Jump to content
adrian

Page Protector

Recommended Posts

16 minutes ago, adrian said:

If everyone has the same login username, then absolutely - that is what the session login throttle is designed to do. I think your quickest solution will be to disable the SessionLoginThrottle module.

Just wanted to get that option to you quickly - I'll post some better solutions in a minute.

I just testet it and now it seems to work fine!
Thanks for your support! 
I have deactivated the SessionLoginThrottle module. Is this bad for security reasons or is it save to leave it deactivated?

Share this post


Link to post
Share on other sites
1 minute ago, jploch said:

I have deactivated the SessionLoginThrottle module. Is this bad for security reasons or is it save to leave it deactivated?

No, you shouldn't leave it deactivated - it is designed to reduce dictionary login attacks.

I have just messaged Ryan to see if I can find out more about the behavior of the module also recording successful logins. If that can't be changed, then you may need to set up your own access control if you want to give all users just one login account. Stay tuned - I don't want to send you down the path of setting up something else until I hear from Ryan about the behavior of this module.

  • Like 2

Share this post


Link to post
Share on other sites

Around line 672 when checking template files you could add the $config->templateExtension too, eg.

if (!$item->isDir() && in_array(pathinfo($item, PATHINFO_EXTENSION), array(wire('config')->templateExtension, 'php', 'inc'))) {

This allows selecting twig/latte/etc files from the module settings.

However I'm still trying to figure out why $loginForm is not available for me (using Latte). Surely it's something in my code, but any chance to add $loginform to page, etc. $this->wire('page')->loginForm = $loginForm (before line 291)? This would allow using the form anywhere in the selected template. I'm using this now and it's working fine.

 

pplf1.png

  • Like 1

Share this post


Link to post
Share on other sites

@adrian

How about adding "required" html5 attributes to username/pass input fields? Plus updated the above screenshot to a non-stock login form :)

  • Like 3

Share this post


Link to post
Share on other sites

Hi @tpr - I have made all those requested changes and also several other updates to the module. Please let me know if you find any problems.

 

  • Like 2

Share this post


Link to post
Share on other sites

Great, thanks! Everything's working fine at first look.

$p->loginForm = $loginForm; // added to allow support for latte

It's not exclusive to Latte as you can use it anywhere in regular PHP templates.

Today I noticed an issue with protecting child pages. Links to child pages under a protected page was accessible to everyone, even though I've checked to protect child pages (at Page level). I've added session redirects to solve it temporarily but I'm curious if this happens for others too.

Also the site search could find content from protected child pages. Is the module taking care of this or should developers handle such cases?

Share this post


Link to post
Share on other sites
2 minutes ago, tpr said:

It's not exclusive to Latte as you can use it anywhere in regular PHP templates.

Sure, it's just a little weird though as $loginForm should work everywhere in regular templates - at least it has in my testing.

 

3 minutes ago, tpr said:

Today I noticed an issue with protecting child pages. Links to child pages under a protected page was accessible to everyone, even though I've checked to protect child pages (at Page level).

No problem here - would you mind doing a little testing in the isProtected() function to see where it might be failing. Is $pagesToCheck including the parent which is protected? Is $this->matchedParent being populated with this page? etc

 

9 minutes ago, tpr said:

Also the site search could find content from protected child pages. Is the module taking care of this or should developers handle such cases?

This module is designed to protect access to pages - I am not sure that it should actually prevent pages from being found. I am happy to revisit though if you think otherwise - it should be easy enough to do.

  • Like 1

Share this post


Link to post
Share on other sites

Ok, I'll check what could cause child pages being accessible, probably a few days later.

If it's not too complicated I would welcome an option to exclude protected pages from being found. If I lock a room for a reason I don't want anyone to sneak in through the window :)

  • Like 2

Share this post


Link to post
Share on other sites
1 minute ago, tpr said:

If I lock a room for a reason I don't want anyone to slip in through the window

Yeah, but they won't be able to get in the window, they'll just be able to see the curtains :) 

I would think you'd still want your users to be able to search for the members area - no?

Share this post


Link to post
Share on other sites

Sure, they could only have a peek :)

In this particular project it's not relevant if users could find the Members Area or not, but in general yes, it should be findable.

Share this post


Link to post
Share on other sites
1 minute ago, tpr said:

but in general yes, it should be findable

So doesn't that mean that you agree that there isn't a need to prevent search from finding protected pages?

I guess perhaps it all depends on what you are returning on your search page - if you are providing a preview of some of the content, then I guess this becomes an issue. I guess I'll make it configurable.

