute ago, jploch said:

I have deactivated the SessionLoginThrottle module. Is this bad for security reasons or is it save to leave it deactivated?

No, you shouldn't leave it deactivated - it is designed to reduce dictionary login attacks.

I have just messaged Ryan to see if I can find out more about the behavior of the module also recording successful logins. If that can't be changed, then you may need to set up your own access control if you want to give all users just one login account. Stay tuned - I don't want to send you down the path of setting up something else until I hear from Ryan about the behavior of this module.

  • Like 2

Share this post


Link to post
Share on other sites

Around line 672 when checking template files you could add the $config->templateExtension too, eg.

if (!$item->isDir() && in_array(pathinfo($item, PATHINFO_EXTENSION), array(wire('config')->templateExtension, 'php', 'inc'))) {

This allows selecting twig/latte/etc files from the module settings.

However I'm still trying to figure out why $loginForm is not available for me (using Latte). Surely it's something in my code, but any chance to add $loginform to page, etc. $this->wire('page')->loginForm = $loginForm (before line 291)? This would allow using the form anywhere in the selected template. I'm using this now and it's working fine.

 

pplf1.png

  • Like 1

Share this post


Link to post
Share on other sites

@adrian

How about adding "required" html5 attributes to username/pass input fields? Plus updated the above screenshot to a non-stock login form :)

  • Like 3

Share this post


Link to post
Share on other sites

Hi @tpr - I have made all those requested changes and also several other updates to the module. Please let me know if you find any problems.

 

  • Like 2

Share this post


Link to post
Share on other sites

Great, thanks! Everything's working fine at first look.

$p->loginForm = $loginForm; // added to allow support for latte

It's not exclusive to Latte as you can use it anywhere in regular PHP templates.

Today I noticed an issue with protecting child pages. Links to child pages under a protected page was accessible to everyone, even though I've checked to protect child pages (at Page level). I've added session redirects to solve it temporarily but I'm curious if this happens for others too.

Also the site search could find content from protected child pages. Is the module taking care of this or should developers handle such cases?

Share this post


Link to post
Share on other sites
2 minutes ago, tpr said:

It's not exclusive to Latte as you can use it anywhere in regular PHP templates.

Sure, it's just a little weird though as $loginForm should work everywhere in regular templates - at least it has in my testing.

 

3 minutes ago, tpr said:

Today I noticed an issue with protecting child pages. Links to child pages under a protected page was accessible to everyone, even though I've checked to protect child pages (at Page level).

No problem here - would you mind doing a little testing in the isProtected() function to see where it might be failing. Is $pagesToCheck including the parent which is protected? Is $this->matchedParent being populated with this page? etc

 

9 minutes ago, tpr said:

Also the site search could find content from protected child pages. Is the module taking care of this or should developers handle such cases?

This module is designed to protect access to pages - I am not sure that it should actually prevent pages from being found. I am happy to revisit though if you think otherwise - it should be easy enough to do.

  • Like 1

Share this post


Link to post
Share on other sites

Ok, I'll check what could cause child pages being accessible, probably a few days later.

If it's not too complicated I would welcome an option to exclude protected pages from being found. If I lock a room for a reason I don't want anyone to sneak in through the window :)

  • Like 2

Share this post


Link to post
Share on other sites
1 minute ago, tpr said:

If I lock a room for a reason I don't want anyone to slip in through the window

Yeah, but they won't be able to get in the window, they'll just be able to see the curtains :) 

I would think you'd still want your users to be able to search for the members area - no?

Share this post


Link to post
Share on other sites

Sure, they could only have a peek :)

In this particular project it's not relevant if users could find the Members Area or not, but in general yes, it should be findable.

Share this post


Link to post
Share on other sites
1 minute ago, tpr said:

but in general yes, it should be findable

So doesn't that mean that you agree that there isn't a need to prevent search from finding protected pages?

I guess perhaps it all depends on what you are returning on your search page - if you are providing a preview of some of the content, then I guess this becomes an issue. I guess I'll make it configurable.

BTW - thanks for looking into the child pages issue - I can't imagine why it's not working at your end.

Share this post


Link to post
Share on other sites

Yes, it depends. Perhaps only its title should be findable though I guess this adds another level of complexity. Does the module add a page property eg isProtected to let devs handle this? Sorry I can't look into the code atm.

What's more important imo is to exclude child pages from search, if they are also protected. Perhaps the abovementioned isProtected property could help here too.

  • Like 2

Share this post


Link to post
Share on other sites

@tpr - I am attaching a new version of the module which rejigs things a bit. It now lets you do:

if($page->protected()) {

It returns false or the id of the page that is protecting the checked page, which could be itself, or the closest protected parent.

