smd_access_keys: secure, limited access to content

uli · 2017-10-25 12:31:19

Thanks for the detailed reflections, Stef. I had such a gut feeling about these plans. And the more complicated such a mechanism is, the more complicated is making it waterproof and testing all cases. Not suited for the current budget.

giampablo · 2018-01-31 18:22:37

Hi Stef,

Can you make smd_access_keys 4.7 compatible?
I started developing a site with 4.7-dev before finding out your plugin is needed…
Thanks a lot

P.S. Out of topic, 4.7-dev is actually very stable, as far as I can tell

Bloke · 2018-01-31 18:52:18

Does this beta not work? Must admit I’ve not tried it. Depending on your PHP version (e.g. 7+), you might get an error about mysql functions being removed. If so, the commit after the release I linked to fixes that.

If the plugin on the whole works okay, then I can roll out another beta with that fix in it. But if it’s totally broken on 4.7.0 then let me know what (specifically) isn’t working and I’ll get it sorted.

giampablo · 2018-02-01 10:20:21

Thank you. The beta seems ok (not throwing errors now, as with version 0.11 previously used).
But, on local environment, the generated key is not working.
Maybe it’s my fault, or the URL page in Italian, or MAMP environment is the problem. I will investigate and let you know. I used:
http:localhost:8888/my_site_name/categoria/file/category_name/my_trigger/55b11.......

and this is Italian text pack:

#@smd_akey
#@language it
smd_akey => Chiavi di accesso
smd_akey_accesses => Tentativi di accesso
smd_akey_btn_new => Nuova chiave
smd_akey_btn_pref => Preferenze
smd_akey_deleted => Chiavi eliminate: {deleted}
smd_akey_err_bad_token => Chiavi mancanti o deteriorate
smd_akey_err_expired => Accesso scaduto
smd_akey_err_forbidden => Accesso vietato
smd_akey_err_invalid_token => Chiave di accesso non valida
smd_akey_err_limit => Limite di accesso raggiunto
smd_akey_err_missing_timestamp => Timestamp mancante
smd_akey_err_unauthorized => Accesso non autorizzato
smd_akey_err_unavailable => Non disponibile
smd_akey_file_download_expires => Scadenza File download (in secondi)
smd_akey_generated => Chiave di accesso: {key}
smd_akey_log_ip => Registro indirizzi IP
smd_akey_max => Massimo
smd_akey_need_page => Devi inserire un URL di pagina
smd_akey_page => Pagina
smd_akey_prefs_saved => Preferenze salvate
smd_akey_prefs_some_explain => Questa è o una nuova installazione o una versione<br />del plugin diversa da quella che avevi prima.
smd_akey_prefs_some_opts => Clicca “Installa tabella” per aggiungere o aggiornare la tabella<br />lasciando intatti tutti i dati esistenti.
smd_akey_prefs_some_tbl => Info tabella non tutte disponibili.
smd_akey_pref_legend => Preferenze chiavi di accesso
smd_akey_salt_length => lunghezza salt (in caratteri)
smd_akey_tab_name => Chiavi di accesso
smd_akey_tbl_installed => Tabella installata
smd_akey_tbl_install_lbl => Installazione tabella
smd_akey_tbl_not_installed => Tabella non installata
smd_akey_tbl_not_removed => Tabella non rimossa
smd_akey_tbl_removed => Tabella rimossa
smd_akey_time => Emessa
smd_akey_trigger => Trigger

Bloke · 2018-02-01 10:30:52

Thanks for the Italian pack, I’ve added it to the plugin code.

The fact you’re using a different language shouldn’t affect the plugin – it’s just a URL – and localhost should work too (for the same reason). But I’ve not really given the plugin a grilling in either case. Any info you can supply on the results would be most helpful, thank you.

Destry · 2018-03-01 11:31:56

Rediscovering the fact this plugin existed. Bloke’s menagerie is a half-buried treasure chest. Or half revealed by the tides, maybe. I shall be rich from this one!¹ Or tarred and feathered. Will look forward to the non-beta, which is when I’ll be ready for it anyway.