BTW - thanks for looking into the child pages issue - I can't imagine why it's not working at your end.

Share this post


Link to post
Share on other sites

Yes, it depends. Perhaps only its title should be findable though I guess this adds another level of complexity. Does the module add a page property eg isProtected to let devs handle this? Sorry I can't look into the code atm.

What's more important imo is to exclude child pages from search, if they are also protected. Perhaps the abovementioned isProtected property could help here too.

  • Like 2

Share this post


Link to post
Share on other sites

@tpr - I am attaching a new version of the module which rejigs things a bit. It now lets you do:

if($page->protected()) {

It returns false or the id of the page that is protecting the checked page, which could be itself, or the closest protected parent.

This should let you handle your search results however you want. 

I thought about automatically removing protected pages from results, but I think there are just too many contingencies to do it this way - I think it makes more sense to let the dev handle it via protected()

Please let me know how this goes and also if it by chance fixes your issue with child pages not being protected.

 

PageProtector.zip

  • Like 3

Share this post


Link to post
Share on other sites

Thanks!

Search results

I can easily exclude the protected pages now but I guess there's no way I could exclude them in the initial $pages->find() query, where search results are populated. This leads to improper number of results if I exclude pages when outputting the results list, or if I filter them in memory beforehands then pagination will broke. This is no surprise because $page->protected is not a page field so I cannot use "protected=''" in the selector. I've tried using addHookProperty but $pages->find() doesn't respect that ($page->protected worked fine though).

Anyway, I can live with it - but please correct me if I'm missing something.

Child pages

In case of child page protection I found that if I set no template in the module settings, then the protected child page loads with the loginForm, which is the expected behaviour. This unfortunately doesn't fit my current needs because I would prefer only one login page for members, so that's why I do a redirect:

if ($page->id !== $memberLoginPage->id && $page->protected() && !($user->isSuperUser() || $user->hasRole('member'))) {
    $session->redirect($memberLoginPage->url);
    $this->halt();
}

Would it be possible to have an option under "Protect child pages" like "Redirect to protected parent on direct access"?

  • Like 3

Share this post


Link to post
Share on other sites

Hey @tpr - thanks for the report.

I'll take a look at the issue with protected() and trying to make the property available in find() selectors - not sure if this is possible or not.

Regarding the child issue - it is working here if use the default login form and also if I choose a login template - that is both options seem to be working fine. Perhaps it's a Latte issue when using wireRenderFile like I am around line 304 ?

1 hour ago, tpr said:

This unfortunately doesn't fit my current needs because I would prefer only one login page for members, so that's why I do a redirect

I don't really understand this - users should see the same login form no matter what page they try to visit (because it renders the template you have chosen) - I don't see any reason to redirect - again, maybe a latte issue? Any chance you could try the module without latte just to see if everything works as expected? Maybe I am still not understanding though?

  • Like 1

Share this post


Link to post
Share on other sites

@tpr - just had a quick play with a protected property and selectors. Runtime properties only work with in memory page arrays, so you would have to do:

$allResults = $pages->find("template=basic-page");
$notProtectedResults = $allResults->find("protected=0");

I think you already figured this out :)

Anyway, that example works with the attached version.

What are your thoughts on the best approach here? 

 

 

PageProtector.zip

  • Like 2

Share this post


Link to post
Share on other sites
5 hours ago, tpr said:

I can easily exclude the protected pages now but I guess there's no way I could exclude them in the initial $pages->find() query

I guess you could add a couple of hidden fields to your page templates to store the "Protect children" and "Allowed roles" values using a save hook. Then make use of these fields in your find selector.

Share this post


Link to post
Share on other sites
2 minutes ago, Robin S said:

I guess you could add a couple of hidden fields to your page templates to store the "Protect children" and "Allowed roles" values using a save hook. Then make use of these fields in your find selector.

Yeah,  I was hoping to avoid that - I never like polluting all templates with settings type fields if I can avoid it, but maybe in this case it is the only option. I guess if it's set to hidden and system so it can't be manually deleted (but deletion is taken care of during module uninstall), and its checked status would be toggled when checking the "Protect this page" checkbox on the Settings tab, then it wouldn't be too invasive. The other catch of course is that protecting a parent that has thousands or more children could result in a very slow page save because it would need to update the status of all those children as well.

Share this post


Link to post
Share on other sites
4 minutes ago, adrian said:

Yeah,  I was hoping to avoid that

Sorry, I wasn't proposing that as a module feature - just a suggestion for @tpr to consider. I think it's something that most users don't need so I agree it shouldn't be implemented by the module.

