How to access a Joomla 2.5 page without log in - joomla

I have a website which directs the users to a Joomla 2.5 page, but I would like to keep my content (just an article) private and to be accessed just by authorized users (by IP) without them logging in.
I have already searched for a plugin, but I just found solutions with login.
Can you suggest a solution?

I haven't seen any plugins that support such a feature but one method (not the most efficient one) would be to edit the template index.php file like so:
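<?php
$allow = array("IP 1", "IP 2", "IP 3"); // allowed IPs

// REMOTE_ADDR is the address of the connecting peer. X-Forwarded-For is an
// optional request header, so it is only checked when it is actually present.
$remote = $_SERVER['REMOTE_ADDR'];
$forwarded = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : null;

if (in_array($remote, $allow, true) && ($forwarded === null || in_array($forwarded, $allow, true))) {
    // all your template code in here
} else {
    // redirect if IP isn't allowed
    header("Location: http://google.co.uk");
    exit();
}
?>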
I haven't tested the code above, so please bear in mind it may not be 100%.
You may actually be interested in this Joomla Plugin.
http://www.yireo.com/software/joomla-extensions/auto-login-ip/packages
Just saw it whilst writing this answer. It automatically logs a user in from a specific or range of IP addresses. There is a free version, however it doesn't come with onsite or email support which shouldn't be a problem. Once installed, simply restrict your articles/content to registered users only.
Hope this helps
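
An added example, not part of the original answer and not Joomla code: X-Forwarded-For is a request header any client can set, so an IP allowlist should take the client address from it only when the connecting peer is a reverse proxy you operate. The function names, the proxy list and the sample addresses below are assumptions made for illustration.

```php
<?php
// Compare in binary form so equivalent spellings of one address match.
function ip_in_list($ip, array $list)
{
    $bin = @inet_pton($ip);
    if ($bin === false) {
        return false; // not a valid IPv4 or IPv6 address
    }
    foreach ($list as $entry) {
        if (@inet_pton($entry) === $bin) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is the TCP peer. X-Forwarded-For is believed only when that peer is
// one of our own proxies; the right-most hop that is not a proxy is the client.
function client_ip(array $server, array $trustedProxies)
{
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (empty($server['HTTP_X_FORWARDED_FOR']) || !ip_in_list($peer, $trustedProxies)) {
        return $peer;
    }
    foreach (array_reverse(explode(',', $server['HTTP_X_FORWARDED_FOR'])) as $hop) {
        if (!ip_in_list(trim($hop), $trustedProxies)) {
            return trim($hop);
        }
    }
    return $peer;
}

function request_allowed(array $server, array $allow, array $trustedProxies)
{
    return ip_in_list(client_ip($server, $trustedProxies), $allow);
}

// Constructed sample requests (documentation address ranges), not real traffic.
$allow = array('198.51.100.7', '203.0.113.20');
$proxies = array('192.0.2.10');
$requests = array(
    'direct' => array('REMOTE_ADDR' => '203.0.113.20'),
    'header sent by an untrusted peer' => array('REMOTE_ADDR' => '192.0.2.99', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'),
    'via our proxy' => array('REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.7'),
);
foreach ($requests as $label => $server) {
    echo $label, ': ', request_allowed($server, $allow, $proxies) ? 'allow' : 'deny', "\n";
}
```

In a template, `request_allowed($_SERVER, $allow, $proxies)` would replace the two `in_array()` calls, with `$proxies` left empty when the site is not behind a reverse proxy.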

Related

User authenticating but not staying logged in Laravel 8.x

When testing my application and trying to create a new user then on form submission I am getting error 419.
If I use a helper to log in using Auth::loginUsingId(x) for an existing user then dd(auth()->user()) is successful but when I redirect to another page the user is no longer logged in. eg running the following code, you end up getting redirected to /login:
Route::get('/logInAs/{id}', function ($id) {
    Auth::loginUsingId((int) $id);
    dd(\auth()->user());
    return redirect()->route('dashboard');
});
I would share more code but I'm not sure what would be useful at this point?
I've probably spent about seven hours trying to fix this so far. It's driving me up the wall!
The app works fine on other environments, such as staging. I've even gone so far as to re-download it from github as a fresh install (in case I was messing about in vendor directory and changed something), but that hasn't fixed it.
I get the same issue on Chrome, using different signed in users on Chrome, using incognito mode on Chrome, using Firefox, and using valet share and accessing my local version on another device, like a phone, so I don't think it is to do with browser caching.
When other devs working on the project run it locally on their machines I haven't had reports of this issue, so it seems to just be my local environment.
I've variously tried changing CACHE_DRIVER and SESSION_DRIVER in .env to no joy, but I'm beginning to lose the will to live so don't really know if I'm doing the right thing there - please help if you can!!
Edit to add more detail:
Middleware on the dashboard route:
Route::middleware(['auth:sanctum', 'verified'])->group(function(){
    Route::get('/dashboard', DashboardController::class)->name('dashboard');
});
If I remove the middleware then I just get an error that user is null on dashboard.blade.php, ie the user is still not staying logged in.
A custom middleware:
class VerifyUserIsMerchant
{
    public function handle(Request $request, Closure $next)
    {
        if ($request->user()->isMerchant()) {
            return $next($request);
        }
        throw new AccessDeniedHttpException('You must be a merchant to access this page');
    }
}
If I dd($request->user()) in this middleware it returns null.
The issue got fixed with the help of Laracasts. The full answer is here.
In short, I needed to remove the http:// protocol from SESSION_DOMAIN in .env and set it to match APP_URL.
This was the correct answer for this issue. It was deleted by a moderator. Moderator, before you delete this answer as well please can you explain why?
It provides the full answer to the issue raised in the question. I did not find this answer to this issue anywhere else (hence why it took me several days of debug to fix).
If I can know why it was deleted, I can then understand how to avoid making answers in the future that also would be deleted. Thank you.

The photos don't appear after an update to vTiger 6.2

After an update or a fresh install of vtiger 6.2, it's possible that contact photos don't appear. It looks like a dead link.
Problem
vTiger 6.2 puts all your uploads (incl. user & product pictures) into /storage and denies access to this folder from the web through a htaccess-File (/storage/.htaccess):
deny from all
These files will only be accessible by the webserver/php directly, which is perfect from a security point of view and it should be kept that way (deleting this htaccess-file is a very bad thing, cause then everybody outside will be able to read your files given he has the right path)!!!
The correct way to deal with these files inside the Web-Application would be to never reference the files directly in HTML (<img src="path/to/file">, cause you would not see them due to the htaccess-File) but to always route their data through a gateway-PHP-Script which checks if the requesting user is authenticated (<img src="file.php?filename=path/to/file">). The PHP-Script can (as I said above) bypass the Apache/htaccess-Security cause it directly accesses the filesystem. This is done in the Document-Section where you can see that downloading a file leads to "http://domain/index.php?module=Documents&action=DownloadFile&record=10&fileid=11"
However, unfortunately vTiger has places in its Web-Application where it still references files in /storage directly in HTML, as with User Pictures and Product Pictures; therefore they are not shown.
UPDATE: Bugfix
I found that the Apps Contacts, Users and Products have this problem.
I bugfixed them in 2 steps:
Add Actions for each App as Gateway-Scripts
Create the files (vTiger is installed on /opt/vtiger)
/opt/vtiger/modules/Users/actions/DownloadPicture.php
<?php
class Users_DownloadPicture_Action extends Vtiger_Action_Controller {

    // Deny the request unless isPermitted() grants DetailView on this record
    public function checkPermission(Vtiger_Request $request) {
        $moduleName = $request->getModule();
        if(!Users_Privileges_Model::isPermitted($moduleName, 'DetailView', $request->get('record'))) {
            throw new AppException(vtranslate('LBL_PERMISSION_DENIED', $moduleName));
        }
    }

    // Read the picture from /storage on the server side and send it to the browser
    public function process(Vtiger_Request $request) {
        $userRecordModel = Vtiger_Record_Model::getInstanceById($request->get('record'), $request->getModule());
        $userPictureDetails = $userRecordModel->getImageDetails();
        // Records without a picture have nothing to send
        if (empty($userPictureDetails[0]['path'])) {
            return;
        }
        $pictureData = file_get_contents($userPictureDetails[0]['path'] . '_' . $userPictureDetails[0]['orgname']);
        header("Content-type: image/jpeg");
        header("Pragma: public");
        header("Cache-Control: private");
        echo $pictureData;
    }
}
?>
/opt/vtiger/modules/Products/actions/DownloadPicture.php
The same but: class Products_Download...
/opt/vtiger/modules/Contacts/actions/DownloadPicture.php
The same but: class Contacts_Download...
Adapt the Templates to serve Image-Tags with the Gateway-Script
Go in the files, find the <img ... >-Tag and change its src-Attribute:
/opt/vtiger/layouts/vlayout/modules/Users/ListViewContents.tpl
    index.php?module={$MODULE}&action=DownloadPicture&record={$LISTVIEW_ENTRY->get('id')}
/opt/vtiger/layouts/vlayout/modules/Users/PreferenceDetailViewHeader.tpl
    index.php?module={$MODULE}&action=DownloadPicture&record={$RECORD->get('id')}
/opt/vtiger/layouts/vlayout/modules/Users/UserViewHeader.tpl
    index.php?module={$MODULE}&action=DownloadPicture&record={$RECORD->get('id')}
/opt/vtiger/layouts/vlayout/modules/Vtiger/DetailViewBlockView.tpl
    index.php?module={$MODULE}&action=DownloadPicture&record={$RECORD->get('id')}
/opt/vtiger/layouts/vlayout/modules/Vtiger/uitypes/Image.tpl
    index.php?module={$MODULE}&action=DownloadPicture&record={$RECORD_ID}
/opt/vtiger/layouts/vlayout/modules/Contacts/DetailViewHeaderTitle.tpl
    index.php?module={$MODULE}&action=DownloadPicture&record={$RECORD->get('id')}
Now it is for sure you can see your pictures everywhere, but without being logged in you cannot access the files!
Possible open problem: I do not know so much about rights management in vTiger to tell you that now only users with access rights on the records have access to the files. It is possible that now every user can access them. If somebody knows how to control this, please comment!
Hope everything works out, as by me.
Servus
Lukas
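
An added example, not part of the original answer and not vTiger code: a gateway script that reads from /storage on a client's behalf should confirm that the resolved file really lies inside the storage directory and should send the content type detected from the file instead of a fixed image/jpeg. The function names and the demo directory are assumptions; the PHP fileinfo extension is assumed to be enabled.

```php
<?php
// Map a requested name to a real image file under $storageRoot, or return null.
// realpath() resolves "../" and symlinks first, so the prefix test is made on
// the file's final location rather than on the string the client sent.
function resolve_storage_image($storageRoot, $relative)
{
    $root = realpath($storageRoot);
    $path = realpath($storageRoot . DIRECTORY_SEPARATOR . $relative);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the storage directory
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE); // type from file content, not extension
    $mime = $finfo->file($path);
    $allowed = array('image/jpeg', 'image/png', 'image/gif');
    return in_array($mime, $allowed, true) ? array('path' => $path, 'mime' => $mime) : null;
}

// Called by the gateway only after the login/permission check has passed.
function send_storage_image(array $image)
{
    header('Content-Type: ' . $image['mime']);
    header('Content-Length: ' . filesize($image['path']));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private');
    readfile($image['path']);
}

// Constructed demo tree: one GIF upload, one text upload, one file outside storage.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gateway_demo_' . getmypid();
mkdir($base . '/storage/2014', 0700, true);
file_put_contents($base . '/storage/2014/10_photo.gif', "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
file_put_contents($base . '/storage/2014/11_notes.txt', 'plain text');
file_put_contents($base . '/secret.txt', 'outside storage');

foreach (array('2014/10_photo.gif', '2014/11_notes.txt', '../secret.txt') as $name) {
    $image = resolve_storage_image($base . '/storage', $name);
    echo $name, ' => ', $image ? 'serve as ' . $image['mime'] : 'refuse', "\n";
}
```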
To solve that, simply connect to your server through an FTP client. Empty or remove the ".htaccess" file in the "/storage" folder.
That's it!
Or in the .htaccess file change from:
deny from all
to:
Options -Indexes
I rewrote my .htaccess file from "deny from all" to…
# If the URI is an image then we allow accesses
SetEnvIfNoCase Request_URI "\\.(gif|jpe?g|png|bmp)$" let_me_in
Order Deny,Allow
Deny from All
# Allow accesses only if an image was requested
Allow from env=let_me_in
Now my images show up.

Magento Transactional Email Logo and HTTPS (SSL)

In Magento CE 1.8, it appears {{var logo_url}} defaults to using an HTTPS link in its transactional emails (if SSL enabled). This causes an issue in Outlook, because Outlook will not display images with an SSL URL.
Is there any "easy" way to force {{var logo_url}} to HTTP?
I don't think it's a good idea to enforce anything to be HTTP instead of HTTPS but well... The easiest way I can think of would be to extend Mage_Core_Model_Email_Template_Abstract in your own extension (better) or to overwrite it in your local code pool (faster and okay but not so clean) and adapt the function _addEmailVariables($variables, $storeId).
For the sake of demonstration I'll show the second approach:
Copy app/code/core/Mage/Core/Model/Email/Template/Abstract.php to app/code/local/Mage/Core/Model/Email/Template/Abstract.php and create any folders which don't exist already in app/code/local/.
Now in app/code/local/Mage/Core/Model/Email/Template/Abstract.php in the function _addEmailVariables($variables, $storeId) look for
if (!isset($variables['logo_url'])) {
    $variables['logo_url'] = $this->_getLogoUrl($storeId);
}
and replace it with something like this
if (!isset($variables['logo_url'])) {
    // Rewrite only the leading scheme; "https" elsewhere in the URL is left alone
    $variables['logo_url'] = preg_replace('#^https://#i', 'http://', $this->_getLogoUrl($storeId));
}
Not tested but this should work. You can adapt this approach in your own extension as well. Check out the excellent articles on http://inchoo.net/ if you are not familiar with the process (http://inchoo.net/magento/overriding-magento-blocks-models-helpers-and-controllers/ is a good starting point).

script post message without check login phpbb3

I have made a script that replaces the posting.php in some forums, but without logging in, I can post with it... which code do I need to add or edit to make that check?
My script only has a form with some inputs and a submit button, and some lines of phpbb3 to integrate it with theme, and to use the submit_post function.
But I don't know how to restrict the script to logged users....
I have tried to read posting.php, but nothing was solved...
Could anyone help me?
My assumption is that you already have access to the $user object from PHPBB.
Since the first user in the system is Anonymous (and PHPBB uses this as the guest account), you can check if that is the user currently being used.
// ANONYMOUS is phpBB's constant for the guest account's user_id
if ($user->data['user_id'] == ANONYMOUS)
{
    echo 'Please login!';
}
else
{
    // Your existing code
}

Magento - Redirect back (similar to using setBeforeAuthUrl) when user creates a new account

I have the following controller action, which redirects to the login page if no user is logged in:
public function requireloginAction() {
    if(!Mage::getSingleton('customer/session')->isLoggedIn()) {
        // Not logged in
        // Save requested URL for later redirection
        Mage::getSingleton('customer/session')->setBeforeAuthUrl($this->getRequest()->getRequestUri());
        header("Status: 301");
        header('Location: '.Mage::helper('customer')->getLoginUrl()); // send to the login page
    }
    else {
        // Logged in
        // .. do something ..
    }
}
By using setBeforeAuthUrl, once the user logs in he/she is redirected back to this action.
Problem:
If instead of logging in, the user creates an account, he/she is then redirected to the main page, rather than to the url set in setBeforeAuthUrl.
Question:
Is there something similar to setBeforeAuthUrl that works with Account Creation too? Or how can I achieve the desired effect?
(Magento Version 1.6)
You can try using the following extension. http://www.magentocommerce.com/magento-connect/MagePsycho/extension/3763/custom_login_redirect
Or you can also open app/code/core/Mage/Customer/controllers/AccountController.php, look for the createPostAction() function around line 328 and edit:
$url = $this->_welcomeCustomer($customer);
$this->_redirectSuccess($url);
to
$url = 'http://www.mycustomrediurecturl.com';
$this->_redirectSuccess($url);
If you want to do it the nice way, override the controller, add configuration options and make it a module :)
Cheers
Found solution.
First of all, setBeforeAuthUrl($url) does work for both "Log In" and "New Account Creation"!
The main difference (and the reason I had the problem) is that for a "New Account Creation" Magento checks if $url is within the domain name of the current store and if it is not, it redirects to the "My Account" page. While the redirection for "Log In" redirects to any $url.
I do not know if this is a bug or a feature (I'm using V1.6.0.0).
So just make sure to redirect to a url within the domain name of the current store - especially in a Multi Store configuration.
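
An added example, not part of the original answer and not Magento's implementation: the kind of same-site test described above, written as a stand-alone PHP function that can be applied to a return URL before it is stored or followed, so that the login path gets the same restriction as account creation. The function name, the base URL and the sample URLs are constructed for illustration.

```php
<?php
// Return $url when it stays on the store's own origin, otherwise $fallback.
function safe_redirect_target($url, $baseUrl, $fallback)
{
    $base = parse_url($baseUrl);
    $origin = $base['scheme'] . '://' . $base['host'] . (isset($base['port']) ? ':' . $base['port'] : '');
    if (!is_string($url) || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return $fallback; // control characters or spaces never belong in a Location header
    }
    // Site-local path: one leading slash, not "//" or "/\" (read as a host by browsers).
    if (preg_match('#^/(?![/\\\\])#', $url)) {
        return $origin . $url;
    }
    $target = parse_url($url);
    if (!is_array($target) || !isset($target['scheme'], $target['host'])) {
        return $fallback; // "//host/...", "javascript:..." and other non-absolute forms
    }
    // Compare scheme, host and port exactly; a prefix match on the base URL is not enough.
    $targetOrigin = strtolower($target['scheme'] . '://' . $target['host'])
        . (isset($target['port']) ? ':' . $target['port'] : '');
    return $targetOrigin === strtolower($origin) ? $url : $fallback;
}

// Constructed sample values; shop.example.com stands in for the store's base URL.
$base = 'https://shop.example.com/';
$fallback = $base . 'customer/account/';
$samples = array(
    '/mymodule/index/requirelogin/',
    'https://shop.example.com/checkout/cart/',
    'https://shop.example.com.other.test/',
    'https://shop.example.com@other.test/',
    '//other.test/',
);
foreach ($samples as $url) {
    echo str_pad($url, 42), ' -> ', safe_redirect_target($url, $base, $fallback), "\n";
}
```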
