Admins/logged-in-users are able to set the current access control when they upload a file. Three types of access are: public, private and logged-in-users:
public: files uploaded can be viewed and accessed by users who are not logged in
private: no one will be able to view the files uploaded except for user and admin
logged-in-users: only logged in users and admins are able to view and access the uploaded file.
Functionality
Files that are uploaded can be viewed and accessed in regards to the access control set by the user.
Hence, when a public user(not logged into account) can view and access the uploaded file which access setting has been set to public, but will not be able to see the files which control access setting has been set to either 'private' or 'logged in user'.
Task
What I would like to do is to change the control access, such that public users (not logged into account), cannot view or access the uploaded file. Hence, even if the user has set the control access setting to public, non-logged in user cannot view and access that uploaded file, therefore, all the public user can see is an empty list.
Therefore, I would like to ask is should I be changing the Elgg framework within the directory /Elgg/views/default/output/access.php to achieve the desired outcome or can I change it within the view of the plugin mod: Elgg/mod/plugin/views/default/object?
Elgg is designed to be plugin-centric, so the proper approach is to create your custom plugin that will override elements you need from core and 3rd party plugins alike. We explain motivation here: http://learn.elgg.org/en/1.12/guides/dont-modify-core.html
What I understand, you wan't to force files to be restricted to logged-in users or more. There is an access level for that already, you just need to enforce it.
We need to change two elements:
file saving displayed edit form to not display unwanted access levels
file saving action to reject unwanted access value
Ad. 1 You could override the view forms/file/uploads and replace call to input/access with custom version that filters unwanted values. It's better than altering input/access view that's used all over the place.
Ad. 2 You can either override whole file/upload action (which is nasty due to copying ton of logic) or just use plugin hook that will do additional control. Here you have the hook that allows you to break action when you detect invalid input value: http://learn.elgg.org/en/1.12/guides/hooks-list.html#action-hooks
As stated by Paweł Sroka, it is highly unadvisable to modify the main Elgg core framework. Hence, the proper approach is to either create a plugin or to modify the existing plugin.
Hence, as mentioned in the question, the main task is to prevent any non-login user from having the access to view and access the listed items. Therefore, what I have done is to implement 'gatekeeper()'
gatekeeper() -> function to allow user to manage how code gets executed by applying access control rules. Furthermore, when applied, it will forward non-login user to front page thus protecting the content of the restricted page from being viewed.
Finally, 'gatekeeper()' is implemented within the following directory prior to my question: elgg/mod/plugin/pages/plugin/all.php
Related
WHMCS has a feature for providing downloads to clients. The feature can be found in their admin area at /admin/supportdownloads.php
Is there any action hook for when files are uploaded via the admin area? The only related hook I can find is for when files are downloaded.
What I want do to is add a hook so any file I upload is added to the list of Associated Downloads for each of my products. With all the hook options they have, I'm surprised I can't find one for this...
While I have not done exactly what you are trying to do, I can tell you that anything you put in the /includes/hooks folder gets executed, regardless of whether it is actually hooked into a specific point. This is incredibly useful for those moments where there aren't any hook points available (or they are documented as being present but not on certain page renders).
So in a php file in the /includes/hooks folder, I start by echoing out the globals variable. WHMCS stores a lot of information in the globals variable that easily permits you to deduce which page you are on. For example, in one of my hooks, I have a function that determines what the file name is that I am on simply by calling up get_filename(); That function checks the request URI and finds the php file being called. If the filename is one I'm looking for (for example 'dologin') I can isolate the code being executed. You continue to isolate based on the page you are looking for (for example, if each request has a certain variable, or requires being logged in you look for those variables).
Once you are sure you have to be on the page in order for the code to fire, then you can write your PHP to grab the form posted data and store it how you like in a secondary table. The only catch is if the form must first be stored into the database, so you need a unique identifier, but that can be gotten around also.
Hope that is of help...