7 minutes ago, adrian said:

The other catch of course is that protecting a parent that has thousands or more children could result in a very slow page save because it would need to update the status of all those children as well.

Rather than do that I was thinking a person would use has_parent in their $pages->find() selector.

$page_protects_children = implode('|', $pages->findIDs("protect_children=1"));
$results = $pages->find("has_parent!=$page_protects_children"); // actual selector would have more conditions

 

  • Like 1

Share this post


Link to post
Share on other sites

Adding a field manually should work, thanks. As I wrote, memory selectors would make pagination to fail, but with the extra field it will be OK. I only need to add it to the protected parent and use has_parent.

I'll check the child issue without latte too.

I need the redirect because if one tries to access a child page by knowing its url, I would like redirect him to the protected parent. This page has different template with the login form.

  • Like 1

Share this post


Link to post
Share on other sites

Child page protection is kinda working OK but there's an issue if you select a login template and use fields that are also available on the child pages, eg. $page->body, which is quite common. Sensitive data may be rendered (eg. with $page->body), because the actual (child) page fields are passed to the login template file.

One needs to check $page->loginForm (or $loginform, $page->protected/protected()) and display the form or other page content. In such cases a redirect to protected parent (the login page) would be safer.

Btw you uploaded the "ProtectedMode" module here, is that intentional?

ppcp.gif

ppcpt.png

Share this post


Link to post
Share on other sites
12 minutes ago, tpr said:

OK but there's an issue if you select a login template and use fields that are also available on the child pages

That's not the intention of this approach - the login template you select should be a dedicated template file (it shouldn't really even have a PW template associated with it). The only thing it should echo is the head, footer, etc and $loginForm - that is it! I believe if you follow that approach everything should work as expected and be secure with no need to redirect. Sorry if that's not clear.

 

12 minutes ago, tpr said:

Btw you uploaded the "ProtectedMode" module here, is that intentional?

Sorry about that - silly mistake - I have now replaced it with the PageProtector version I was referencing.

 

 

Share this post


Link to post
Share on other sites

Thanks, that wasn't clear to me reading the module description/notes fields. Perhaps I was thinking in a "redirect mode" instead of wireRenderFile so I thought all other fields will come from the protected parent and not from the actual child page. Maybe it's only me but perhaps a warning text could be added to the description field to not to place other dynamic content to this template file?

Btw, if I would like to add multi-language content before the $loginForm do I need to use $myLoginPage->body or is there another way? (this was the purpose of using $page->body in my login template, having a dynamic text coming from the admin).

Share this post


Link to post
Share on other sites
16 hours ago, tpr said:

Perhaps I was thinking in a "redirect mode" instead of wireRenderFile so I thought all other fields will come from the protected parent and not from the actual child page.

Perhaps I should add another variable ($ppid - protected page id) to the array that is passed to wireRenderFile. This would be the id of the page that is protected, whether that is the current page, or the parent which is protecting it. That way you could do a $pages->get($ppid)->body to get the appropriate text. Would that be useful? Attached version has this if you want to try it out.

Does that idea also help with your multi-language content question? I don't think I am totally following what you need there.

PageProtector.zip

  • Like 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By gebeer
      Although the PW backend is really intuitive, ever so often my clients need some assistance. Be it they are not so tech savvy or they are not working in the backend often.
      For those cases it is nice to make some help videos available to editors. This is what this module does.
      ProcessHelpVideos Module
      A Process module to display help videos for the ProcessWire CMS. It can be used to make help videos (screencasts) available to content editors.
      This module adds a 'Help Videos" section to the ProcessWire backend. The help videos are accessible through an automatically created page in the Admin page tree. You can add your help videos as pages in the page tree. The module adds a hidden page to the page tree that acts as parent page for the help video pages. All necessary fields and templates will be installed automatically. If there are already a CKEditor field and/or a file field for mp4 files installed in the system, the module will use those. Otherwise it will create the necessary fields. Also the necessary templates for the parent help videos page and it's children are created on module install. The module installs a permission process-helpvideos. Every user role that should have access to the help video section, needs this permission. I use the help video approach on quite a few production sites. It is stable so far and well received by site owners/editors. Up until now I installed required fields, templates and pages manually and then added the module. Now I added all this logic to the install method of the module and it should be ready to share.
      The module and further description on how to use it is available on github: https://github.com/gebeer/ProcessHelpVideos
      If you like to give it a try, I am happy to receive your comments/suggestions here.
    • By Robin S
      A module created in response to the topic here:
      Page List Select Multiple Quickly
      Modifies PageListSelectMultiple to allow you to select multiple pages without the tree closing every time you select a page.
      The screencast says it all:

