1

Topic: Restrict access to profile pages

How can I restrict access to profile pages and the users list to registered members only?

Re: Restrict access to profile pages

The userlist can be hidden from guests in the admin panel.
Go to yourhost.tld/admin_groups.php?edit_group=3 and remove access to the userlist. For the profiles you need to modify the source, and that would be a modification (we're in the Troubleshooting section right now).

Re: Restrict access to profile pages

Userlist isn't possible without a mod I believe.

Re: Restrict access to profile pages

See the simple code to do this at:

http://www.punres.org/viewtopic.php?pid=13645

5

Re: Restrict access to profile pages

Following instructions from the previous post I added this code to profile.php

if ($pun_user['is_guest'])
{
    require '../common/headerlite.php';
    echo '<meta content="5; URL = http://mywebsite.com/forum/login.php" http-equiv="Refresh" />';
    echo '<div class="leftbar"></div><div class="midbar"><p>You must be logged in to view member profiles.</p></div>';
    include '../common/footer.php';
    die();
}

It works. Profiles are only accessible if you're logged in.

But that creates a huge problem when a user forgets his password and lets the system send a new password. The activation link looks something like this:

...forum/profile.php?id=11&action=change_pass&key=IJGix8Sy

But profile.php no longer allows access to users that aren't logged in. And I guess this modification even makes it impossible for new users to sign up and activate.

Is there a way to restrict access to just the "user profile" in profile.php, but leave elements needed for activation open? Is there a way to separate these conflicting functionalities within profile.php?

6

Re: Restrict access to profile pages

In profile.php, near the top of the file:

// mod: no guest view
if ($pun_user['is_guest'] && $action != 'change_pass')
{
        require_once PUN_ROOT.'header.php';
        message($lang_common['No view']);
}


In userlist.php, again near the top of the file:

// mod: no guest view
if ($pun_user['is_guest'])
{
        require_once PUN_ROOT.'header.php';
        message($lang_common['No view']);
}


Change the 'No view' to whichever lang file entry you wish to have returned.

7 (edited by Peter 2007-08-23 16:46)

Re: Restrict access to profile pages

MattF, thanks, but I don't get your reply. It's basically the same code I already had, isn't it? Yours is more standard PunBB. In my customization I bypass the language file system where I can because I only use English. The language system is confusing to me.

What does this bit of code do?

&& $action != 'change_pass'

Does it exclude the change_pass action from the no-view-for-guests restriction? To me as a non-PHP coder it looks like it specifically closes change_pass to guests, which would be the opposite of what I want.

Is change_pass the only action in profile.php I should leave open for users that aren't logged in? How about activation for new users?

8

Re: Restrict access to profile pages

Peter wrote:

MattF, thanks, but I don't get your reply. It's basically the same code I already had, isn't it? Yours is more standard PunBB. In my customization I bypass the language file system where I can because I only use English. The language system is confusing to me.

Then just enter whatever message you wish to have displayed within the message("[Your message here]") bit, instead of a language file entry.


Peter wrote:

What does this bit of code do?

&& $action != 'change_pass'

Does it exclude the change_pass action from the no-view-for-guests restriction? To me as a non-PHP coder it looks like it specifically closes change_pass to guests, which would be the opposite of what I want.

It does exactly what you asked. It allows guests to access the change pass section and nothing else within the profile.php script.

Peter wrote:

Is change_pass the only action in profile.php I should leave open for users that aren't logged in? How about activation for new users?

Add whatever else you need to that exclusion.

9

Re: Restrict access to profile pages

Thanks MattF, I'll try this. :-)

I don't have a clear picture what other necessary actions there are in profile.php and how to add them to the exclusion. What would the syntax be? For a non-coder it's hard to guess or google.

10

Re: Restrict access to profile pages

Using that example above, and adding a made up extra exclusion, the syntax would be:

// Exclusions are joined with &&: the guest is blocked only when the action matches none of them.
if ($pun_user['is_guest'] && ($action != 'change_pass' && $action != '[some made up action]'))
{
        require_once PUN_ROOT.'header.php';
        message("No guest access allowed.");
}
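An added example, not part of the original posts and not PunBB code: the same guest restriction written as an allowlist, next to a `!=` chain joined with `||` to show why that form blocks every guest request. `guest_is_blocked()`, `GUEST_ALLOWED_ACTIONS` and `example_action` are hypothetical names; only `change_pass` comes from the thread.

```php
<?php
// Added example, not PunBB code. Actions a guest may reach in profile.php.
// 'change_pass' comes from the thread; 'example_action' is a hypothetical
// placeholder for any other action you decide to leave open.
const GUEST_ALLOWED_ACTIONS = ['change_pass', 'example_action'];

// True when the request must be refused: the visitor is a guest and the
// action is not on the allowlist. A missing action (plain profile view) is refused too.
function guest_is_blocked(bool $is_guest, ?string $action): bool
{
    if (!$is_guest) {
        return false;
    }
    // Strict matching: no type juggling, and the comparison is case-sensitive.
    return !in_array($action, GUEST_ALLOWED_ACTIONS, true);
}

// A != chain joined with ||: an action cannot equal both strings at once,
// so one inequality is always true and every guest request is refused.
function guest_is_blocked_with_or(bool $is_guest, ?string $action): bool
{
    return $is_guest && ($action != 'change_pass' || $action != 'example_action');
}

// Constructed sample requests: [is_guest, action].
$samples = [
    [true,  null],             // guest viewing a profile
    [true,  'change_pass'],    // guest following a password-reset link
    [true,  'example_action'],
    [true,  'Change_Pass'],    // wrong case: not on the list, so refused
    [false, null],             // logged-in member
];

foreach ($samples as [$is_guest, $action]) {
    printf(
        "%-6s action=%-16s allowlist=%-5s or-chain=%s\n",
        $is_guest ? 'guest' : 'member',
        var_export($action, true),
        guest_is_blocked($is_guest, $action) ? 'deny' : 'allow',
        guest_is_blocked_with_or($is_guest, $action) ? 'deny' : 'allow'
    );
}

// In profile.php the check would read (message text is an assumption):
// if (guest_is_blocked($pun_user['is_guest'], $action)) { message('No guest access allowed.'); }
```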

11 (edited by Thomas2 2007-09-10 11:28)

Re: Restrict access to profile pages

There is a simpler solution: just don't write the userlist-link anymore for guests, i.e. in the function generate_navlinks() in functions.php replace


$links[] = '<li id="navuserlist"><a href="userlist.php">'.$lang_common['User list'].'</a>';


by


if (!$pun_user['is_guest'])  {
$links[] = '<li id="navuserlist"><a href="userlist.php">'.$lang_common['User list'].'</a>';
}



Furthermore I also removed the link to the profile of the newest user by removing


<dd><?php echo $lang_index['Newest user'] ?>: <a href="profile.php?id=<?php echo $stats['last_user']['id'] ?>"><?php echo pun_htmlspecialchars($stats['last_user']['username']) ?></a></dd>


from index.php (I also removed the corresponding database query somewhat above that line).


Thomas

Re: Restrict access to profile pages

@ Thomas

Only removing the link from guest view won't stop them from accessing the user list or profile page.

You need an if ($pun_user['is_guest']) statement on both User List and Profile to make sure that they don't access the page.

13 (edited by Thomas2 2007-09-10 14:30)

Re: Restrict access to profile pages

PhaxeNor wrote:

@ Thomas

Only removing the link from guest view won't stop them from accessing the user list or profile page.

You need an if ($pun_user['is_guest']) statement on both User List and Profile to make sure that they don't access the page.

Yes, that's obviously true, but actually preventing access to the userlist and profiles for guests is probably not the problem here. I for instance was primarily concerned about reducing the number of entry points for search engines and other spiders into the forum in order to reduce the amount of unnecessary traffic. And links are realistically the only way of getting into the forum. So with no links to the userlist or any profile on the index page, the only way to any topics is over the forum links (I have even forbidden the 'last post' links for the major search engines with a corresponding rewrite directive in an .htaccess file, which rejects requests with 'pid' in the query string).
Besides, I have renamed some pages throughout (including userlist.php), in order to evade any attempts of looking for certain pages in the first place.

Thomas

14

Re: Restrict access to profile pages

Renaming the pages without imposing access restrictions upon them will do sod all for security, if that is your concern. Removing the links is beneficial, (merely from the point of not displaying links that a guest cannot access, thereby them being irrelevant within the context), but the actual access restrictions should be within the pages themselves.

Re: Restrict access to profile pages

I haven't renamed my pages but I send the guests back to the index page with

header('Location: index.php');
exit; // stop the script here so the rest of the page is not sent after the redirect

So they won't even get a message that they can't access this page.