close ad
 
Important WebAssist Announcement
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

restricting access to some template pages

Thread began 3/03/2015 7:24 am by CraigR | Last modified 3/03/2015 12:22 pm by Jason Byrnes | 1544 views | 5 replies |

CraigRBeta Tester

restricting access to some template pages

I have been asked to create a secure download page, using a page based on a PowerCMS template, as the site uses this extensively

Obviously, I only want a specific page to be restricted, without affecting other pages based on this template.

The approach I have taken is to check the page url for a certain string, and if present, load the conditional content.

The same logic applies when checking for page access.

eg to check which page is loaded

php:
<?php

  $url 
$_SERVER['REQUEST_URI'];
  
$downloadspage = (stristr($url'downloads') === FALSE)?'0':'1';
  
$loginpage = (stristr($url'login') === FALSE)?'0':'1';
?>



to check if admin is logged in

php:
<?php if ($loginpage === '1'  {

  if (!
WA_Auth_RulePasses("Administrator")){
    
WA_Auth_RestrictAccess("redirectpage.php");
  }
?>



I plan to store the files themselves outside of the site root and use WA file manipulation to download

As it is all server side, it seems a safe, sensible way to go about it, but as the client is very cautious re security, I wanted to check that it seemed a sensible approach to take, as I haven;t done this with PowerCMS pages before, and wondered if there were any additional measures or other course I should take

Sign in to reply to this post

Jason ByrnesWebAssist

this won't be very secure using a URL variable. any body could add the URL variable to gain access.

The page access uses a security assist access rule that is based on a session variable set at login. you can create additional access rules and use the security assist show region to show the content if the access rule is met.

Sign in to reply to this post

CraigRBeta Tester

Sorry, maybe i wasn't clear enough im my meaning, i am not using the url itself as security.

Access to the url, i'm not bothered about, - using the url variable is only giving me a value so i can set some conditions to tell the page which sections to load.

eg load a login form on a login page

I am doing this as the page is based on a PowerCMS template

The access rule is initiated only if the page has a string in the url, as i only want to invoke the access rule on specific 'pages'

so for example, the secure page is part of the general page template.

only if this 'page' is loaded, the access rule is initiated.

The access rule uses the same login security as power cms, and limits access to members with an entry in the users table

(I have further secured PowerCMS so this is now only available to Super Admin, - as is in-line editing, by changing the rules in WA_CMS.php)

Does that make more sense, or is this scenario still insecure ?

Sign in to reply to this post

Jason ByrnesWebAssist

Ok, yeah, that makes more sense. I don't see an obvious flaw in this.

Sign in to reply to this post

CraigRBeta Tester

thanks, - thought it was ok, got me worried for a minute ;-)

Sign in to reply to this post

Jason ByrnesWebAssist

sorry to work you.

Sign in to reply to this post

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...