Textpattern CMS support forum
Re: smd_access_keys: secure, limited access to content
Hi Stef,
With 4.7.0 beta 3 the generated key does not work, yet:
<txp:if_category type="file">
    <txp:smd_access_protect trigger="course-files" force="1">
        <h3><txp:category title="1" /> downloads</h3>
        <txp:file_download_list category='<txp:category />' limit="50" />
    <txp:else />
        <p>No access to this resource, sorry.</p>
    </txp:smd_access_protect>
</txp:if_category>
this is the key:
http://localhost/test-4.7.0beta3/categoria/file/trekking/course-files/fa64921165b4181278ef24af5eb31ae11dc8ad2a/5ad0b886
Changing prefs with lower salt length or different trigger, I always get the <txp:else /> part (No access to this resource).
Sorry for not giving you further details, the plugin does not seem broken (other than minor visual css).
Can you test smd_access_key ver 0.20 beta, please?
Thank you
Last edited by giampablo (2018-04-13 15:04:13)
Re: smd_access_keys: secure, limited access to content
Just for completeness, in debug mode this is the error notice:
Tag error: <txp:smd_access_protect trigger="a" force="1">
<h3><txp:category title="1" /> downloads</h3>
<txp:file_download_list category='<txp:category />' limit="50" />
<txp:else />
<p>No access to this resource, sorry.</p>
</txp:smd_access_protect> -> Textpattern Notice: tag is not registered while parsing form Nessuno on page default
Thanks for your support
Re: smd_access_keys: secure, limited access to content
giampablo wrote #311068:
Textpattern Notice: tag is not registered while parsing form …
That’s just a notice and shouldn’t actually affect how the plugin works. A registry of permitted tags was introduced a while back and it’s just letting you know that it’s not there.
Insert the following into the plugin code at about this line (i.e. just before the functions for plugin tags)
// Register the plugin's public tags with Textpattern's tag registry, when that class exists
if (class_exists('\Textpattern\Tag\Registry')) {
    Txp::get('\Textpattern\Tag\Registry')
        ->register('smd_access_key')
        ->register('smd_if_access_error')
        ->register('smd_access_error')
        ->register('smd_access_info')
        ->register('smd_access_protect')
    ;
}
That should resolve that error, but I’m not sure that it will help with your other problem.
TXP Builders – finely-crafted code, design and txp
#100 2018-04-17 12:57:47
Thanks Jacob,
unfortunately the problem is elsewhere.
I am eagerly waiting for Stef, to give the plugin a grilling under the current textpattern 4.7.0 beta, since the generated key is not working anymore with last beta version of smd_access_key.
Surely he will find a fix.
#101 2018-04-17 13:58:22
Sorry for the delay. Not sure what the fix is exactly, as it depends how you protect the resources. You cannot, for example, protect access to an entire category. Each one needs to be defined. In your case, you can either do it this way:
- Set up a File category called course-files
- Assign all your course files to that category
- Set up an access key to https://example.org/category/file/ with trigger course-files
OR
- Assign all your course files to the various categories, trekking, hiking, snowboarding, …
- Set up an access key to https://example.org/category/file/ with trigger trekking
- Set up an access key to https://example.org/category/file/ with trigger hiking
- Set up an access key to https://example.org/category/file/ with trigger snowboarding
- …
Either way, you protect the resources with:
<txp:if_category type="file">
    <txp:smd_access_protect trigger="trigger, list, here">
        <h3><txp:category title="1" /> downloads</h3>
        <txp:file_download_list category='<txp:category />' limit="50" />
    <txp:else />
        <p>No access to this resource, sorry.</p>
    </txp:smd_access_protect>
</txp:if_category>
In the first instance your trigger list would just be course-files. In the second case, you would use trigger="trekking, hiking, snowboarding".
Note that I’ve taken off the force attribute since that allows you to access other file categories that are not protected as usual. If you use force="1", you will forbid ALL listings being shown from any file category, and only allow access to the ones if a valid token is given. If that’s what you want, then put the force back in.
You may like to experiment with section_mode="1" as well, but I’m not sure it will help you in this case. Although you may be able to forbid access to /category and then use the conditional inside that to only trigger access key checks for category type “file”. Not sure if it’ll work.
Most importantly, remember that the file downloads themselves are not protected in the above scenario. You can still go to example.org/file_download/1 and download the file – you don’t even need the file name! There are strategies for combatting this, mentioned in the plugin docs, but it might not work well with your implementation above, as the keys for the files will be different to the keys for the listings.
Bottom line is that you still need to create a key per file (and potentially per category) you wish to protect, which is not optimal in this case. When I get round to fixing this plugin’s admin side for 4.7.x I might see if it’s possible to rethink it slightly to be more applicable to protect groups of assets with a single key.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
#102 2018-04-17 17:00:27
Hi Bloke,
I experimented in a fresh local (MAMP) textpattern 4.7.0 beta 3 install, doing exactly what you suggested.
Assign all my course files to the various categories, trekking, hiking, snowboarding, …
Set up an access key to http://localhost/categoria/file/ with trigger trekking
Set up an access key to http://localhost/categoria/file/ with trigger hiking
Set up an access key to http://localhost/categoria/file/ with trigger snowboarding
then in home page
<txp:if_category type="file">
    <txp:smd_access_protect trigger="trekking,hiking,snowboard" force="0">
        <h3><txp:category title="1" /> downloads</h3>
        <txp:file_download_list category='<txp:category />' limit="50" />
    <txp:else />
        <txp:smd_if_access_error>
            <txp:smd_access_error item="code, message" break="br" />
        </txp:smd_if_access_error>
    </txp:smd_access_protect>
</txp:if_category>
With the first and second access key I get error: 403 missing or mangled access key
The third access key works!!!! But, removing from the URL the secret/salt part (i.e. http://localhost:8888/txp4.7.0/categoria/file/snowboarding/) it works, too (no protection). And changing to force="1" I have: 401 Forbidden Access.
Clearly, there is some corruption in the access key generation.
You should try by yourself.
Hope it helps
#103 2018-04-17 17:22:49
Oops, I just found out that I used <txp:smd_access_protect trigger="trekking,hiking,snowboard" instead of snowboarding.
My bad.
Now, after correcting the trigger, with the third access key the error is again 403, missing or mangled key, no matter if force is 0 or 1.
Sorry for confusion…
#104 2018-04-17 17:32:46
Darn, I swear it was working when I tried it. Sorry for the hassle.
I’ll check it out later today. I have to fix the admin side anyway, and there’s some weird array-to-string conversion issue I need to fix as well as do the tag registration.
#105 2018-04-27 13:26:18
Stef,
can i use smd_access_keys to establish a double login scheme, ergo someone logging in needs to confirm with a code sent in an email, before being admitted to log into the backend?
A hole turned upside down is a dome, when there’s also gravity.
#106 2018-04-27 13:39:52
jayrope wrote #311479:
can i use smd_access_keys to establish a double login scheme, ergo someone logging in needs to confirm with a code sent in an email, before being admitted to log into the backend?
You can’t restrict admin-side login attempts out of the box because Txp doesn’t run plugins there.
But if you did your own public login scheme, then yes you could make the landing page after login protected by the plugin. Have it generate an email with an access key to somewhere, and display a message: “To see this content, please check your email and click the link”.
How you would bypass this on second login, I don’t know exactly, besides setting a cookie.
Offline
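The mailed-link confirmation suggested in the reply above, shown in plain PHP as an added example that is not part of the thread and is not code from smd_access_keys or Textpattern. It uses an HMAC-signed, expiring link rather than the plugin's own key format; the function names, the secret, the 15-minute lifetime and the sample users are assumptions.

```php
<?php
// Added example: plain PHP, not smd_access_keys or Textpattern code.
// Function names, the secret and the lifetime are assumptions.

const CONFIRM_TTL = 900; // seconds a mailed link stays valid (assumed policy)

// Build the path to mail out: "<trigger>/<token>/<expiry as hex>".
function issue_confirm_path(string $secret, string $user, string $trigger, int $now): string
{
    $expires = dechex($now + CONFIRM_TTL);
    // json_encode() keeps the three fields unambiguous inside the MAC input.
    $token = hash_hmac('sha256', json_encode([$user, $trigger, $expires]), $secret);
    return "$trigger/$token/$expires";
}

// True only for an untampered, unexpired link issued to this user.
// $user must come from the login session, never from the URL itself.
function verify_confirm_path(string $secret, string $user, string $path, int $now): bool
{
    $parts = explode('/', trim($path, '/'));
    if (count($parts) !== 3) {
        return false;                       // missing or extra segments
    }
    [$trigger, $token, $expires] = $parts;
    if (!ctype_xdigit($expires) || strlen($expires) > 8) {
        return false;                       // expiry is not a sane hex timestamp
    }
    $expected = hash_hmac('sha256', json_encode([$user, $trigger, $expires]), $secret);
    // hash_equals() compares in constant time, so the check leaks no prefix match.
    return hash_equals($expected, $token) && hexdec($expires) >= $now;
}

// Constructed sample values.
$secret = bin2hex(random_bytes(32));        // stays server-side
$now    = 1524836392;
$path   = issue_confirm_path($secret, 'alice', 'members-home', $now);

var_dump(verify_confirm_path($secret, 'alice', $path, $now + 60));   // same user, in time
var_dump(verify_confirm_path($secret, 'bob', $path, $now + 60));     // link used by another user
var_dump(verify_confirm_path($secret, 'alice', $path, $now + 901));  // after the lifetime
// Expiry segment edited by hand to extend the link: the MAC no longer matches.
$tampered = preg_replace('#/[0-9a-f]+$#', '/' . dechex($now + 86400), $path);
var_dump(verify_confirm_path($secret, 'alice', $tampered, $now + 901));
```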
#107 2018-04-27 14:01:59
Hi Stef,
any news about fixing the plugin?
Sorry to bother you, but my client is pushing…
Rgds
#108 2018-04-27 14:08:11
giampablo wrote #311481:
any news about fixing the plugin?
I made plenty of fixes on the GitHub repo. You’re welcome to try that code as it’s been working okay for me. I’m just doing some more tests before packaging an official release.