I have a website that serves two parties, buyer and sellers. So once i have authenicated the type of user i load the respective module. See logic below:
If $loggedinusertype = Buyer;
include(/buyer_module.php);
else
include(/seller_module.php);
Now the way i store these modules is just the way i would store a contact.php file. These modules can be accessed if i go to domain.com/seller_module.php. Now, i want to know how to store these modules in such a way that nobody could access it directly and can only be used in the include component. I have 200 of these modules....
You could store them in an area outside of your normal web directory.
Say your web directory is /home/yoursite/www
You could put your include files in /home/yoursite/some-other-directory and no one would be able to access them from your site directly.
I have two suggestions on how you could do this.
Just store all of the modules outside of the web root so there is no way they can be accessed from the browser.
If the above is not feasible, define a constant in your main application or in the script that includes the individual modules. In the individual modules, check to see if the constant has been defined. If it has not, then you can assume someone is trying to access it in the browser, if it is, then the file was included by your script.
Example of 2:
index.php
<?php
define('SOME_CONSTANT', 1);
// ...
include 'buyer_module.php';
buyer_module.php and all other modules you don't want called directly
<?php
if (!defined('SOME_CONSTANT')) exit;
Related
I have a PHP script that dynamically generates a TSV file based on database content (using something similar to https://stackoverflow.com/a/125125/701867). However, I only want this page to be accessible to certain people.
The rest of the website uses WordPress as it's membership system, so ideally I'd like to tie it in with this.
How would I go about making this script only accessible to specific WordPress users?
If you are not loading this through the wordpress system you need to include wp_load.php at the top of the file. Do this using relative include: <?php include '../../../wp-load.php'; ?>.
When you have done this you can use <?php current_user_can( $capability ); ?> to determine if the current user can access the file.
See https://codex.wordpress.org/Function_Reference/current_user_can.
Remember this can pose a security risk to the Wordpress system. All text input must be filtered as the admin functions can now be called when wp_load.php is included.
Admins/logged-in-users are able to set the current access control when they upload a file. Three types of access are: public, private and logged-in-users:
public: files uploaded can be viewed and accessed by users who are not logged in
private: no one will be able to view the files uploaded except for user and admin
logged-in-users: only logged in users and admins are able to view and access the uploaded file.
Functionality
Files that are uploaded can be viewed and accessed in regards to the access control set by the user.
Hence, when a public user(not logged into account) can view and access the uploaded file which access setting has been set to public, but will not be able to see the files which control access setting has been set to either 'private' or 'logged in user'.
Task
What I would like to do is to change the control access, such that public users (not logged into account), cannot view or access the uploaded file. Hence, even if the user has set the control access setting to public, non-logged in user cannot view and access that uploaded file, therefore, all the public user can see is an empty list.
Therefore, I would like to ask is should I be changing the Elgg framework within the directory /Elgg/views/default/output/access.php to achieve the desired outcome or can I change it within the view of the plugin mod: Elgg/mod/plugin/views/default/object?
Elgg is designed to be plugin-centric, so the proper approach is to create your custom plugin that will override elements you need from core and 3rd party plugins alike. We explain motivation here: http://learn.elgg.org/en/1.12/guides/dont-modify-core.html
What I understand, you wan't to force files to be restricted to logged-in users or more. There is an access level for that already, you just need to enforce it.
We need to change two elements:
file saving displayed edit form to not display unwanted access levels
file saving action to reject unwanted access value
Ad. 1 You could override the view forms/file/uploads and replace call to input/access with custom version that filters unwanted values. It's better than altering input/access view that's used all over the place.
Ad. 2 You can either override whole file/upload action (which is nasty due to copying ton of logic) or just use plugin hook that will do additional control. Here you have the hook that allows you to break action when you detect invalid input value: http://learn.elgg.org/en/1.12/guides/hooks-list.html#action-hooks
As stated by Paweł Sroka, it is highly unadvisable to modify the main Elgg core framework. Hence, the proper approach is to either create a plugin or to modify the existing plugin.
Hence, as mentioned in the question, the main task is to prevent any non-login user from having the access to view and access the listed items. Therefore, what I have done is to implement 'gatekeeper()'
gatekeeper() -> function to allow user to manage how code gets executed by applying access control rules. Furthermore, when applied, it will forward non-login user to front page thus protecting the content of the restricted page from being viewed.
Finally, 'gatekeeper()' is implemented within the following directory prior to my question: elgg/mod/plugin/pages/plugin/all.php
I am working on a project right now which requires a user to register and Sign up on some different domain and view its pages on other domain. to make you understand the scenario
The user will login,register and access his profile on domain1.com while will veiw other pages on domain2.com which will be accessible once logged in through domain1.com. I had build this whole project under same codeigniter project and need to know if I can keep the folder as it is and add rules per page so that some pages are only viewable through domain1.com and other only through domain2.com ?
Any help will be appreciated
I have done the same thing some time back, not sure if this is good approach -
modify index.php to include some globals like - SITENAME based on $_SERVER["SERVER_NAME"].
Have a BaseController and let all other controllers extend from this one.
In BaseController -> index() do the required validation, may be set some globals for models and views.
It is better to separate the views, for this use a wrapper or a common view generator file which will get the view files from specific views folders.
Use the globals specified in
BaseController to fetch domain specific data from Database.
However, the way to go would be to have different setup for all the different domains. That way you have a lot of flexibility in modifying the code later on. Otherwise with the approach discussed above - you might end up with a lot of if-else conditions.
So here is my situation:
I got a plugin directory that all needs the same functions. So i wrote a general.php with the common functions that is used by every plugin. Now i could let the developer of the plugin include my general.php file but this could be very annoying for him/her since its very nested so when a developer wants to include it he/she gets this: include '../../../../../../../lib/general.php' So what i did is let the plugin loader include the general file beforehand so that the developer wont need to access the general file every time it has a new file. Now this works and all until the developer does a form and needs to get POST data.
But i can't access the POST data inside the include, is there a way to access the POST data from the include file?
The loading kinda goes like this:
include '../lib/general.php';
include Plugin::GetPluginViewPath;
i can't access the POST data inside the include,
You can.
is there a way to access the POST data from the include file?
Yes. Just access it.
As long as $_POST array is populated and not unset by some code, it is perfectly accessible everywhere.
Of course you should include PHP files, not HTTP resources, though
I have a web app that lets users store files which contain sensitive information.
So far I've written code so that if they which to view their files, they go through view.php?id=xx and a check is done through a database to confirm that they are allowed to look at said file. As an example, John uploads "information.pdf" to the folder "uploads" which is found at "www.mysite.com/uploads", so the file's exact path would be "http://www.mysite.com/uploads/information.pdf", and in the database this same file has an id of , say, 2, so he would get to it via view.php?id=2.
Question
How do I stop anyone from just going to the exact path and looking at his sensitive file?
What I've done
Written the code to only allow access to files if users go through my website, not directly.
I have looked at the recommended questions for the same title, however have had no luck.
Any help would be greatly appreciated.
Don't put it in a publicly accessible path like http://www.mysite.com/uploads/. Put it outside htdocs and only allow access through your view.php
If you want to give download facility to the owner just create adownload.php that checks permission same way as view.php but instead of viewing it lets the user to download.