***

^a “One does not simply walk in and get rich.” — Boromir

giampablo · 2018-04-13 15:01:55

Hi Stef,

With 4.7.0 beta 3 the generated key does not work, yet:

<txp:if_category type="file">
   <txp:smd_access_protect trigger="course-files" force="1">
      <h3><txp:category title="1" /> downloads</h3>
      <txp:file_download_list category='<txp:category />' limit="50" />
   <txp:else />
      <p>No access to this resource, sorry.</p>
   </txp:smd_access_protect>
</txp:if_category>

this is the key:
http://localhost/test-4.7.0beta3/categoria/file/trekking/course-files/fa64921165b4181278ef24af5eb31ae11dc8ad2a/5ad0b886

Changing prefs with lower salt length or different trigger, I always get the <txp:else /> part (No access to this resource).

Sorry for not giving you further details, the plugin does not seem broken (other than minor visual css).

Can you test smd_access_key ver 0.20 beta, please ?
Thank you

Last edited by giampablo (2018-04-13 15:04:13)

giampablo · 2018-04-16 14:03:18

Just for completeness, in debug mode this is the error notice:

Tag error: <txp:smd_access_protect trigger="a" force="1">
      <h3><txp:category title="1" /> downloads</h3>
      <txp:file_download_list category='<txp:category />' limit="50" />
  <txp:else />
      <p>No access to this resource, sorry.</p>
   </txp:smd_access_protect> ->  Textpattern Notice: tag is not registered while parsing form Nessuno on page default

Thanks for your support

jakob · 2018-04-16 19:01:14

giampablo wrote #311068:

Textpattern Notice: tag is not registered while parsing form …

That’s just a notice and shouldn’t actually affect how the plugin works. A registry of permitted tags was introduced a while back and it’s just letting you know that it’s not there.

Insert the following into the plugin code at about this line (i.e. just before the functions for plugin tags)

if (class_exists('\Textpattern\Tag\Registry')) {
        Txp::get('\Textpattern\Tag\Registry')
            ->register('smd_access_key')
            ->register('smd_if_access_error')
            ->register('smd_access_error')
            ->register('smd_access_info')
            ->register('smd_access_protect')
            ;
}

That should resolve that error, but I’m not sure that it will help with your other problem.

giampablo · 2018-04-17 12:57:47

Thanks Jacob,
unfortunately the problem is elsewhere.
I am eagerly waiting for Stef, to give the plugin a grilling under the current textpattern 4.7.0 beta, since the generated key is not working anymore with last beta version of smd_access_key.

Surely he will find a fix.

Bloke · 2018-04-17 13:58:22

Sorry for the delay. Not sure what the fix is exactly, as it depends how you protect the resources. You cannot, for example, protect access to an entire category. Each one needs to be defined. In your case, you can either do it this way:

Set up a File category called course-files
Assign all your course files to that category
Set up an access key to https://example.org/category/file/ with trigger course-files

OR

Assign all your course files to the various categories, trekking, hiking, snowboarding, …
Set up an access key to https://example.org/category/file/ with trigger trekking
Set up an access key to https://example.org/category/file/ with trigger hiking
Set up an access key to https://example.org/category/file/ with trigger snowboarding
…

Either way, you protect the resources with:

<txp:if_category type="file">
   <txp:smd_access_protect trigger="trigger, list, here">
      <h3><txp:category title="1" /> downloads</h3>
      <txp:file_download_list category='<txp:category />' limit="50" />
   <txp:else />
      <p>No access to this resource, sorry.</p>
   </txp:smd_access_protect>
</txp:if_category>

In the first instance your trigger list would just be course-files. In the second case, you would use trigger=trekking, hiking, snowboarding".

Note that I’ve taken off the force attribute since that allows you to access other file categories that are not protected as usual. If you use force="1", you will forbid ALL listings being shown from any file category, and only allow access to the ones if a valid token is given. If that’s what you want, then put the force back in.

You may like to experiment with section_mode="1" as well, but I’m not sure it will help you in this case. Although you may be able to forbid access to /category and then use the conditional inside that to only trigger access key checks for category type“file”. Not sure if it’ll work.