This should let you handle your search results however you want. 

I thought about automatically removing protected pages from results, but I think there are just too many contingencies to do it this way - I think it makes more sense to let the dev handle it via protected()

Please let me know how this goes and also if it by chance fixes your issue with child pages not being protected.

 

PageProtector.zip

  • Like 3

Share this post


Link to post
Share on other sites

Thanks!

Search results

I can easily exclude the protected pages now but I guess there's no way I could exclude them in the initial $pages->find() query, where search results are populated. This leads to improper number of results if I exclude pages when outputting the results list, or if I filter them in memory beforehands then pagination will broke. This is no surprise because $page->protected is not a page field so I cannot use "protected=''" in the selector. I've tried using addHookProperty but $pages->find() doesn't respect that ($page->protected worked fine though).

Anyway, I can live with it - but please correct me if I'm missing something.

Child pages

In case of child page protection I found that if I set no template in the module settings, then the protected child page loads with the loginForm, which is the expected behaviour. This unfortunately doesn't fit my current needs because I would prefer only one login page for members, so that's why I do a redirect:

if ($page->id !== $memberLoginPage->id && $page->protected() && !($user->isSuperUser() || $user->hasRole('member'))) {
    $session->redirect($memberLoginPage->url);
    $this->halt();
}

Would it be possible to have an option under "Protect child pages" like "Redirect to protected parent on direct access"?

  • Like 3

Share this post


Link to post
Share on other sites

Hey @tpr - thanks for the report.

I'll take a look at the issue with protected() and trying to make the property available in find() selectors - not sure if this is possible or not.

Regarding the child issue - it is working here if use the default login form and also if I choose a login template - that is both options seem to be working fine. Perhaps it's a Latte issue when using wireRenderFile like I am around line 304 ?

1 hour ago, tpr said:

This unfortunately doesn't fit my current needs because I would prefer only one login page for members, so that's why I do a redirect

I don't really understand this - users should see the same login form no matter what page they try to visit (because it renders the template you have chosen) - I don't see any reason to redirect - again, maybe a latte issue? Any chance you could try the module without latte just to see if everything works as expected? Maybe I am still not understanding though?

  • Like 1

Share this post


Link to post
Share on other sites

@tpr - just had a quick play with a protected property and selectors. Runtime properties only work with in memory page arrays, so you would have to do:

$allResults = $pages->find("template=basic-page");
$notProtectedResults = $allResults->find("protected=0");

I think you already figured this out :)

Anyway, that example works with the attached version.

What are your thoughts on the best approach here? 

 

 

PageProtector.zip

  • Like 2

Share this post


Link to post
Share on other sites
5 hours ago, tpr said:

I can easily exclude the protected pages now but I guess there's no way I could exclude them in the initial $pages->find() query

I guess you could add a couple of hidden fields to your page templates to store the "Protect children" and "Allowed roles" values using a save hook. Then make use of these fields in your find selector.

Share this post


Link to post
Share on other sites
2 minutes ago, Robin S said:

I guess you could add a couple of hidden fields to your page templates to store the "Protect children" and "Allowed roles" values using a save hook. Then make use of these fields in your find selector.

Yeah,  I was hoping to avoid that - I never like polluting all templates with settings type fields if I can avoid it, but maybe in this case it is the only option. I guess if it's set to hidden and system so it can't be manually deleted (but deletion is taken care of during module uninstall), and its checked status would be toggled when checking the "Protect this page" checkbox on the Settings tab, then it wouldn't be too invasive. The other catch of course is that protecting a parent that has thousands or more children could result in a very slow page save because it would need to update the status of all those children as well.

Share this post


Link to post
Share on other sites
4 minutes ago, adrian said:

Yeah,  I was hoping to avoid that

Sorry, I wasn't proposing that as a module feature - just a suggestion for @tpr to consider. I think it's something that most users don't need so I agree it shouldn't be implemented by the module.

7 minutes ago, adrian said:

The other catch of course is that protecting a parent that has thousands or more children could result in a very slow page save because it would need to update the status of all those children as well.

Rather than do that I was thinking a person would use has_parent in their $pages->find() selector.

$page_protects_children = implode('|', $pages->findIDs("protect_children=1"));
$results = $pages->find("has_parent!=$page_protects_children"); // actual selector would have more conditions

 

  • Like 1

Share this post


Link to post
Share on other sites

Adding a field manually should work, thanks. As I wrote, memory selectors would make pagination to fail, but with the extra field it will be OK. I only need to add it to the protected parent and use has_parent.

