How to integrate Yii with Wordpress / Digital Access Pass - php

I'm building a small web app to sit within an existing Wordpress membership site.
At the moment, all of the content is protected using Digital Access Pass, which handles user authentication and content protection.
I'm thinking of using Yii for this, and installing it into a subdirectory of the Wordpress site.
My plan is to have this layout:
www.site.com (wordpress blog)
www.site.com/members (content protected with the Digital Access Pass membership solution, set up in Wordpress)
www.site.com/members/app (yii folder - protected by DAP, but not set up in Wordpress)
I don't want to do a full integration, as I'm using a lot of Ajax and that doesn't look like it will work too well from the examples I've seen.
What I'd like is to use DAP to protect the pages and handle authentication, and also to pass the logged-in userid to Yii so I can use it as a key to store user preferences, user data, etc.
The way DAP works is that you just insert the following code into any page you want to protect, and then you can access a User object that contains the info I need.
<?php
include_once "../dap/dap-config.php";
$user = null;
if( !Dap_Session::isLoggedIn() ) {
    //send viewer to login page
    header("Location:".SITE_URL_DAP.Dap_Config::get("LOGIN_URL"));
    exit;
}
else if( Dap_Session::isLoggedIn() ) {
    //get userid
    $session = Dap_Session::getSession();
    $user = $session->getUser();
    $user = Dap_User::loadUserById($user->getId()); //reload User object
    if(!isset($user)) {
        //send viewer to login page
        header("Location:".SITE_URL_DAP.Dap_Config::get("LOGIN_URL"));
        exit;
    } else {
        $userProducts = Dap_UsersProducts::loadProducts($user->getId());
    }
}
?>
How do I go about implementing this in Yii?

I'd start by taking a look at Yii Filters
You should be able to put your code in the filter and then have it run (much like the built-in Access Control Filter)
And then, if you're going to build your app truly Yii-like, you might want to work on wrapping the DapUser in a CUserIdentity class and making it work well with the CWebUser object. It would take a bit of work, but then you'd truly have easy access to the user info in all Yii objects.
Good luck!
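One way to do what the answer describes, as an added example that is not code from the question, the answer, Yii or DAP: a Yii 1.x CFilter that runs the DAP check from the question and logs the DAP user into Yii's CWebUser through a CUserIdentity. It assumes the Dap_* calls behave as the question's snippet shows, and the include path for dap-config.php is a guess to adjust.

```php
<?php
// Added example (not from the question or the answer): a Yii 1.x filter that runs
// the DAP session check from the question and hands the DAP user id to CWebUser
// through a CUserIdentity. Assumed: dap-config.php is reachable at the path below;
// the Dap_* classes behave exactly as the question's snippet shows.
include_once dirname(__FILE__) . '/../../dap/dap-config.php'; // assumed location

class DapUserIdentity extends CUserIdentity
{
    public function __construct($dapUser)
    {
        // DAP already authenticated the session; the DAP id doubles as the Yii username/id.
        parent::__construct((string) $dapUser->getId(), '');
    }
    public function authenticate()
    {
        $this->errorCode = self::ERROR_NONE;
        return true;
    }
}

class DapAccessFilter extends CFilter
{
    // Register in a controller: public function filters() { return array(array('DapAccessFilter')); }
    protected function preFilter($filterChain)
    {
        if (!Dap_Session::isLoggedIn()) {
            return $this->sendToLogin();
        }
        $dapUser = Dap_User::loadUserById(Dap_Session::getSession()->getUser()->getId());
        if (!isset($dapUser)) {
            return $this->sendToLogin();
        }
        // Log the Yii side in once per session, and again if DAP now reports another user.
        if (Yii::app()->user->isGuest || Yii::app()->user->id != $dapUser->getId()) {
            $identity = new DapUserIdentity($dapUser);
            $identity->authenticate();
            Yii::app()->user->login($identity); // session only, no remember-me cookie
        }
        return true; // continue to the action
    }
    private function sendToLogin()
    {
        Yii::app()->request->redirect(SITE_URL_DAP . Dap_Config::get('LOGIN_URL'));
        return false; // redirect() terminates the request; this keeps the filter contract
    }
}
```

After this, Yii::app()->user->id holds the DAP user id in every controller, view and component, so it can be used as the key for the app's own preference and data tables.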

Related

Google Analytics and Yii2 pages requiring login

I am designing a website using the Yii2 framework and want to include a Google Analytics tracking code. I guess the best place to include it, such that it gets generated in all the pages, is the main.php layout file.
My concern is what will happen if it gets generated in a page that requires a user to log in and may contain data confidential to them. Does it matter, since it is not search indexing, or is there any other check for authorized pages that I should do before generating the script? How?
Regards,
Shahid
If that is the case, you just need to check in your layout (maybe main.php in your case) whether the user is authenticated or not, using this.
if you are setting username for login
$privateUrl = ['user/create', 'user/view'];
$currentUrl = Yii::$app->controller->id . '/' . Yii::$app->controller->action->id;
if (in_array($currentUrl, $privateUrl)) {
    // identity is null for guests, so test isGuest before reading username
    if (!Yii::$app->user->isGuest && Yii::$app->user->identity->username) {
        // GA for authenticated users only
    }
} else {
    // GA for guest
}
We can have one or more controllers to process and show all protected pages and have the following code in main.php.
<?php
$gaBlackList = ['protected'];
if (!in_array(Yii::$app->controller->id, $gaBlackList)) {
    include_once('/config/tracking.php');
}
?>

MODx - If not logged in, redirect to a different page

I am in the process of building a website (via MODx), and I don't want "non-logged in" users to be able to see the home page, but instead be redirected to an "under construction" page.
In my snippet, this is what I have so far:
<?php
if (! $modx->user->hasSessionContext($modx->context->get('key')) ) {
    $modx->sendRedirect('https://google.com');
} else {
    return '';
}
Sadly, this appears to not do anything, regardless of whether or not the user is logged in. (It appears to be a problem with the second line; the actual redirect worked fine when I tested it.)
I am unable to figure out what is wrong, and any help is greatly appreciated!
The snippet that is in the page is [[!notloggedin]]
These are right out of Bob's guides, but basically what you want to do is check to see if the user has an ID or username, if not, they are not logged in.
You probably want to do a bit of digging and see if you can implement your redirect in a plugin rather than a snippet possibly an onRequest event - so you are not rendering the page/resource before you discover that the user needs to be redirected.
There are various methods. One easy method is to use this code:
if ($modx->user->get('username') == '(anonymous)') {
    /* user is not logged in */
}
Here is the official method for seeing if the user is logged in to the current context:
if ($modx->user->hasSessionContext($modx->context->get('key'))) {
    /* user is logged in */
}
If you know the name of the current context (e.g., web), you can use this method. The name of the context is required:
if ($modx->user->isAuthenticated('web')) {
    /* user is logged in to web context */
}
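The plugin approach the answer recommends, as an added example that is not code from the question, the answer or MODX: a MODX Revolution plugin that redirects anonymous visitors before the resource is output. It assumes the plugin is attached to the OnLoadWebDocument event (chosen here because the resource is loaded but not yet rendered) and that the "under construction" page is resource ID 2 (a placeholder).

```php
<?php
// Added example (not from the thread): a MODX Revolution plugin that redirects
// anonymous visitors before the resource is rendered. Assumed: the plugin is attached
// to the OnLoadWebDocument system event (resource loaded, output not yet produced),
// and the "under construction" page is resource ID 2 (placeholder; adjust to yours).
$underConstructionId = 2;                      // placeholder resource ID
$contextKey = $modx->context->get('key');

if ($modx->event->name !== 'OnLoadWebDocument') {
    return;                                    // only act on the event we were attached to
}
if ($contextKey === 'mgr') {
    return;                                    // never lock managers out of the back end
}
if ($modx->user->hasSessionContext($contextKey)) {
    return;                                    // logged in to this context: let the request through
}
// Allow the under-construction page itself, or the redirect would loop forever.
if ((int) $modx->resource->get('id') === $underConstructionId) {
    return;
}
$modx->sendRedirect($modx->makeUrl($underConstructionId, $contextKey, '', 'full'));
```

Because the check runs in a plugin rather than in a snippet on the home page, it applies to every resource in the context, not only to the ones that happen to contain the snippet call.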
If your site is simply not yet ready to be publicly available, MODX already allows for this.
See the following System Settings:
site_status
site_unavailable_message
site_unavailable_page
Alternatively, just set all your resources to 'unpublished', except for your custom error page. Logged in users will still be able to view all resources.

Facebook OpenGraph with Yii Framework - Authentication Issue

I am having an issue with the php Facebook sdk.
I have read many posts talking about the same kind of issues (Access token invalid, redirect loop etc...) but none could help.
Briefly, how my project is designed:
It is a Facebook application that is meant to run only with a user logged in Facebook.
Using the Yii Framework, I have created a Filter that is called every time a page is loaded, to ensure that the content is visible only by Facebook logged on users.
It should behave exactly like the application BranchOut on Facebook.
My issue, and how to reproduce it:
I logon to my application using the typical login process from Facebook (OAuth, access token)
I logout manually on the Facebook page, and then try to do a new action on my application
The filter checks if I am logged on Facebook, and because I am not, it redirects me to the Facebook login page.
After I login to Facebook again, I get the typical infinite loop between Facebook and my application's filter.
Here is the code of my filter:
$fb_logged = false;
try
{
    $user = Yii::app()->facebook->getUser();
    $me = Yii::app()->facebook->api('/me');
    $fb_id = $me['id'];
    $fb_logged = true;
}
catch (Exception $e)
{
    $fb_logged = false;
}
if($fb_logged)
{
    print_r($fb_id. ' has logged');
    /* Check if user exists on MyApp
    ... */
}
// If user NOT logged on FB, send him to the FB login page
else
{
    $loginUrl = Yii::app()->facebook->getLoginUrl(array(
        'redirect_uri' => Yii::app()->getRequest()->getUrl() // I have tried many things here.
    ));
    echo("<script> top.location.href='" . $loginUrl . "'</script>");
    Yii::app()->end();
}
What is exactly happening is that after login on FB, the Filter is called again, because a request to the same URL is made. And at that point, the call to api('/me') generates an exception, because it cannot find any valid access token, and it starts looping on it.
I can add that my configuration is good (or seems to be), I have checked all my urls, domain name according to Facebook's app settings.
I have also tried many things like redirecting to a new specific URL, but anyway I need to use the filter as well because I want to make sure this is still the same user (or act consequently if the user has changed).
The only thing that works is to redirect the user to a page that has no Filter (no call to api("/me") is done). And then, clicking by hand to a new link in the application, and there the access token is found. And this is not the behavior I want.
I really hope someone can help me!
Thanks in advance.
After your new login attempt, you should get a new code in the URL that is redirected to. So look for that code parameter, and if it's there, exchange it for a new access token.
Take a look at the yiiauth extension as well. It was posted just today, and with it you can log in with 29 different providers: Facebook, OpenID, Google, Twitter, Yahoo etc.
It uses the HybridAuth library and AFAICT it makes authentication very easy.

PHP how to restrict folder and website content to different users?

I've been googling for days now and have come across different ways to secure folders (htaccess, using a PHP page with a password) but these don't tackle my issue.
The problem:
I need to have a site where different clients can access ONLY THEIR content. Client-A needs to be able to access all their Flash content and websites. Client-B and Client-C need to do the same, but none of them can access each other's content (even by directly linking to it). A username/password system won't work because each client has 400-1000 users and neither I nor the client has time to manage all these users.
I looked into htaccess and htpasswd but I prefer not to use any username/password combos. Ideally, I'd like a "secret word" or "passphrase" I could pass from an iPad app or Air program to the server to get the content I need. Anyone have some ideas on the best way to handle this?
EDIT: To simplify things... I want to have HTML sites and Flash swf's above my web root and be able to display them to users. How can I make this happen? I have HTML sites that use relative links so using php's readfile() causes these sites to break since those links aren't correct.
What RDBMS are you using ?
With mod_authn_dbd and basic authentication you would be able to do so.
Something like this,
AuthType Basic
AuthName "My Server"
AuthBasicProvider dbd
# core authorization configuration
Require valid-user
# mod_authn_dbd SQL query to authenticate a user
AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
If you have control over the software which sends the requests, you could add your own X-header to every request which identifies the user.
With apache_request_headers() you can get your own request header from the request:
http://www.php.net/manual/en/function.apache-request-headers.php
==============
Edit after first comment:
Some code for example:
globals.php
<?php
$headers = apache_request_headers();
// guard the lookup: the header is simply absent on an unauthenticated request
$key = isset($headers["X-Authorization-Key"]) ? $headers["X-Authorization-Key"] : '';
$authorized = checkAuthorization($key);
if(!$authorized) {
    header('HTTP/1.1 403 Forbidden');
    echo "Access denied!";
    exit;
}
//... db connection or something else to get user specific definitions, paths, ...
//e.g.:
$user = $users[$key];
define("CONTENT_PATH", "/var/www/mypage/data/".$user);

function checkAuthorization($key) {
    //... db connection or something else where the authorization-information are stored in
    //check whether the $key is in the auth-info and return true / false for the result
    return true; //or false
}
in every script on top:
<?php
require_once("globals.php");
//... work with the user specific definitions, paths
include(CONTENT_PATH."/...");
//...
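Putting the X-header idea together with the asker's EDIT (HTML sites and SWFs above the web root, with relative links that break under a plain readfile()), as an added example that is not the answer's code: a single front controller that resolves each client's key to its folder, refuses any requested path that escapes that folder, and serves the file with a content type. It assumes PHP 5.6+ for hash_equals(), the data layout and .htaccess rule named in the comments, and the constructed sample keys shown.

```php
<?php
// Added example (not the answer's code): one front controller, serve.php, that serves a
// client's files from above the web root after checking the X-Authorization-Key header,
// and refuses any path that escapes that client's folder. Assumed: PHP 5.6+ (hash_equals),
// content under /var/www/mypage/data/<client>/, keys in $clientsByKey (constructed sample),
// and an .htaccess rule like  RewriteRule ^content/(.*)$ serve.php?path=$1 [L,QSA]
// so the relative links inside the HTML resolve back to this script.
$clientsByKey = array(                  // constructed sample; in practice load from your DB
    'PLACEHOLDER-KEY-FOR-CLIENT-A' => 'client-a',
    'PLACEHOLDER-KEY-FOR-CLIENT-B' => 'client-b',
);
$dataRoot = '/var/www/mypage/data';
function clientForKey(array $clientsByKey, $presentedKey)
{
    foreach ($clientsByKey as $key => $client) {
        if (hash_equals($key, $presentedKey)) {   // constant-time comparison
            return $client;
        }
    }
    return null;
}
// Map the requested relative path onto the client's directory; null if it escapes it.
function resolveClientFile($dataRoot, $client, $requested)
{
    $base = realpath($dataRoot . '/' . $client);
    $target = $base === false ? false : realpath($base . '/' . $requested);
    // realpath() collapses "../" and symlinks, so a prefix check on the result is reliable
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($target)) {
        return null;
    }
    return $target;
}
$headers = apache_request_headers();
$client = isset($headers['X-Authorization-Key'])
    ? clientForKey($clientsByKey, (string) $headers['X-Authorization-Key']) : null;
if ($client === null) {
    header('HTTP/1.1 403 Forbidden');
    exit('Access denied!');
}
$requested = (isset($_GET['path']) && $_GET['path'] !== '') ? $_GET['path'] : 'index.html';
$file = resolveClientFile($dataRoot, $client, $requested);
if ($file === null) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
$types = array('html' => 'text/html', 'swf' => 'application/x-shockwave-flash',
               'css' => 'text/css', 'js' => 'application/javascript');
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
header('Content-Type: ' . (isset($types[$ext]) ? $types[$ext] : 'application/octet-stream'));
readfile($file);
```

A request for content/../../client-b/index.html resolves to a path outside client-a's base and gets a 404, while content/pages/about.html from inside one of client-a's HTML pages is served from client-a's folder.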
What you do is, when the user creates their login account, they have the option to select what group they are using. Then when page info is displayed, it displays the normal page, but with the permissions name included in it. You would have to build 3 separate content pages, but they would only see the content of their chosen group.
homegroup1.php
homegroup2.php
homegroup3.php
if the user is in group one, the direct would be home"group".php for the display. It would call for the group on the site they go to.

how can I restrict user access on specific pages? (Drupal, php, FileMaker Pro 10)

I am working on a website which already has user access set up so that only members who are logged in can see certain pages. Now I need to go in and make the access for logged-in users more specific. So, anyone who logs in can see the site, but there are 2 pages (called PDQ and Comm Plus) that should only be accessed by users that have PDQ or Comm Plus access. I use a FileMaker 10 database to keep track of user information. If the user has PDQ access, then PDQ=1 in the database. The website is coded in Drupal, PHP, and HTML.
So right now I have a good idea of what to do, but there are some pieces missing and I'm not very familiar with Drupal or FileMaker. I need for the page to get the user information and see what the value of PDQ is in the database. If 1, then grant access to the page, and if 0, go to the access denied page.
Here is what I have so far
<?php require_once('DatabaseName');
global $user;
//looks at the current user
$use = $user->uid;
//Not sure what goes here. I need code that looks at the filemaker database to see
//what the value of PDQ is and then stores it in a variable.
if (!session_id()) session_start();
if (!isset($variableGoesHere) || $variableGoesHere == '0'){
    drupal_goto("access-denied");
    exit();
}
?>
Any help would be greatly appreciated. Also, let me know if I'm on the right track or if I need to be looking somewhere else. Thanks!
First of all, using Drupal and not using the Drupal system to store info is a bad idea. If you use Drupal, you can use an external source to do the login, but your users should have a drupal user.
When your users are Drupal users things get a lot easier. You can use the Drupal access control system to check access etc.
If Drupal is serving the page, you should never write code like you have shown. hook_menu, which is how you register paths, has an access callback option where you can handle your access, or you can just check if the user has a permission. This stuff only applies if you are doing the stuff in a custom module, which is what it seems like you are doing.
In any regard you should use the drupal_access_denied function if you want to return access denied yourself.
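The hook_menu access callback the answer points to, as an added example that is not the answer's or Drupal's own code: a small Drupal 7 module (hypothetical name pdqaccess) that registers the two restricted paths and decides access in one callback. It assumes the FileMaker lookup has already stored '1' or '0' in $_SESSION['PDQ'] and $_SESSION['CommPlus'] at login time.

```php
<?php
// Added example (not the answer's own code): a Drupal 7 module, "pdqaccess"
// (hypothetical name), that registers the two restricted paths with an access
// callback instead of checking $_SESSION at the top of each page. Assumed: the
// FileMaker lookup from the question has already stored '1' or '0' in
// $_SESSION['PDQ'] and $_SESSION['CommPlus'] when the user logged in.

function pdqaccess_menu() {
  $items = array();
  $items['pdq'] = array(
    'title' => 'PDQ',
    'page callback' => 'pdqaccess_page',
    'page arguments' => array('PDQ'),
    'access callback' => 'pdqaccess_has_subscription',
    'access arguments' => array('PDQ'),
    'type' => MENU_CALLBACK,
  );
  $items['comm-plus'] = array(
    'title' => 'Comm Plus',
    'page callback' => 'pdqaccess_page',
    'page arguments' => array('CommPlus'),
    'access callback' => 'pdqaccess_has_subscription',
    'access arguments' => array('CommPlus'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: only logged-in users whose session carries the flag may pass.
 * Returning FALSE makes Drupal itself render the access-denied page (no
 * drupal_goto() needed), and the page callback never runs for them.
 */
function pdqaccess_has_subscription($product) {
  if (!user_is_logged_in()) {
    return FALSE;
  }
  return isset($_SESSION[$product]) && $_SESSION[$product] === '1';
}

function pdqaccess_page($product) {
  return t('Welcome to the @product area.', array('@product' => $product));
}
```

Keeping the decision in the access callback means menu links to these paths are also hidden from users who fail the check, which a per-page redirect cannot do.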
I figured this out a long time ago, but I never got around to answering the question. So here's what I did.
$WebAuth_find = $FILMAKER->newFindCommand('WebAccess');
$Search_findCriterions = array(
    'Access::cntdPhoneNumberDisplayCalc' => "==" . $find,
    'Access::phoneType' => "E-mail",
    'Access::phoneMain' => "==1",
    'LoginAccess' => '1'
);
foreach ($Search_findCriterions as $key => $value) {
    $WebAuth_find->AddFindCriterion($key, $value);
}
$WebAuth_Result = $WebAuth_find->execute();
if (FileMaker::isError($WebAuth_Result) && $WebAuth_Result->code == 401) {
    echo "FM ERROR CODE: " . $WebAuth_Result->code . "<br>" . "ERROR: " . $WebAuth_Result->getMessage();
}
This identifies the current user in the Filemaker database under the WebAccess layout. It throws an error message if there is a problem. Now that I am looking at the current user I have it look to see what is in the Comm Plus and PDQ fields in the database, and create a session to hold the information.
else {
    $FinalResult = current($WebAuth_Result->getRecords());
    $_SESSION['district'] = $district;
    $PDQ = $FinalResult->getField('PDQ_subscription');
    $_SESSION['PDQ'] = $PDQ;
    $CommPlus = $FinalResult->getField('CommPlus_subscription');
    $_SESSION['CommPlus'] = $CommPlus;
}
Then I just add the following code to the top of whatever page I want to restrict access to. It looks at the session to see if the current user has credentials if not they are directed to the access denied page.
$PDQ_check = $_SESSION['PDQ'];
if (!isset($PDQ_check) || $PDQ_check == '' || $PDQ_check == '0'){
    drupal_goto("access-denied");
    exit();
}
