Textpattern CMS support forum

#61 2015-03-18 14:18:19

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529

Re: smd_access_keys: secure, limited access to content

It works like expected!

The salt value has a problem: if I use the date from PayPal, that causes a problem (maybe due to the GMT+1 time of my zone), so I put a fixed date there. It's not an issue for me; that works like I thought it should work.

Thanks Stef for your big help. It's my first time implementing PayPal payment with PDT, and it took me some days to figure out how things work.

Hi Five Man.

Offline

#62 2015-03-18 15:10:18

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,270

Re: smd_access_keys: secure, limited access to content

Dragondz wrote #289186:

if I use the date from PayPal, that causes a problem

Glad it works, apart from the dates. My guess is that it’s a simple reformatting issue. PayPal use odd date formats like this in most places:

HH:MM:SS Mmm DD, YYYY PDT

whereas the plugin expects:

YYYY-MM-DD HH:mm:ss

You’ll have to check what exact format PayPal sends you, but it probably just needs an intermediate step to translate their date into a format we can use. You could try passing it through strtotime(), which should return a UNIX timestamp that can be used to reformat the date. Or, perhaps better, is to explicitly tell it the format by doing something like this:

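// $paypalDate is a placeholder name for the date string PayPal sent; 'H' parses the 24-hour HH field
$fromPaypal = date_create_from_format('H:i:s M d, Y e', $paypalDate);
$txpDate = $fromPaypal->format('Y-m-d H:i:s');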

You shouldn’t need to worry about timezone here: you can use PayPal’s PDT timezone. But you may need a little bit of defensive coding after/around the first line to trap any errors (in case PayPal change their date format one day) and use a default date in that case.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Online
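
Added example, not part of the original posts or of the plugin's code: one way to do the defensive parsing suggested in #62, so that a changed or malformed PayPal date falls back to a default instead of producing an unusable salt. The function name, the default date and the sample strings are assumptions made up for illustration.

```php
<?php
// Added example: function and variable names are hypothetical, not part of smd_access_keys.

/**
 * Convert a PayPal-style date ("HH:MM:SS Mmm DD, YYYY PDT") to "YYYY-MM-DD HH:mm:ss".
 * Returns $default when the input does not match the expected format exactly.
 */
function paypal_date_to_txp($paypalDate, $default)
{
    $parsed = date_create_from_format('H:i:s M d, Y e', trim((string) $paypalDate));
    $errors = date_get_last_errors(); // array, or false on PHP 8.2+ when there were none

    // Reject outright failures and "soft" parses (e.g. Feb 30 silently rolling into March).
    $unclean = is_array($errors)
        && ($errors['warning_count'] > 0 || $errors['error_count'] > 0);
    if ($parsed === false || $unclean) {
        return $default;
    }

    // Wall-clock time is kept in the timezone PayPal sent (PDT/PST), as suggested above.
    return $parsed->format('Y-m-d H:i:s');
}

// Constructed sample inputs, not real PayPal data.
$default = '2015-01-01 00:00:00';
$samples = array(
    '14:18:19 Mar 18, 2015 PDT', // the documented format
    '2015-03-18T14:18:19Z',      // a different format altogether
    '14:18:19 Feb 30, 2015 PST', // matches the pattern but is not a real date
    '',                          // field missing from the response
);
foreach ($samples as $sample) {
    printf("%-30s => %s\n", var_export($sample, true), paypal_date_to_txp($sample, $default));
}
```

Whatever string is used as the salt has to be identical when the key is generated and when it is checked, so the same conversion (and the same default) must be applied in both places.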

#63 2015-03-19 09:41:45

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529

Re: smd_access_keys: secure, limited access to content

Thanks Stef

But using a fixed value doesn't bother me at all; the value of what is being sold (a link to a detail page) is 1$ and people accessing the payment page are all registered users.

But thanks for pointing me in the right direction about that; I will investigate the date issue.

Cheers

Offline

#64 2015-07-04 18:25:27

giampablo
Member
From: Italy
Registered: 2008-07-17
Posts: 86

Re: smd_access_keys: secure, limited access to content

Scenario: a sport school has several classes, e.g. trekking, rafting, climbing… At the end of every course, students should receive by email an access key enabling them to download material (pdf, documents…) related to their course.

What I am trying to get is a landing section with restricted access and a field where the user should enter his access key, displaying the list of downloadable files for his class only.

So, entering the access key for trekking you will see just the files with category = trekking. And so on, one key for each class/category.

I do not understand how to generate the access key according to the file category and then display those files only, not protected for download (no need for a time limit).

Can somebody help me?

Offline

#65 2015-07-04 20:49:32

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,270

Re: smd_access_keys: secure, limited access to content

giampablo wrote #292569:

a landing section with restricted access and a field where the user should enter his access key

OK, first off the plugin won’t work like that out of the gate. It can be done that way, but you’d need to put a little more markup and maybe a plugin or two in there (adi_gps or smd_if spring to mind). So let’s explore how the plugin does work without any additional help and see if that can fit your needs. We can expand on this later if necessary.

How many categories are there that you want to protect, btw? If there are hundreds then this might get a bit tedious, but we can automate this process a little with some clever use of the plugin tags.

The manual method is to create download links from the admin side. So go to Extensions->Access keys and click New key. Enter the URL of your category landing page. Since we’re dealing with files, I’ll assume that’s the Txp context you want, and that you intend to handle everything with your default page template since you can then take advantage of clean URLs:

http://example.org/category/file/trekking

Set the Trigger field to something that makes sense to you; it gets added to the key so I’d choose something like course-files. Since you don’t want any restrictions, you’re done so you can hit Add on the far right of the row.

In the green ‘success’ message that appears on the admin side will be a URL. Copy that and save it somewhere: it’s the only time you’ll ever see it! That’s the unique key for that area. You can get complicated and create a system that generates a unique key per student, but let’s keep things simple and have a single shared key for the entire category.

So, your default Page template needs to have this added to it somewhere:

<txp:if_category type="file">
   <txp:smd_access_protect trigger="course-files" force="1">
      <h3><txp:category title="1" /> downloads</h3>
      <txp:file_download_list category='<txp:category />' limit="50" />
   <txp:else />
      <p>No access to this resource, sorry.</p>
   </txp:smd_access_protect>
</txp:if_category>

That’s it. Your page functions as normal, but if anyone tries to visit the file category, the plugin will kick in and refuse access unless the key you copied earlier is used.

You can of course tweak the <txp:file_download_list> tag / Form / Container to your liking.

So all you need to do is figure out a way to distribute that key to whichever students require it. You could stash the keys in a Form on your admin side, each one in a <txp:variable> so you can construct emails using zem_contact_reborn or something to mail out the keys. You can get as sophisticated as you like.

Once your Page template is in place, just repeat the process of creating keys for each category, making a note of each access key that’s generated so you can share it as a link in its entirety.

As I say, if you wanted to make it so you only send out the access key portion, you’d need to build an HTML form inside the smd_access_protect tag’s <txp:else> container. When the MD5 portion of the key (e.g. 1d328eaaf9b8ccc0291656bf69b7eb8b9ce6e1cf/51964192) is pasted in and the submit button pressed, you can use jQuery (or something) to tack it onto the end of the current URL prior to submission, then the page will reveal the access controlled content when that URL is submitted.

If creating access keys by hand is tedious, you can make yourself a dedicated URL, perhaps locked away inside the <txp:else> portion of the above code, with a suitable access control plugin such as rvm_privileged. Then, if you’re logged in on the admin side and visit a public-side URL of something like /category/file/rambling without an access token, you can make it call something like (untested) <txp:smd_access_key trigger="course-files" url='<txp:page_url />' /> and that’ll spit out a key for that category on the screen for you to copy.

You could get even more clever here and build that into part of a zem_contact_reborn HTML form so you could generate a key per student, enter their name and email address, then have it send the key straight to them.

Sky’s the limit. Hope that helps.


Online

#66 2015-07-06 05:49:11

ax
Plugin Author
From: Germany
Registered: 2009-08-19
Posts: 165

Re: smd_access_keys: secure, limited access to content

With my MySQL database, the smd_akeys database table now has 537,224 records, and a size of 88,9 MiB, all according to phpMyAdmin. In order to back up the database more effectively, and to keep multiple copies without wasting too much space, I would like to reduce the size of this database table. Is it possible?

Offline

#67 2015-07-06 08:56:33

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,270

Re: smd_access_keys: secure, limited access to content

ax wrote #292615:

the smd_akeys database table now has 537,224 records, and a size of 88,9 MiB

Holy smokes! Are you generating a new access key per request or something?!

Some of the space might be able to be reclaimed by shutting off IP tracking. If you are issuing unique keys for unique, one-off usage, the IP information is of limited use anyway. You could then empty (not delete!) that column.

Regarding the sheer number of rows, well, you could do a few things:

  • Find all keys that have exceeded or matched their max limit and delete them.
  • Find all keys that have expired and delete them.

I should probably add some bulk operations to the plugin so these two cases can be catered for more easily, but for now this sort of thing might work:

select * from smd_akeys where accesses > 0 and  accesses >= maximum

That’ll show you the potential records it would delete, so if you’re happy with that, swap the select * for delete and re-run it.

The expiry is trickier since the timestamp is encoded into hexadecimal for storage. You could use CONV to convert the t_hex column to a decimal string and then compare that time to the UNIX_TIMESTAMP of ‘right now minus some offset’, selecting anything that expired a few months ago, for example.

Once you’ve done all that, you can compact the table to reclaim any internal space.

That should shave you several MB off the table size as a starter. And if you hit upon a good MySQL query for the expiry case, please let me know as I’ll see if I can fold it into a tool in the plugin for future. Thanks.


Online

#68 2015-07-06 09:16:16

ax
Plugin Author
From: Germany
Registered: 2009-08-19
Posts: 165

Re: smd_access_keys: secure, limited access to content

Bloke wrote #292622:

Are you generating a new access key per request or something?!

Yes, I think so. The download links have the tokens, and I believe that they are generated every time that the download page is accessed. Thanks for your tips, will try and report back.

Offline

#69 2015-07-06 12:59:58

giampablo
Member
From: Italy
Registered: 2008-07-17
Posts: 86

Re: smd_access_keys: secure, limited access to content

Bloke wrote #292572:

How many categories are there that you want to protect, btw? If there are hundreds …

There are 59 courses (categories) with maybe 5/6 files each to be protected.
So I will follow the manual method and will keep things simple with a single shared key for the entire category.

By the way, I tested one generated key in a local environment and it did not work.
I receive the <p>No access to this resource, sorry.</p> message.
Maybe I should first localize your plugin in Italian? Maybe it is due to the local MAMP environment? I will do other tests and report.
This is the URL used:
http://localhost:8888/nome_sito/categoria/file/trekking...

So all you need to do is figure out a way to distribute that key to whichever students require it. You could stash the keys in a Form on your admin side, each one in a <txp:variable> so you can construct emails using zem_contact_reborn or something to mail out the keys. You can get as sophisticated as you like.

This is very clever. I could never have thought you could use zem_contact to send out emails with keys. But let’s keep it simple, for now.

As I say, if you wanted to make it so you only send out the access key portion, you’d need to build an HTML form inside the smd_access_protect tag’s <txp:else> container. When the MD5 portion of the key (e.g. 1d328eaaf9b8ccc0291656bf69b7eb8b9ce6e1cf/51964192) is pasted in and the submit button pressed, you can use jQuery (or something) to tack it onto the end of the current URL prior to submission, then the page will reveal the access controlled content when that URL is submitted.

Too hard for me. Not clever enough. lol

Sky’s the limit. Hope that helps.

The sky to me would be a list of folders/files in admin side with a corresponding “Share” button, opening a modal email window to send the key. A la Dropbox, to be clear… One can dream, no?

As usual, thanks a lot, Stef

Offline

#70 2015-07-07 05:12:03

ax
Plugin Author
From: Germany
Registered: 2009-08-19
Posts: 165

Re: smd_access_keys: secure, limited access to content

Bloke wrote #292622:

  • Find all keys that have exceeded or matched their max limit and delete them.

That was successful, but affected only a minority of rows.

  • Find all keys that have expired and delete them.

I played around with it for a while, but finally I chose to empty the table with truncate, and fortunately the application did not break. I guess that the table should be emptied periodically.

Offline

#71 2016-11-30 10:53:36

planeth
Plugin Author
From: Nantes, France
Registered: 2009-03-19
Posts: 215

Re: smd_access_keys: secure, limited access to content

Hey Stef,
I found a weird behavior in your plugin:
I send via email an access_key link to download a resource. The email service provider appends a query string to the link, so it looks like:
http://<my website>/file_download/6/<filename>/<access_key_key>/<some_other_access_key_part>?__s=<subscriber.token>
When accessing this url the page says “error 401”.
BUT the page seems to be reloaded (or redirected) and the address bar after 1 or 2 seconds shows the link stripped of the added query string.
But —again— if you want to have the download dialog you have to reload the page.

Question: is it a behavior of your plugin? Or of the browser?
Thanks :)

Offline

#72 2016-12-02 10:27:51

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,270

Re: smd_access_keys: secure, limited access to content

planeth wrote #303098:

I found a weird behavior in your plugin

I’ll try and look into this today and see if anything can be done about it.


Online