I'll check the child issue without latte too.

I need the redirect because if one tries to access a child page by knowing its url, I would like redirect him to the protected parent. This page has different template with the login form.

  • Like 1

Share this post


Link to post
Share on other sites

Child page protection is kinda working OK but there's an issue if you select a login template and use fields that are also available on the child pages, eg. $page->body, which is quite common. Sensitive data may be rendered (eg. with $page->body), because the actual (child) page fields are passed to the login template file.

One needs to check $page->loginForm (or $loginform, $page->protected/protected()) and display the form or other page content. In such cases a redirect to protected parent (the login page) would be safer.

Btw you uploaded the "ProtectedMode" module here, is that intentional?

ppcp.gif

ppcpt.png

Share this post


Link to post
Share on other sites
12 minutes ago, tpr said:

OK but there's an issue if you select a login template and use fields that are also available on the child pages

That's not the intention of this approach - the login template you select should be a dedicated template file (it shouldn't really even have a PW template associated with it). The only thing it should echo is the head, footer, etc and $loginForm - that is it! I believe if you follow that approach everything should work as expected and be secure with no need to redirect. Sorry if that's not clear.

 

12 minutes ago, tpr said:

Btw you uploaded the "ProtectedMode" module here, is that intentional?

Sorry about that - silly mistake - I have now replaced it with the PageProtector version I was referencing.

 

 

Share this post


Link to post
Share on other sites

Thanks, that wasn't clear to me reading the module description/notes fields. Perhaps I was thinking in a "redirect mode" instead of wireRenderFile so I thought all other fields will come from the protected parent and not from the actual child page. Maybe it's only me but perhaps a warning text could be added to the description field to not to place other dynamic content to this template file?

Btw, if I would like to add multi-language content before the $loginForm do I need to use $myLoginPage->body or is there another way? (this was the purpose of using $page->body in my login template, having a dynamic text coming from the admin).

Share this post


Link to post
Share on other sites
16 hours ago, tpr said:

Perhaps I was thinking in a "redirect mode" instead of wireRenderFile so I thought all other fields will come from the protected parent and not from the actual child page.

Perhaps I should add another variable ($ppid - protected page id) to the array that is passed to wireRenderFile. This would be the id of the page that is protected, whether that is the current page, or the parent which is protecting it. That way you could do a $pages->get($ppid)->body to get the appropriate text. Would that be useful? Attached version has this if you want to try it out.

Does that idea also help with your multi-language content question? I don't think I am totally following what you need there.

PageProtector.zip

  • Like 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By daniels
      This is a lightweight alternative to other newsletter & newsletter-subscription modules.
      You can find the Module in the Modules directory and on Github
      It can subscribe, update, unsubscribe & delete a user in a list in Mailchimp with MailChimp API 3.0. It does not provide any forms or validation, so you can feel free to use your own. To protect your users, it does not save any user data in logs or sends them to an admin.
      This module fits your needs if you...
      ...use Mailchimp as your newsletter / email-automation tool ...want to let users subscribe to your newsletter on your website ...want to use your own form, validation and messages (with or without the wire forms) ...don't want any personal user data saved in any way in your ProcessWire environment (cf. EU data regulation terms) ...like to subscribe, update, unsubscribe or delete users to/from different lists ...like the Mailchimp UI for creating / sending / reviewing email campaigns *I have only tested it with PHP 7.x so far, so use on owners risk
      EDIT:
      I've updated the module to 0.0.3. I removed the instructions from this forum, so I don't have to maintain it on multiple places. Just checkout the readme on github 🙂
      If you have questions or like to contribute, just post a reply or create an issue or pr on github. 
    • By blynx
      Hej,
      A module which helps including Photoswipe and brings some modules for rendering gallery markup. Feedback highly appreciated
      (Also pull requests are appreciated 😉 - have a new Job now and don't work a lot with ProcessWire anymore, yet, feel free to contact me here or on GitHub, Im'm still "online"!)

