Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
Re: smd_access_keys: secure, limited access to content
Hi again and thanks to both of you! @uli you made my day!
It worked like this: <a href="<txp:smd_access_key url='/file_download/<txp:custom_field name="doc" />' />">Download</a>.
Offline
Re: smd_access_keys: secure, limited access to content
I wonder if it is possible to protect an image like smd_access_key protect files. So people can see thumbnails but not full articles images.
Offline
Re: smd_access_keys: secure, limited access to content
v0.11 has finally landed. Features:
- Added
expiresto<txp:smd_access_key>tag so you can choose to have the key itself expire instead of just the resource endpoint - Added
section_modeattribute (thanks sacripant) - Plays nicely with gbp_permanent_links (thanks jakob)
- Fixed no-criteria output
- Fixed subdir URL error (thanks sacripant)
- Fixed URL decoding (thanks sacripant)
I’ll look into the other things on the todo list when I get a chance and I’ve worked out where the gaps are between this and smd_remote_file, which is currently re-undergoing development.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: smd_access_keys: secure, limited access to content
Hi Stef,
I like how smd_access_keys verifies that a requested filename is correct before allowing the file to download:
Note that TXP normally allows you to type anything after the /id/ as a filename and still retrieve the file; smd_access_key will not: the filename must match exactly
Is it possible for me to make this the default behaviour so that it works even when a key isn’t generated? Or could it be made into another standalone plugin? I think this adds a little more security than allowing files to be downloaded by ID alone.
Thanks again.
Offline
Re: smd_access_keys: secure, limited access to content
hidalgo wrote:
Is it possible for me to make this the default behaviour so that it works even when a key isn’t generated?
Sorry, not without a plugin (which is fairly simple to write or steal from the smd_access_keys code) or a core change.
Not sure why the filename is ignored by the core. There must have been a deep-seated reason for it in the dim and distant past.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: smd_access_keys: secure, limited access to content
There ‘s possibility to store access_key in a variable and than use smd_if to check it?
The access should be open in whole site.
Is this way practicable?
Offline
Re: smd_access_keys: secure, limited access to content
Hi
Is it possible sometimes to protect an item with a password?
How do I do that then? Can someone please show me the code?
Excuse for such an extensive plugin I do not always look through
Offline
Re: smd_access_keys: secure, limited access to content
Hey Stef ;)
I didn’t study your plugin yet. But, here is my question:
On a website where books are sold (yab_shop integration) and eBooks too (custom PHP script), I project to apply coupon codes for a limited time by grabbing some attributes from the Urls. Do you think your plugin can help, and how ?
Thanks by advance for your response.
(I just thinking I omitted to send you my Christmas gift, I’m going to correct it, mate ;)
Edit: problem solved with my custom script.
Last edited by Pat64 (2012-12-18 17:27:13)
Patrick.
Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.
Offline
Re: smd_access_keys: secure, limited access to content
To copy and paste a key generated by smd_access_keys in TXP itself, there seems to be just a single moment to do this…
smd_access_keys version 0.11 is accessed in TXP 4.5.4 under Extensions > Access keys (So far, so good)
I enter the ‘page’ [http://www.mysite/stuff] and the ‘trigger’ [things], to protect a part of a page at http://www.mysite/stuff/things which has the tags wrapped round like this:
<txp:smd_access_protect trigger="things" force="1">
<p>Protected content on the page called 'Things'<p>
</txp:smd_access_protect>
The only time the key appears is when I click on ‘Add’; I can’t ever access this key again once it’s been created
(Sorry there’s such a long preamble) Two questions:
- Is this right?
- Should I generate a key for sending by email differently?
Many thanks :-)
Also having a problem the key stopping working, as though it’s expired, but one thing at a time…
Offline
Re: smd_access_keys: secure, limited access to content
gavnosis wrote:
The only time the key appears is when I click on ‘Add’; I can’t ever access this key again once it’s been created. Is this right?
It’s right insofar as that’s how the plugin works, yes. But whether it’s right — as in useful functionality — well, that’s debatable. But for security reasons, that’s the way it works.
Creating keys from the admin side is usually a one-off deal in response to someone asking “I can’t get to such-and-such resource ‘cos my token’s expired/broken/whatever” so you create them a new one on the fly and mail it out. Thus you only ever need to see it once. The fact it’s in the transient popup message is a little bit annoying, but hopefully in Txp 4.6 with jQuery UI now available I’ll be able make this a bit more sexy in a dialog or something. That should allow you to pop it up again as long as you haven’t refreshed the page in the meantime.
Should I generate a key for sending by email differently?
