smd_access_keys: secure, limited access to content

jayrope · 2011-07-25 12:45:04

Hi Stef, same here, am slowed down by having to work on another project. However, i implemented your last suggestions and they did help a lot. Unfortunately i ran into a totally different issue, which mainly has to do with sending out the proper mime-type headers on access-keyed mp3. Will have to analyze that in detail however. It is possible, that jpcache was the originator of the problem. More later. Thank you!

sacripant · 2011-09-20 18:49:25

Hello Steph,
My feedback for smd_access_key 0.11. Better late than never

the requirement

The user must provide documents to some of these clients. 1 or 2 times a year. No more.
The client does not need a login and password to access just a once a year on a site to download some documents.
So I chose the principle of access keys.

For the user

Create a file category with the name of his client.
- This category should be stored as a child of the category “private”.
- He can create as many customer category they want.
Import the files to be transmitted in the category
Generation of the access key only from the back office and transmitted to the client by mail.

To simplify the process for the user, I searched for a solution that is always the same url (url of the category private) and the trigger is the name of the category (ie the client).

url : site_url/category/file/private/
trigger : category name

1st problem: the translation of urls for categories.

In French, the URL is
site_url/catégorie/file_context/fichiers-prives
But this url does not work and returns a 404 error
We must replace the é with %C3%A9
site_url/cat%C3%A9gorie/file_context/fichiers-prives

This is a bit complicated to explain to my client.

The file “lang FR” has been updated a few days ago and now the url is:
site_url/catégorie/fichier/fichiers-prives
This update may cause redirect problems… I should explain that to my client…

2nd problem: the display of errors (smd_access_error)

I think the plug’in was not designed to operate in a loop category.

<txp:category_list type="file" parent='<txp:category />' exclude='<txp:category />' break="" >
	<txp:smd_access_protect expires="172800" trigger='<txp:category />' force="1">
		<txp:file_download_list category='<txp:category />' sort="created desc" limit="999" break="" />
	<txp:else />
		<txp:output_form form="access-keys-errors" />
	</txp:smd_access_protect>
</txp:category_list>

Whatever the trigger used in the url (the first, second, third loop) is always the output_form “access-keys-error” of the first loop will be used.

For the good output_form be used with the good trigger, I had to juggle with variables (it’s understandable? not sur).

My code (certainly crooked but it works)

cat_list:

<txp:category_list type="file" parent='<txp:category />' exclude='<txp:category />' break="" >
	<txp:smd_access_protect expires="172800" trigger='<txp:category />' force="1">
		<h2 class="clear"><txp:category title="1" /></h2>

		<txp:variable name="maximum" value='<txp:smd_access_info item="maximum"/>' />
		<txp:if_variable name="maximum" value="0">
			<txp:variable name="max-value" value="∞"/>
		<txp:else />
			<txp:variable name="max-value" value='<txp:smd_access_info item="maximum"/>' />
		</txp:if_variable>

		<p>Cette clef d'accès expirera le <strong><txp:smd_access_info item="expires" format="%d %m %Y à %H:%M:%S"/></strong> <br />
			Nombre de connection(s) autorisée&nbsp;: <strong><txp:variable name="max-value" /></strong> <br />
			Nombre de connection(s) enregistrées&nbsp;: <strong><txp:smd_access_info item="accesses"/></strong> </p>

		<txp:variable name="style" value="last" />
		<txp:file_download_list category='<txp:category />' sort="created desc" limit="999" break="" />

		<txp:variable name="error" value="yes" />
	<txp:else />
			<txp:output_form form="access-keys-errors" />
	</txp:smd_access_protect>
</txp:category_list>

output_form ‘access-keys-errors’:

<txp:smd_if_access_error type="smd_akey_err_expired, smd_akey_err_limit, smd_akey_err_bad_token, smd_akey_err_missing_timestamp">
	<txp:variable name="keys-error" value="yes" />
<txp:else />
	<txp:variable name="keys-error" value="no" />
</txp:smd_if_access_error>

<txp:if_variable name="keys-error" value="yes">
	<txp:smd_if_access_error>
		<h2 class="clear">Erreur <txp:smd_access_error item="code"/></h2>
		<txp:smd_if_access_error type="smd_akey_err_forbidden">
		   	<h3><txp:smd_access_error item="message" break="br" message="L'accès à cette page est vérouillée."/></h3>
		<txp:else />
		   <txp:smd_if_access_error type="smd_akey_err_expired, smd_akey_err_limit">
		      	<h3><txp:smd_access_error item="message" break="br" message="Votre clef d'accès a soit expiré soit atteind son nombre de connexion maximum"/></h3>
			<txp:else />
				<txp:smd_if_access_error type="smd_akey_err_bad_token, smd_akey_err_missing_timestamp">
			      	<h3><txp:smd_access_error item="message" break="br" message="Votre clef d'accès n'est pas conforme, vous ne pouvez accéder à cette page"/></h3>				
				<txp:else />
					<h3>Une erreur s'est produite pour accéder à cette page</h3>
				</txp:smd_if_access_error>	
		   </txp:smd_if_access_error>
		</txp:smd_if_access_error>
		<p>N'hésitez pas à <a class="go-contact" href="#contact">nous contacter</a> si vous avez un problème pour accéder à vos informations</p>
	</txp:smd_if_access_error>
	<txp:variable name="error" value="yes" />
</txp:if_variable>

mrdale · 2011-09-20 20:43:12

Hi Stef,

Been meaning to ask.