      Modules directory: http://modules.processwire.com/modules/markup-processwire-photoswipe
      .zip download: https://github.com/blynx/MarkupProcesswirePhotoswipe/archive/master.zip
      You can add a photoswipe enabled thumbnail gallery / lightbox to your site like this. Just pass an image field to the renderGallery method:
      <?php $pwpswp = $modules->get('Pwpswp'); echo $pwpswp->renderGallery($page->nicePictures); Options are provided like so:
      <?php $galleryOptions = [ 'imageResizerOptions' => [ 'size' => '500x500' 'quality' => 70, 'upscaling' => false, 'cropping' => false ], 'loresResizerOptions' => [ 'size' => '500x500' 'quality' => 20, 'upscaling' => false, 'cropping' => false ], 'pswpOptions' => (object) [ 'shareEl' => false, 'indexIndicatorSep' => ' von ', 'closeOnScroll' => false ] ]; echo $pswp->renderGallery($page->images, $galleryOptions); More info about all that is in the readme: https://github.com/blynx/MarkupProcesswirePhotoswipe
      What do you think? Any ideas, bugs, critique, requests?
      cheers
      Steffen
    • By bernhard
      WHY?
      This module was built to fill the gap between simple $pages->find() operations and complex SQL queries.
      The problem with $pages->find() is that it loads all pages into memory and that can be a problem when querying multiple thousands of pages. Even $pages->findMany() loads all pages into memory and therefore is a lot slower than regular SQL.
      The problem with SQL on the other hand is, that the queries are quite complex to build. All fields are separate tables, some repeatable fields use multiple rows for their content that belong to only one single page, you always need to check for the page status (which is not necessary on regular find() operations and therefore nobody is used to that).
      In short: It is far too much work to efficiently and easily get an array of data based on PW pages and fields and I need that a lot for my RockGrid module to build all kinds of tabular data.

      Basic Usage

       
      Docs & Download
      https://gitlab.com/baumrock/RockFinder/tree/master
       
      Changelog
      180516 change sql query method, bump version to 1.0.0 180515 multilang bugfix 180513 beta release <180513 preview/discussion took place here: https://processwire.com/talk/topic/18983-rocksqlfinder-highly-efficient-and-flexible-sql-finder-module/
    • By flydev
      OAuth2Login for ProcessWire
      A Module which give you ability to login an existing user using your favorite thrid-party OAuth2 provider (i.e. Facebook, GitHub, Google, LinkedIn, etc.)..
      You can login from the backend to the backend directly or render a form on the frontend and redirect the user to a choosen page.
      Built on top of ThePhpLeague OAuth2-Client lib.
      Registration is not handled by this module but planned.
       
      Howto Install
      Install the module following this procedure:
       - http://modules.processwire.com/modules/oauth2-login/
       - https://github.com/flydev-fr/OAuth2Login
      Next step, in order to use a provider, you need to use Composer to install each provider
      ie: to install Google, open a terminal, go to your root directory of pw and type the following command-line: composer require league/oauth2-google
      Tested providers/packages :
          Google :  league/oauth2-google     Facebook: league/oauth2-facebook     Github: league/oauth2-github     LinkedIn: league/oauth2-linkedin
      More third-party providers are available there. You should be able to add a provider by simply adding it to the JSON config file.

      Howto Use It
      First (and for testing purpose), you should create a new user in ProcessWire that reflect your real OAuth2 account information. The important informations are, Last Name, First Name and Email. The module will compare existing users by firstname, lastname and email; If the user match the informations, then he is logged in.
      ie, if my Google fullname is John Wick, then in ProcessWire, I create a new user  Wick-John  with email  johnwick@mydomain.com
      Next step, go to your favorite provider and create an app in order to get the ClientId and ClientSecret keys. Ask on the forum if you have difficulties getting there.
      Once you got the keys for a provider, just paste it into the module settings and save it. One or more button should appear bellow the standard login form.
      The final step is to make your JSON configuration file.
      In this sample, the JSON config include all tested providers, you can of course edit it to suit your needs :
      { "providers": { "google": { "className": "Google", "packageName": "league/oauth2-google", "helpUrl": "https://console.developers.google.com/apis/credentials" }, "facebook": { "className": "Facebook", "packageName": "league/oauth2-facebook", "helpUrl": "https://developers.facebook.com/apps/", "options": { "graphApiVersion": "v2.10", "scope": "email" } }, "github": { "className": "Github", "packageName": "league/oauth2-github", "helpUrl": "https://github.com/settings/developers", "options": { "scope": "user:email" } }, "linkedin": { "className": "LinkedIn", "packageName": "league/oauth2-linkedin", "helpUrl": "https://www.linkedin.com/secure/developer" } } }  
      Backend Usage
      In ready.php, call the module :
      if($page->template == 'admin') { $oauth2mod = $modules->get('Oauth2Login'); if($oauth2mod) $oauth2mod->hookBackend(); }  
      Frontend Usage
      Small note: At this moment the render method is pretty simple. It output a InputfieldForm with InputfieldSubmit(s) into wrapped in a ul:li tag. Feedbacks and ideas welcome!
      For the following example, I created a page login and a template login which contain the following code :
      <?php namespace ProcessWire; if(!$user->isLoggedin()) { $options = array( 'buttonClass' => 'my_button_class', 'buttonValue' => 'Login with {provider}', // {{provider}} keyword 'prependMarkup' => '<div class="wrapper">', 'appendMarkup' => '</div>' ); $redirectUri = str_lreplace('//', '/', $config->urls->httpRoot . $page->url); $content = $modules->get('Oauth2Login')->config( array( 'redirect_uri' => $redirectUri, 'success_uri' => $page->url ) )->render($options); }
      The custom function lstr_replace() :
      /* * replace the last occurence of $search by $replace in $subject */ function str_lreplace($search, $replace, $subject) { return preg_replace('~(.*)' . preg_quote($search, '~') . '~', '$1' . $replace, $subject, 1); }  
      Screenshot
       