Most importantly, remember that the file downloads themselves are not protected in the above scenario. You can still go to example.org/file_download/1 and download the file – you don’t even need the file name! There are strategies for combatting this, mentioned in the plugin docs, but it might not work well with your implemetation above, as the keys for the files will be differerent to the keys for the listings.

Bottom line is that you still need to create a key per file (and potentially per category) you wish to protect, which is not optimal in this case. When I get round to fixing this plugin’s admin side for 4.7.x I might see if it’s possible to rethink it slightly to be more applicable to protect groups of assets with a single key.

giampablo · 2018-04-17 17:00:27

Hi Bloke,
I experimented in a fresh local (MAMP) textpattern 4.7.0 beta 3 install, doing exactly what you suggested.

Assign all my course files to the various categories, trekking, hiking, snowboarding, …
Set up an access key to http://localhost/categoria/file/ with trigger trekking
Set up an access key to http://localhost/categoria/file/ with trigger hiking
Set up an access key to http://localhost/categoria/file/ with trigger snowboarding

then in home page

<txp:if_category type="file">
   <txp:smd_access_protect trigger="trekking,hiking,snowboard" force="0">
      <h3><txp:category title="1" /> downloads</h3>
      <txp:file_download_list category='<txp:category />' limit="50" />
   <txp:else />
      <txp:smd_if_access_error>
      <txp:smd_access_error item="code, message"
          break="br" />
   </txp:smd_if_access_error>
   </txp:smd_access_protect>
</txp:if_category>

With the first and second access key I get error: 403 missing or mangled access key
The third access key works!!!! But, removing from the URL the secret/salt part (i.e. http://localhost:8888/txp4.7.0/categoria/file/snowboarding/) it works, too (no protection). And changing to force=“1” I have: 401 Forbidden Access.

Clearly, there is some corruption in the access key generation.
You should try by yourself.
Hope it helps

giampablo · 2018-04-17 17:22:49

Ooops, I just found out that I used <txp:smd_access_protect trigger="trekking,hiking,snowboard" instead of snowboarding.
My bad.
Now, after correcting the trigger, with the third access key the error is again 403, missing or mangled key, no matter if force is 0 or 1.

Sorry for confusion…

Bloke · 2018-04-17 17:32:46

Darn, I swear it was working when I tried it. Sorry for the hassle.

I’ll check it out later today. I have to fix the admin side anyway, and there’s some weird array-to-string conversion issue I need to fix as well as do the tag registration.

jayrope · 2018-04-27 13:26:18

Stef,

can i use smd_access_keys to establish a double login scheme, ergo someone logging in needs to confirm with a code sent in an email, before being admitted to log into the backend?

Textpattern CMS

Textpattern CMS support forum

#91 2017-10-25 12:31:19

Re: smd_access_keys: secure, limited access to content

#92 2018-01-31 18:22:37

Re: smd_access_keys: secure, limited access to content

#93 2018-01-31 18:52:18

Re: smd_access_keys: secure, limited access to content

#94 2018-02-01 10:20:21

Re: smd_access_keys: secure, limited access to content

#95 2018-02-01 10:30:52

Re: smd_access_keys: secure, limited access to content

#96 2018-03-01 11:31:56

Re: smd_access_keys: secure, limited access to content

#97 2018-04-13 15:01:55

Re: smd_access_keys: secure, limited access to content

#98 2018-04-16 14:03:18

Re: smd_access_keys: secure, limited access to content

#99 2018-04-16 19:01:14

Re: smd_access_keys: secure, limited access to content

giampablo wrote #311068:

#100 2018-04-17 12:57:47

Re: smd_access_keys: secure, limited access to content

#101 2018-04-17 13:58:22

Re: smd_access_keys: secure, limited access to content

#102 2018-04-17 17:00:27

Re: smd_access_keys: secure, limited access to content

#103 2018-04-17 17:22:49

Re: smd_access_keys: secure, limited access to content

#104 2018-04-17 17:32:46

Re: smd_access_keys: secure, limited access to content

#105 2018-04-27 13:26:18

Re: smd_access_keys: secure, limited access to content

Board footer