Could this plugin be used to handle gift-certificate or coupon-code style functionality?, ie code, displays content once only, then the content is no longer available to that user?

jakob · 2011-09-20 21:17:12

@Dale, yes it can :-) The access key URL is a long string but you can set either access duration or number of accesses. After that the resource is no longer accessible.

mrdale · 2011-09-21 01:28:51

jakob wrote: …access duration or number of accesses. After that the resource is no longer accessible.

…but not per user/viewer, right?

jakob · 2011-09-21 07:40:57

As far as I understand it (only used it once so far), you can issue many access keys for a single resource, so providing each user is given a unique coupon (access key), you can do that.

If you mean a single coupon code that is given to many people, each of whom can use that same coupon code once, I don’t think that’s possible (but I could be wrong).

Bloke · 2011-09-21 10:16:50

sacripant wrote:

the translation of urls for categories.

Thanks for the detailed feedback: it really helped get straight to the problem.

This issue is actually the reason behind both your issues. I forgot to decode the URL from its percent-encoded state so it never matches the actual URL. If you try the new beta I’ve just uploaded, site.com/catégorie/fichier/private/client1/{token}/{timestamp} URLs should now work fine. Please let me know how you get on and if there are any more oddities.

btw, in doing this fix I also noticed two things:

When creating a new key from the admin side you get a white screen. Fixed
There is no way to generate section_mode URLs from the admin-side. Not fixed (yet).

mrdale

jakob is right: each generated URL token is unique. To implement gift cert(ish) behaviour you can either:

Generate an “open” certificate, perhaps time-limited, and issue it to as many people as you like
Do (1) but limit it to the first ‘N’ people who use it
Generate a single-use certificate on-demand and send one to each person. Once used, game over

Once you smd_access_protect the destination page given in the URL you can validate the token and apply some transform like “price CF – 20%”. The thing to remember is that an access token protects a resource (Txp URL / file) so it’s not a true coupon code like “MRDALE-MEGACODE-10293847” that you can pass around and use in some other form.

FYI, option 3 can be generated in the Thanks Form of a zcr after you’ve nefariously ferreted away someone’s personal details, or after a successful PayPal transaction via the as-yet unreleased smd_ipn plugin.

Last edited by Bloke (2011-09-21 10:18:41)

mrdale · 2011-09-21 14:44:04

Hrm… very interesting… must cogitate.

Theoretically, all it would need to track per-user use is a field that would collect user IDs and a way of concatenating a user ID# to that field on access…

curiouser and curiouser.

This is a ingenious little plugin. You’re a right clever limey, encha?

Bloke · 2011-09-21 15:01:04

mrdale wrote:

Theoretically, all it would need to track per-user use is a field that would collect user IDs and a way of concatenating a user ID# to that field on access…

Check out the extra attribute then, and see example 3 in the help. You can pack arbitrary content into the key itself and then extract it on access.

husainhk · 2011-09-25 11:29:44

Hey all, anybody made this work with zem_contact_reborn? I haven’t started playing with the plugin yet, but would like to know if any special set up is required.

I am aiming for the user to provide a name and an email address, before allowing access to a page, which will be available as a redirect after the form is submitted.

Many thanks!

Textpattern CMS

Textpattern CMS support forum

#21 2011-07-25 12:45:04

Re: smd_access_keys: secure, limited access to content

#22 2011-09-20 18:49:25

Re: smd_access_keys: secure, limited access to content

the requirement

For the user

1st problem: the translation of urls for categories.

2nd problem: the display of errors (smd_access_error)

My code (certainly crooked but it works)

#23 2011-09-20 20:43:12

Re: smd_access_keys: secure, limited access to content

#24 2011-09-20 21:17:12

Re: smd_access_keys: secure, limited access to content

#25 2011-09-21 01:28:51

Re: smd_access_keys: secure, limited access to content

#26 2011-09-21 07:40:57

Re: smd_access_keys: secure, limited access to content

#27 2011-09-21 10:16:50

Re: smd_access_keys: secure, limited access to content

#28 2011-09-21 14:44:04

Re: smd_access_keys: secure, limited access to content

#29 2011-09-21 15:01:04

Re: smd_access_keys: secure, limited access to content

#30 2011-09-25 11:29:44

Re: smd_access_keys: secure, limited access to content

Board footer