You could let people create tokens themselves from the public side using the plugin’s tags. I think there’s an example in the docs. But even doing that, there’s no record kept of the actual token itself aside from the one time it’s printed on the screen because you normally don’t want any long term record of the keys anywhere. The exception is if you want them to be that way, i.e. publish them for logged-in-users to see or email them out to people in response to a paid-for service, etc. But the key itself is never stored anywhere; only the mechanism to recreate the conditions of its generation are noted so when a resource is requested the token can be validated.
The general idea is that if you want a persistent token you either create a long expiry or allow unlimited use of it, then you can mail it out to as many folk as you like and everyone can use it. Or you make them limited in functionality; in which case your page logic (tags) generate tokens and send them out in response to user actions. As mentioned above, the admin side key generation was conceived only as a fallback in case you ever need it.
Also having a problem the key stopping working, as though it’s expired, but one thing at a time…
OK, if you let me know the tags you’re using on the page, what you are trying to achieve and (if relevant) how your access key prefs are set up, I’ll see what I can do to help.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: smd_access_keys: secure, limited access to content
Thank you Stef, my plan was actually to have a series of unique keys to unique photo galleries – so, whilst sending a key is a bit clunky, it’s probably right in this instance: a person has access to their own photo galleries and only their own (There’s a really neat plugin called smd_gallery I’ve been using)… so I don’t think people generating their own token is appropriate.
As to the other bit where the the token seems to expire, I’ll run through the series of steps I’m doing and post my recipe in a bit. (I’m hoping it’s just some simple error I’m making)
Thank you!
Offline
Re: smd_access_keys: secure, limited access to content
Hola, Stef!
Don’t worry, this is just a report:
When I attempt to install smd_access_keys on my development server, I get a popup right after the confirmation step:
Internal error “BLOB/TEXT column ‘ip’ can’t have a default value”.
Then the page loads with the following message, no Textpattern interface:
I’m sorry. I’m afraid I can’t do that;
plugin plugin_installis an unsafe operation.
I tried installing it with ied_plugin_composer, and it works if I disable “Perform post-install actions”, but then I get no database table, and the plugin doesn’t work.
I got it installed successfully on another server—I will try exporting the required database schema and importing that into my local place. I’ll write back if that doesn’t work. Update: It worked.
This problem appears to be isolated to smd_access_keys.
Some of the diagnostic info:
Textpattern version: 4.5.7 (r5900)
Last update: 2014-09-26 17:57:14/2014-09-26 17:50:52
Permanent link mode: section_title
Temporary directory path: /tmp
Site URL: dev.universalistfriends.org
PHP version: 5.6.4
GD Graphics Library: bundled (2.1.0 compatible); supported formats: GIF, JPG, PNG.
Server TZ: Europe/Zurich
Server local time: 2015-03-12 20:21:26
DST enabled?: 1
Automatically adjust DST setting?: 1
Time zone: America/New_York (-18000)
MySQL: 5.6.21
Locale: en_US.UTF-8
Server: Apache/2.4.9 (Unix) PHP/5.6.4
Apache version: Apache/2.4.9 (Unix) PHP/5.6.4
PHP server API: apache2handler
RFC 2616 headers:
Server OS: Darwin 14.1.0
Active plugins: rah_output_section_form-0.5, smd_each-0.2, adi_calc-1.1, zem_contact_lang-4.0.3.6, zem_contact_reborn-4.0.3.20, adi_gps-0.2, rah_repeat-1.0.1, smd_short_url-0.21, aam_typogrify-0.1, rvm_privileged-0.4, rvm_substr-0.3, czg_if_comment_cookies-0.1, wet_if_status-0.2, rah_metas-1.5, rvm_mail_comments-0.1m, smd_random_text-0.14, pat_speeder-0.5, cnk_versioning-0.1.7 bm, upm_textile-0.3, pax_grep-0.2, soo_page_numbers-0.3.1, tru_tags-3.7, smd_macro-0.20, wet_babble-0.2m, jnm_comments_reply-0.3, aks_cache-0.2.8, rah_sitemap-1.2, jbx_multiple_image_upload-0.5.3, soo_txp_obj-1.1.1, wet_haystack-0.6, smd_faux_role-0.20m, bot_write_tab_customize-0.7.2, bot_cf_titles-0.3m, rah_status_dropdown-0.5, smd_image_selector-0.10, rah_wrach-0.3, smd_where_used-0.30, rah_section_titles-0.7, smd_bio-0.40, glz_custom_fields-1.4.0-beta, smd_featured-0.50, smd_user_manager-0.21, arc_meta-1.3.0, ied_plugin_composer-1.06
Admin-side theme: hive 4.5.7
I hope this helps!
Last edited by johnstephens (2015-03-12 19:53:18)
Offline