    • By gRegor
      Updated 2018-05-06:
      Version 2.0.0 released
      Updated 2017-03-27:
      Version 1.1.3 released
      Updated 2016-04-11:
      Version 1.1.2 released

      Updated 2016-02-26:
      Officially in the module directory! http://modules.processwire.com/modules/webmention/

      Updated 2016-02-25:
      Version 1.1.0 is now released. It's been submitted to the module directory so should appear there soon. In the meantime, it's available on GitHub: https://github.com/gRegorLove/ProcessWire-Webmention. Please refer to the updated README there and let me know if you have any questions!
      ------------
      Original post:
       
      This is now out of date. I recommend reading the official README.
       
      I've been working on this one for a while. It's not 100%, but it is to the point I'm using it on my own site, so it's time for me to release it in beta. Once I finish up some of the features described below, I will submit it to the modules directory as a stable plugin.
      For now, you can install from Github. It works on PW2.5. I haven't tested on PW2.6, but it should work there.
      Feedback and questions are welcome. I'm in the IRC channel #processwire as well as #indiewebcamp if you have any questions about this module, webmention, or microformats.
      Thanks to Ryan for the Comments Fieldtype which helped me a lot in the handling of webmentions in the admin area.
      ProcessWire Webmention Module
      Webmention is a simple way to automatically notify any URL when you link to it on your site. From the receiver's perspective, it is a way to request notification when other sites link to it.
      Version 1.0.0 is a stable beta that covers webmention sending, receiving, parsing, and display. An easy admin interface for received webmentions is under development, as well as support for the Webmention Vouch extension.
      Features
      * Webmention endpoint discovery
      * Automatically send webmentions asynchronously * Automatically receive webmentions * Process webmentions to extract microformats   Requirements * php-mf2 and php-mf2-cleaner libraries; bundled with this package and may optionally be updated using Composer. * This module hooks into the LazyCron module.   Installation Github: https://github.com/gRegorLove/ProcessWire-Webmention

      Installing the core module named "Webmention" will automatically install the Fieldtype and Inputfield modules included in this package.   This module will attempt to add a template and page named "Webmention Endpoint" if the template does not exist already. The default location of this endpoint is http://example.com/webmention-endpoint   After installing the module, create a new field of type "Webmentions" and add it to the template(s) you want to be able to support webmentions. Sending Webmentions
      When creating or editing a page that has the Webmentions field, a checkbox "Send Webmentions" will appear at the bottom. Check this box and any URLs linked in the page body will be queued up for sending webmentions. Note: you should only check the "Send Webmentions" box if the page status is "published."   Receiving Webmentions This module enables receiving webmentions on any pages that have have "Webmentions" field, by adding the webmention endpoint as an HTTP Link header. If you would like to specify a custom webmention endpoint URL, you can do so in the admin area, Modules > Webmention.   Processing Webmentions (beta) Currently no webmentions are automatically processed. You will need to browse to the page in the backend, click "Edit," and scroll to the Webmentions field. There is a dropdown for "Visibility" and "Action" beside each webmention. Select "Process" to parse the webmention for microformats.   A better interface for viewing/processing all received webmentions in one place is under development.   Displaying Webmentions (beta) Within your template file, you can use `$page->Webmentions->render()` [where "Webmentions" is the name you used creating the field] to display a list of approved webmentions. As with the Comments Fieldtype, you can also generate your own output.   The display functionality is also under development.   Logs This module writes two logs: webmentions-sent and webmentions-received.   Vouch The Vouch anti-spam extension is still under development.   IndieWeb The IndieWeb movement is about owning your data. It encourages you to create and publish on your own site and optionally syndicate to third-party sites. Webmention is one of the core building blocks of this movement.   Learn more and get involved by visiting http://indiewebcamp.com.   Further Reading * http://indiewebcamp.com/webmention * http://indiewebcamp.com/comments-presentation * http://indiewebcamp.com/reply