I am working on a project right now which requires a user to register and Sign up on some different domain and view its pages on other domain. to make you understand the scenario
The user will login,register and access his profile on domain1.com while will veiw other pages on domain2.com which will be accessible once logged in through domain1.com. I had build this whole project under same codeigniter project and need to know if I can keep the folder as it is and add rules per page so that some pages are only viewable through domain1.com and other only through domain2.com ?
Any help will be appreciated
I have done the same thing some time back, not sure if this is good approach -
modify index.php to include some globals like - SITENAME based on $_SERVER["SERVER_NAME"].
Have a BaseController and let all other controllers extend from this one.
In BaseController -> index() do the required validation, may be set some globals for models and views.
It is better to separate the views, for this use a wrapper or a common view generator file which will get the view files from specific views folders.
Use the globals specified in
BaseController to fetch domain specific data from Database.
However, the way to go would be to have different setup for all the different domains. That way you have a lot of flexibility in modifying the code later on. Otherwise with the approach discussed above - you might end up with a lot of if-else conditions.
I have a file structure like
example.com/mywordpress/ --contains WordPress
example.com/custompreview.php --preview getter outside wordpress
I am using wp-load.php to load wordpres and using its contents. I am able to recive published posts with no problem, I even know how to make query for previews but when preview get parameters comes to the script outside the wordpress folder (custompreview.php) obviously the wp-load.php calls exit and shows only access error message.
Example is worth thousand words:
example.com/custompreview.php?preview=true&preview_id=64&preview_nonce=1f2477c5d2&post_format=standard
Shows only message "You do not have permission to preview drafts"
What is causing this? What is the wp-load.php checking for? How to fix this? :)
If you are getting this while logged in -
the session cookie may be limited to the /mywordpress folder.
Unless explicitly specified, the cookie will be valid in the subdirectory it was set in (and all children).
I'm not sure whether it is possible to change WP's session cookie behaviour, but it may help to put the PHP file inside /mywordpress.
I have a website that serves two parties, buyer and sellers. So once i have authenicated the type of user i load the respective module. See logic below:
If $loggedinusertype = Buyer;
include(/buyer_module.php);
else
include(/seller_module.php);
Now the way i store these modules is just the way i would store a contact.php file. These modules can be accessed if i go to domain.com/seller_module.php. Now, i want to know how to store these modules in such a way that nobody could access it directly and can only be used in the include component. I have 200 of these modules....
You could store them in an area outside of your normal web directory.
Say your web directory is /home/yoursite/www
You could put your include files in /home/yoursite/some-other-directory and no one would be able to access them from your site directly.
I have two suggestions on how you could do this.
Just store all of the modules outside of the web root so there is no way they can be accessed from the browser.
If the above is not feasible, define a constant in your main application or in the script that includes the individual modules. In the individual modules, check to see if the constant has been defined. If it has not, then you can assume someone is trying to access it in the browser, if it is, then the file was included by your script.
Example of 2:
index.php
<?php
define('SOME_CONSTANT', 1);
// ...
include 'buyer_module.php';
buyer_module.php and all other modules you don't want called directly
<?php
if (!defined('SOME_CONSTANT')) exit;
I always try to make code nicer and more maintainable but I'm not sure if I do it right... For example, I'm doing a social network site, so the page domain.com/profile?id=17 would open profile for user id 17. If the user is the currently logged in one, then the profile will be seen as the owner (with edit options, etc) otherwise the page would show a profile for outsiders (no edit options).
How do I do this nicely? I was thinking that after checking if the user id == the user id in $_SESSION, I include one php file (the one with the edit options), otherwise I include the other one. Is this a solution? Is there a better one?
I do the same thing for headers, I have a file 'header.php' that includes the header of all pages (some php but also a logo, etc), however I'm not sure if this is good since a user can go to his browser and type mydomain.com/header.php and then be displayed a header only.
Your solution is one way to do it .another way to do it would e just check the user_id in session and if it is not set then just display another html . Also you would want to access users as their usernames rather than user id.For example instead of user_id.php=17 to username/luqita.If you are using apache as the web server then you could use it's mod_rewite module to generate pretty urls.