       
      https://github.com/Toutouwai/PageListSelectMultipleQuickly
      https://modules.processwire.com/modules/page-list-select-multiple-quickly/
    • By gebeer
      Hello all,
      sharing my new module FieldtypeImagePicker. It provides a configurable input field for choosing any type of image from a predefined folder.
      The need for it came up because a client had a custom SVG icon set and I wanted the editors to be able to choose an icon in the page editor.
      It can also be used to offer a choice of images that are used site-wide without having to upload them to individual pages.
      There are no image manipulation methods like with the native PW image field.
      Module and full description can be found on github https://github.com/gebeer/FieldtypeImagePicker
      Kudos to @Martijn Geerts. I used his module FieldTypeSelectFile as a base to build upon.
      Here's how the input field looks like in the page editor:

      Hope it can be of use to someone.
      If you like to give it a try, I'm happy to hear your comments or suggestions for improvement. Eventually this will go in the module directory soon, too.
    • By bernhard
      @Sergio asked about the pdf creation process in the showcase thread about my 360° feedback/survey tool and so I went ahead and set my little pdf helper module to public.
      Description from PW Weekly:
       
      Modules Directory: https://modules.processwire.com/modules/rock-pdf/
      Download & Docs: https://github.com/BernhardBaumrock/RockPDF
       
      You can combine it easily with RockReplacer: 
      See also a little showcase of the RockPdf module in this thread:
       
    • By ukyo
      FieldtypeFontIconPicker
      Supported Icon Libraries
      FontAwesome 4.7.0 Uikit 3.0.34 IonicIcons 2.0.1 Cahangelog
      NOTE: Module store data without prefix, you need to add "prefix" when you want to show your icon on front-end, because some of front-end frameworks using font-awesome with different "prefix".
      Module will search site/modules/**/configs/IconPicker.*.php and site/templates/IconPicker.*.php paths for FieldtypeFontIconPicker config files.
      All config files need to return a PHP ARRAY like examples.
      Example config file : create your own icon set.
      File location is site/configs/IconPicker.example.php
      <?php namespace ProcessWire; /** * IconPicker : Custom Icons */ return [ "name" => "my-custom-icons", "title" => "My Custom Icon Set", "version" => "1.0.0", "styles" => array( wire("config")->urls->templates . "dist/css/my-custom-icons.css" ), "scripts" => array( wire("config")->urls->templates . "dist/js/my-custom-icons.js" ), "categorized" => true, "attributes" => array(), "icons" => array( "brand-icons" => array( "title" => "Brand Icons", "icons" => array( "google", "facebook", "twitter", "instagram" ) ), "flag-icons" => array( "title" => "Flag Icons", "icons" => array( "tr", "gb", "us", "it", "de", "nl", "fr" ) ) ) ]; Example config file : use existing and extend it.
      File location is site/configs/IconPicker.altivebir.php
      <?php namespace ProcessWire; /** * IconPicker : Existing & Extend */ $resource = include wire("config")->paths->siteModules . "FieldtypeFontIconPicker/configs/IconPicker.uikit.php"; $url = wire("config")->urls->templates . "dist"; $resource["scripts"] = array_merge($resource["scripts"], ["{$url}/js/Altivebir.Icon.min.js"]); $resource["icons"]["flag-icons"] = [ "title" => "Flag Icons", "icons" => array("tr", "en", "fr", "us", "it", "de") ]; $resource["icons"]["brand-icons"]["icons"] = array_merge($resource["icons"]["brand-icons"]["icons"], array( "altivebir" )); return $resource; After you add your custom config file, you will see your config file on library select box. Library Title (Location Folder Name).

      If your library categorized and if you have categorized icons set like uikit and fontawesome libraries, you will have category limitation options per icon field or leave it empty for allow all categories (default).

      Example : output
      if ($icon = $page->get("iconField")) { echo "<i class='prefix-{$icon}' />"; } MarkupFontIconPicker Usage
      // MarkupFontIconPicker::render(YourIconField=string, Options=array) echo MarkupFontIconPicker::render($page->YourIconField, [ 'prefix' => 'uk-icon-', // Icon class prefix, if you have different prefix, default is : "fa fa-" 'tag' => 'span', // Icon tag default is : "i" 'class' => 'fa-lg', // If you have extra cutom classes, for example : icons sizes, Array or Sting value 'style' => 'your custom styles if you have' // Array or String Value ]); Theme support

      Search support

      Category support

       
×
×
  • Create New...