I am developing a simple website for a community organization where we want to have, among other content, a wiki that is only visible to registered users who are logged-in.
Using some of the many excellent resources online, I put together a php-and-database based authentication system that handles user registration and session-based authentication. I can successfully call a php function that gives me a visitor's logged-in status.
But now, I am a little stuck on how I actually use this logged-in status to protect entire parts of my website, i.e., complex content in subfolders such as my wiki installation that is in /wiki. I have tried implementing an example where I can protect individual files by using RewriteCond and RewriteRule in .htaccess and then a method that uses header() and fpassthru(), such as the example here.
But this method doesn't seem to work when I want to protect an entire folder that itself contains php, such as the contents of my /wiki folder (a mediawiki installation).
(Note I don't particularly want to just use mediawiki's access control, because I want to have other content behind the login page beside the wiki.)
Further research brought me to the concept of "middleware" to control access to whole subdirectories, but I have to admit I am a little out of my depth and haven't found a simple example yet of how I might implement this (maybe I am not searching for the right keywords).
I would be grateful if anyone could point me towards a resource and/or example for protecting subfolders on a website.
Related
So, I have a website where I allow users to aggregate certain settings into readable html pages that can be emailed or copied in html to be shared elsewhere.
What I would like to do now is use REST API in order to allow users to post this content directly to their WordPress blogs (independently hosted or on wordpress.com). From my research, REST API is the best way to go about doing this. However, I cannot seem to find any reliable resources on how this is to be exactly implemented or achieved (or if it is 100% entirely possible).
I'm hoping there are one or two people who have had experience with this sort of thing and who can provide me with some guidance!
There is no standard REST interface to WordPress. However, WordPress does have an XMLRPC interface to post, edit, and otherwise manage content. Information on this interface is available in the WordPress Codex at:
https://codex.wordpress.org/XML-RPC_WordPress_API
We have a site where we are intending to sell access to video tutorials. I have set up Joomla ACL to limit access to those pages only to those users who have been given the relevant access permissions and access is being sold through shopping cart called MijoShop.
This setup is working okay at the moment, but there is bit of an issue with user experience. At the moment it seems I can only stop people from viewing a page, but I can't see an easy way to show them alternative content with Joomla ACL. Ideally, if a logged-in user does not have access to a certain video tutorial page, when they click on the link to the page they will instead see a page giving them an opportunity to buy access to the tutorial. This means that I need a method for showing different content on the same page depending on which Joomla user groups a user is assigned to. Is this possible with vanilla Joomla ACL, or am I going to have to find a content management extension that can add the ability to do this?
You should be able to do that with the Vanilla ACL. IIRC you can set up various groups with access to different tutorials/pages/things - then you can make a member a part of multiple groups - thus giving them access to those things as needed.
If unable to do something like that - then I think George Wilson's comment would suffice for a while and you could implement some if/then/else type statements into the code of the article which would work.
Your best bet however is to try the ACL solution first and foremost as that allows you to keep things generally easier to manage from a backend perspective.
I have an old .net application which also contains a vBulletin forum in php.
I have created a custom handler to protect access to some files (*.doc etc) for non-authenticated users in .net app. The main problem is that now, all vbulletin users can no longer access these files.
Is there any setting I can do in order to make those files accessible for these php users? Because, all the requests are going through my custom handler...
There are a few options that you can go with here.
If you can set a cookie for the users, regardless of PHP or .NET, then you could modify your handler to serve content based on the existence of the cookie, or similar. (You could use encrypted user value or other item if you need more than just a "yes/no".)
You could move the two applications into two different silos/virtual directories. Public docs in one location for PHPBB and another for the .NET application.
You could modify your handler to only handle certain folders/sub-folder within the structure which might allow you to get around.
For this specific case I've done a custom solution:
I've checked in the handler if the request comes from a php url and if this url contains my host, so I know it comes from the forum hosted on our site.
For my Social Networking Site, I would like to build a facebook, or twitter similar URL rewriting naming convention.
Using Twitter as an example, they have pages labeled twitter.com/about and another page labeled twitter.com/{$username}
However, how do you differentiate between, say, a user who has registered on our site as "about" then? From this we are going to have a server conflict between the user "about" and the page about.
What is the best way to handle this?
Usually, you'll see this implemented so that conflicts are not possible. For instance, you could camp all users inside a virtual /users directory, or a subdomain: mysite.com/users/msilvis, or users.mysite.com/msilvis.
I would not recommend that you make all users accessible via the root directory of your site, because this could potentially restrain you from adding pages. For instance, suppose you do not have yet an "about" page, but a user registers and calls itself "about"; you're screwed.
If you still choose to do so, before registration, try an HTTP request to your website to the page the user would have. If you don't get a 404, then something already has that name.
What our final decision came down to, was upon requesting a page on our server mysite.com/user, it first checked to see if that was a page, if it IS NOT a page, it assumes that it is a user, in which case it checks to see if that user is an object, if it is not then it gets passed to our 404 page.
So on top of this, we are going to use the HTTP request like you mentioned earlier, and then if somehow user "about" still signs up which we now have a page for, essentially sucks to be him because he is not going to see his page.
I would restrict the ability for someone to create a username that would conflict with existing urls.
If you're still in the early stages of development, you could look at the Kohana PHP framework. Its routing features solve the problem highlighted by zneak and dd; you would simply define in your routes that http://yoursite.com/about would point to a particular controller/action. I presume you're using the MVC design pattern considering you want a twitter-like url structure.
Hope that helps!
EDIT: I forgot to mention that this doesn't stop people from signing up as about, it would just prevent the rest of the world from being linked to that person's page. In order to prevent them you'd need to employ some kind of validation against your core pages, aka about, contact etc.
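The answers in this thread describe two checks: validating usernames against the site's own pages at sign-up, and resolving a request as a page first and a user second. The sketch below is an added example, not code from any of the posters; the function names, the page list and the sample accounts are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: top-level pages the site itself serves (hypothetical list).
const SITE_PAGES = ['about', 'contact', 'login', 'register', 'users'];

// One canonical form shared by registration and routing, so they cannot disagree.
function canonical_slug(string $name): string
{
    return strtolower(trim($name));
}

// Registration-time check: returns a rejection reason, or null if the name is usable.
function username_error(string $name, array $pages, array $users): ?string
{
    $slug = canonical_slug($name);
    if (!preg_match('/^[a-z0-9_]{3,20}$/', $slug)) {
        return 'invalid characters or length';
    }
    if (in_array($slug, $pages, true)) {
        return 'reserved: collides with a site page';
    }
    return in_array($slug, $users, true) ? 'already taken' : null;
}

// Request-time resolution: a page wins, then a user, otherwise 404.
function resolve(string $path, array $pages, array $users): array
{
    $slug = canonical_slug(trim($path, '/'));
    if (in_array($slug, $pages, true)) {
        return ['page', $slug];
    }
    return in_array($slug, $users, true) ? ['user', $slug] : ['404', $slug];
}

// Audit to run whenever a page is added: existing accounts the new page now shadows.
function shadowed_users(array $pages, array $users): array
{
    return array_values(array_intersect(array_map('canonical_slug', $users), $pages));
}

$users = ['msilvis', 'pricing']; // constructed accounts; 'pricing' predates the new page
foreach (['About', 'msilvis', 'new_user', 'a/b'] as $candidate) {
    printf("%-9s => %s\n", $candidate, username_error($candidate, SITE_PAGES, $users) ?? 'ok');
}
foreach (['/about', '/msilvis', '/nobody'] as $path) {
    echo $path, ' => ', implode(':', resolve($path, SITE_PAGES, $users)), "\n";
}
$pagesAfterLaunch = array_merge(SITE_PAGES, ['pricing']);
echo 'shadowed: ', implode(',', shadowed_users($pagesAfterLaunch, $users)), "\n";
```

The audit step covers the case raised in the thread where a page is created after a user already holds that name: the router will silently serve the page, so the affected accounts need to be found and renamed or moved.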
I've read a bunch of different things, none of which seem to be my situation. I have a site which uses a phpbb forum, and we also have multiple wordpress blogs which can use the database of phpbb via a plugin named wp-phpbb (can't post another hyperlink, but it's at simplicitypoint dot com). It works great for something that is on the same domain, like http://www.domaina.com/blog can access a blog at /forum on the same domain. Recently (we are building a blog community) a new blog joined us that had his own domain name. I can get the plugin to install, and see the forum ucp.php and config.php as they are in the same virtual directory, but phpbb will not redirect the login back to the server. If anyone can help me I would be SO grateful.
I have a basic understanding of programming and am very good with computers (I work in IT) so hopefully I can help any follow up questions you may have. I also have a completely separate testing area to try things out in first.
Thanks in advance!
Usually you can only do those things across one domain. The problem is probably the cookie for remembering the login is trying to be sent across two domains, which the browser won't allow (following the cookie RFC). If that's not the problem, I would try a different wordpress plugin like http://wordpress.org/extend/plugins/phpbbauth/