User Relationships and User Access Control - php

User Relationships works well to control node access to content per an approved user list.
But the problem I am running into is that I would like to also use the core Profile module, and allow those who are connected via User Relationships to see each other's user profiles. I have spent 2 hours trying to figure out a way to not allow a user to spoof the URL and see any user account (the Access User Profiles permission is currently required to see user profiles).
I thought of a couple solutions to fix this. What I want to do is serve a 403 page if the URL is spoofed and the requesting user has no access.
Here is what I was thinking:
Disable Access User Profile permission
Call hook_menu_alter or hook_menu_link_alter in a custom module
Change access callback to a custom function, check for user relationship
If no relationship exists serve a 403, otherwise return user_view
I wanted to get some thoughts on this, because I want this check to happen on the user profile page. hook_init() seemed too beefy.
Would this be an effective solution? Thoughts? Or is there a module that will allow me to do this quickly?
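The plan in the question (swap the access callback on the user page so the menu system serves a 403 when no relationship exists), written out as an added example for the Drupal 7 API; it is not code from the question or from the User Relationships module. The module name `relprofile`, the helper `relprofile_has_relationship()` and the `{user_relationships}` column names used in the query are assumptions.

```php
<?php
/**
 * Implements hook_menu_alter().
 * Replaces the access callback on user/%user so core's
 * "access user profiles" permission is no longer consulted.
 */
function relprofile_menu_alter(&$items) {
  if (isset($items['user/%user'])) {
    $items['user/%user']['access callback'] = 'relprofile_profile_access';
    $items['user/%user']['access arguments'] = array(1);
  }
}

/**
 * Access callback for user/%user. Returning FALSE makes Drupal serve a
 * 403 on its own; the page callback (user_view) is untouched.
 */
function relprofile_profile_access($account) {
  global $user;
  if (!$account || !$user->uid) {
    return FALSE;                       // anonymous or invalid account
  }
  if ($user->uid == $account->uid || user_access('administer users')) {
    return TRUE;                        // own profile, or site admin
  }
  return relprofile_has_relationship($user->uid, $account->uid);
}

/**
 * Assumed lookup (not the module's own API): TRUE when an approved
 * relationship exists between the two accounts in either direction.
 */
function relprofile_has_relationship($viewer_uid, $viewed_uid) {
  $count = db_query(
    "SELECT COUNT(*) FROM {user_relationships}
     WHERE approved = 1
       AND ((requester_id = :a AND requestee_id = :b)
         OR (requester_id = :b AND requestee_id = :a))",
    array(':a' => $viewer_uid, ':b' => $viewed_uid)
  )->fetchField();
  return $count > 0;
}
```

Because hook_menu_alter() results are cached in the menu router, run menu_rebuild() (or clear caches) after enabling the module.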

All you need: CCK Private Fields + Content Profile

Related

Letting user access webpage if he has a certain role

I am making a small webpage with Laravel that has User and Admin roles.
My 'users' table consists of name, email, password and role value (0 for user, 1 for admin).
I don't need anything fancy, so can I just make it so every time a normal user loads a page that's meant for the administrator, he gets redirected?
To be more precise: how can I make it so whenever a new page loads, the user's role gets checked and then my if or can statement checks if the user is allowed to access the page?
For example I have a view:
results that displays all the match results (can be accessed by everyone) and I also have an admin/RESULTSadmin view, that should only be accessed by a user that has an admin role, but the rest needs to get redirected. Thank you in advance!
You can make a parent controller with a method that checks what you need and extend your controller from that (kind of the old way, but the simplest).
Another option: make some middleware to check access.
Also please take a look at the Laravel auth mechanism: https://laravel.com/docs/9.x/authentication#password-confirmation-protecting-routes
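The middleware option from the answer, as an added example (not the answer's own code), using the question's `role` column convention of 0 for user and 1 for admin. The class name `EnsureAdmin`, the alias `admin`, and the route names `results` and `admin.results` are assumptions; the Kernel registration shown in the comment matches Laravel 9.

```php
<?php
// app/Http/Middleware/EnsureAdmin.php (assumed file name)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureAdmin
{
    /**
     * Let admins (role == 1) through; send everyone else to the public
     * results page instead of rendering the admin view.
     */
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // Not logged in, or logged in as a plain user (role 0).
        if ($user === null || (int) $user->role !== 1) {
            return redirect()->route('results');
        }

        return $next($request);
    }
}

// app/Http/Kernel.php: register an alias so routes can refer to it.
//
//     protected $routeMiddleware = [
//         // ...
//         'admin' => \App\Http\Middleware\EnsureAdmin::class,
//     ];
//
// routes/web.php: 'auth' first so the role check always sees a user.
//
//     Route::view('/results', 'results')->name('results');
//     Route::view('/admin/results', 'admin.RESULTSadmin')
//         ->middleware(['auth', 'admin'])
//         ->name('admin.results');
```

The check lives in one place and runs before the controller, so no view needs its own role test; pages added later are protected by attaching the same alias.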

Ways of restrict user based on user level in PHP

I have seen Joomla using many types of user access for the admin site, for example user, admin user, registered user and super user. The system actually knows what type of user you are once you log in. I'm trying to do the same thing for my web app. I need any suggestions on how this feature can be achieved using PHP.
Assuming a user is in a database, you could have a column like role which would be user, admin, registered, or super.
Then in PHP you can use switch / if-condition blocks based on that role variable.

How can I hide certain webpages or links from certain users?

My tool uses:
PHP for scripting.
mySQL for DB.
Apache for host.
There will be 2 groups of users.
I want to give access to 1 group of users only for 2 webpages.
The other group of users will have the access for all the pages and links.
Is there a way I can hide certain links on a webpage from a certain group of users, too?
How can I achieve this?
Fairly new to programming.
Any help will be greatly appreciated.
Thank you.
Let's say, admin & normal user.... in that case we will have a column in the user table which will store whether he/she is an admin or not. When you do authentication, fetch this value & keep it in SESSION. So in every page you check whether this person is an admin or not with that session value using an if clause.
It's hard to give any fitting examples without code, but if you have MySQL and know some PHP, the basic way of solving this problem would be connecting to the database, checking what group the currently logged-in user is in (check by ID or however you set things up) and wrapping if statements around the links you want to hide from certain people that check if they belong to the right group to see said pages. You can also hide the pages from them by just putting a check whether they can see the page content or not on top of the content and throwing some sort of no-permission error when needed. For this basic example hard-coding the groups into the files should be sufficient. If you plan on expanding all this later on, I'd maybe make a separate table in your database controlling page view permissions.
You can also include HTML code in your PHP if statements by just closing the PHP section after the if (?>) and put the closing bracket of the if at the end of your HTML menu for the secret group (<?php } ?>).
If you provide us with some code snippets, we can maybe help you a bit more with examples.
There are many ways you could achieve this.
How to 'hide' the page
A good way to really hide the pages would be to check the type of user before displaying anything. If the type of user has access to the requested page, display it. If the user does not have access, you could send a 404 page not found error.
This way, a user who does not have access to the page won't even know the page exists, even if they have the URL.
Authenticate the user
As mentioned by Akhil Sidharth, you can use a $_SESSION variable to keep the type of the user trying to view the pages.
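The two answers above combined (role kept in `$_SESSION` after login, links wrapped in an `if`, and a 404 for pages the group may not see) as one added example; it is not code from either answer. The include name `auth_check.php`, the page-to-group map and the role names `user`/`admin` are constructed for the example.

```php
<?php
// auth_check.php (assumed name): included at the very top of every page,
// before any HTML is sent, so the 404 can still be issued.
session_start();

// At login, after the MySQL credential check succeeds, the row's role is
// copied into the session once, e.g. $_SESSION['role'] = $row['role'];
// Regenerate the session id at that point (session_regenerate_id(true)).

function current_role(): string {
    return $_SESSION['role'] ?? 'guest';   // no session => treated as guest
}

// Constructed sample map: which groups may see which page. The second
// group ('admin') sees everything; 'user' sees only two pages.
const PAGE_ACCESS = [
    'index.php'    => ['user', 'admin'],
    'report.php'   => ['user', 'admin'],
    'manage.php'   => ['admin'],
    'settings.php' => ['admin'],
];

function can_view(string $page, string $role): bool {
    return in_array($role, PAGE_ACCESS[$page] ?? [], true);
}

// "Hide" the page: an unauthorized request gets the same 404 a missing
// file would, so the URL alone reveals nothing.
function require_page_access(string $page): void {
    if (!can_view($page, current_role())) {
        http_response_code(404);
        exit('Not Found');
    }
}

// Every page calls this for itself; the check is server-side, so typing
// the URL directly does not bypass it.
require_page_access(basename($_SERVER['SCRIPT_NAME']));
?>
<!-- Menu: each link is wrapped in the same check, so users never see
     links to pages they cannot open. -->
<ul>
<?php foreach (PAGE_ACCESS as $page => $groups): ?>
  <?php if (can_view($page, current_role())): ?>
    <li><a href="<?= htmlspecialchars($page, ENT_QUOTES, 'UTF-8') ?>">
        <?= htmlspecialchars($page, ENT_QUOTES, 'UTF-8') ?></a></li>
  <?php endif; ?>
<?php endforeach; ?>
</ul>
```

Hiding the link is cosmetic; the `require_page_access()` call at the top of each page is what actually enforces the restriction.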
Every application nowadays is using groups, permissions and capabilities to restrict site/application users from accessing the pages/content/links within the site/application. Sometimes a group might be referred to as a role to organize users. Let me describe -
Group/Role - A role might be Admin, Manager, Employee, Customer etc. Your application should have a role management system where you can manage (add/edit/delete) the roles/user-groups. These roles should be stored in DB tables.
Permission - Permission might be Allow, Deny, Restrict etc.
Capabilities - Capabilities might define the list of works/actions/activities that a user can take on your site or on a particular page. Some examples are - a. Can View XY*Z link b. Can View X*B page c. Can create user d. Can assign permission e. Can change permission etc.
Apart from this, your application should have two additional management pages:
Configure capabilities & permission for the said roles, where you can configure and set capabilities either 'Allow'/'Deny' for the roles.
Role to users - This is the page where you can put the users into a particular role.
In this way you have an idea of what rights/permissions a particular user has on the site & can restrict the users from accessing the contents/pages/links accordingly.
Alternatively, the simplest way for you now is to add a 'type' field in your user DB table. Add a drop down of users types where you are creating/updating the user & save the user type in your user db table. Restrict the user on the basis of user type accordingly.

How to force to create a company after first login with Symfony2

I'm building a SaaS with Symfony 2. Currently I'm adding registration of users to the application, but I don't know how to start.
I have no problems with basic user registration and login, my problem is another: When a user logs into the system, he must fill his company information. Even if the user goes to another URL, he must be redirected to the company information screen and he can't continue until he fills the company data. And the truth is that I have no idea of how to do this.
Can you help me, please? I know that I can add some checks to all of the controllers, but this is just an ugly hack...
If the company information is important, add those fields to the register page. Don't create the account until all fields are filled.
Hard to answer without knowing anything about your application architecture. There's more than one way to do it.
One possible solution would be: as long as the user has not fully filled out all the required information, his account is locked, so whenever he tries to get onto another URL the access is denied (so essentially you've got three user states in your database or session storage or whatever), unless he enters his profile page and fills out all the required information.
If he does so, his status changes to a "fully valid" user and he can log in and browse the page however he likes.
So you don't have to check it on every page - just check if the user is logged in, locked or logged out.
If you have some kind of groups or roles in your application you could put your user into the "invalid" or "notcomplete" group which has basically no access to the application's pages.
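The "locked until the company is filled in" idea from the answer above, implemented as a single kernel.request listener for Symfony 2 (an added example, not the answer's own code), so no controller needs its own check. The bundle namespace, the `company_create` and `logout` route names, and the `getCompany()` accessor on the User entity are assumptions.

```php
<?php
// src/Acme/CompanyBundle/EventListener/RequireCompanyListener.php (assumed path)
namespace Acme\CompanyBundle\EventListener;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\SecurityContextInterface;

class RequireCompanyListener
{
    private $security;
    private $router;
    // Routes a logged-in user without company data may still reach.
    private $allowed = array('company_create', 'logout');

    public function __construct(SecurityContextInterface $security, RouterInterface $router)
    {
        $this->security = $security;
        $this->router   = $router;
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;                                   // ignore sub-requests
        }
        $token = $this->security->getToken();
        if (null === $token || !is_object($user = $token->getUser())) {
            return;                                   // anonymous: nothing to enforce
        }
        $route = $event->getRequest()->attributes->get('_route');
        // Assumed: getCompany() returns null until the user has filled in the form.
        if (null === $user->getCompany() && !in_array($route, $this->allowed, true)) {
            $event->setResponse(new RedirectResponse($this->router->generate('company_create')));
        }
    }
}

// app/config/config.yml (or the bundle's services.yml):
//
// services:
//     acme_company.require_company_listener:
//         class: Acme\CompanyBundle\EventListener\RequireCompanyListener
//         arguments: ["@security.context", "@router"]
//         tags:
//             - { name: kernel.event_listener, event: kernel.request, method: onKernelRequest }
```

Setting a response on the event stops the kernel before the controller runs, so every URL except the allowed ones redirects until the company record exists.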

problem with access to specify pages for users

Hi,
I am writing and designing a website with PHP. In this site everyone can register and the admin can go to admin.php to manage the site. But my problem is that everyone who types www.example/login/admin.php can access admin.php. How can I prevent other users from accessing the admin page?
You probably want to look at .htaccess file. Check this link out
You have to make a login page for admin.php. Only the people with the correct username and password can see the admin page and do the admin actions.
How do you define terms like "user" and "admin" and what is the process for creating/registering an account?
Generally, you would associate "users" with "roles" in your database. If a user account is supposed to be an admin, you associate that user record with the admin role. If the user is a standard user, associate them with the standard user role (which may be the default by having no role, though I'm not a big fan of implicit knowledge vs. explicit definitions in software). Users should also be able to have multiple roles, in case you have various classes of "user" and they need to have overlapping privileges.
Then, in the admin section of the site, your code would check if the current logged-in user (however you track that, you didn't specify) is in a given role before rendering the page. If not, then either send the user to another page or display a message, etc.
If every user can access the admin page, then essentially every user is an admin. How do you distinguish one from another in the code or in the data? That's where you need to start.