[MOD-DB] Page Permissions 1.2.1

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

IMPORTANT: MOD Development Forum rules

On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.
Locked
User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

[MOD-DB] Page Permissions 1.2.1

Post by drathbun »

Released! :-D

http://www.phpbb.com/phpBB/viewtopic.php?t=503164

Topic closed, please direct any questions and/or comments to the release topic, thanks to everyone that tested and made your inputs, as it made this MOD that much better in the long run.


Edit - Changed status to [RC7]

Download link removed, please use the release topic, thanks.

**************************
Edit January 17, 2007
Presenting the "Isn't this thing approved yet?" version of Page Permissions. Version 1.2.1 has a couple of minor updates (one for XHTML compliance and one to ensure the admin menu entry is actually a language string), an optional SQL update (provide a NOT NULL attribute on a primary key) and a major security fix. I encourage you to update right away (the udpate from 1.2.0 involves simply copying 4 files and you're done) otherwise your protected content is at risk.

The security update involves a very simple but important change to the main page permissions code found in includes/page_permissions.php. Please download and overwrite your file ASAP. If you are not on the most current version there are instructions in the /contrib folder to help you get to the 1.2.1 version. If you do not want to apply all of those changes you MUST make at least this change:

Code: Select all

open includes/page_permissions.php
find PHP_SELF
replace with SCRIPT_NAME
The final line of code looks like this when you're done:

Code: Select all

$current_page_parts = pathinfo($HTTP_SERVER_VARS['SCRIPT_NAME']);
There are security issues with PHP_SELF that are fixed by replacing it with SCRIPT_NAME. Again, I urge anyone that has installed this code to make this update ASAP.

Thanks to the MOD Team for catching this and helping me to validate the solution.

**************************
Edit December 1, 2006
Presenting the "Just One More Feature" edition of Page Permissions 8)
It occurred to me tonight that by adding a new table to your database I should also do you the favor of including that table in the standard phpBB backup script. So there is a slight change to the installation routine for version 1.2.0 that will include the "phpbb_pages" table automatically with the standard backup routine.

An update from 1.1.0 is included in the /contrib folder of the download.

**************************
Edit November 30, 2006
Presenting the "Hope 2B Approved" edition of Page Permissions 8)

The version number did not change for this update as there are no code changes. I simply reformatted the MOD Install text file and resubmitted it to the MOD Team for validation. Hopefully my next post in this topic will be a link to the release topic.

**************************
Edit October 30, 2006
Presenting the "Almost a Pumpkin" edition of Page Permissions :lol:

Changed in this release
  • Fixed bug where the wrong cache file name was used
  • Changed author notes to reflect proper way to protect the cache file if using eXtreme Styles MOD
  • Added a custom disable message that can optionally be used to provide more detail about why a specific page is disabled
  • Update notes are included from version 1.0.x to 1.1.0, and include one SQL command plus overwriting all existing files provided by this MOD
There should not be any security issues with this release, so if you don't want to upgrade (if you're happy with the code you're using now) then the only fix you need to apply is

Code: Select all

OPEN includes/page_permissions.php
FIND cache_pages
REPLACE WITH cache_page_permissions
That will fix the bug present in 1.0.2.

**************************
Edit September 25, 2006
Updated title, changed status to RC3
Download package includes 1.0.2 code and install file. If you are using 1.0.0 or 1.0.1 there are update instructions in the /contrib folder. Versions prior to 1.0.0 are no longer supported. There were a couple of bugs identified, one introduced in 1.0.1 and one present for quite a while, both were fixed. Changes in this version include bug fixes and a reworked cache system, as detailed here:
  • Fixed bug that caused private pages with more than one group associated with them to report "access denied" message
  • Fixed bug where users in "pending" status for group membership still got access to group pages
  • Removed some extra code
  • Reworked cache system to make it more flexible and compatible with other phpBBDoctor MODs as follows:
    • Renamed cache/cache_pages.php to cache/cache_page_permissions.php for consistency
    • used $phpEx whenever possible
    • Removed admin/phpbbdoctor_cache_functions.php
    • Replaced with includes/functions_phpbbdoctor_cache.php
    • Added an "include" in common.php to include caching functions
  • Removed the admin language entries from lang_admin.php and created a stand-alone language file to make updates easier
**************************

Edit September 17, 2006
Updated title, changed status to RC2
Download package includes only the current 1.0.1 release only, prior versions are no longer available or supported.

The author notes have been updated to include answers to common questions from this topic.

Current users of this MOD simply overwrite includes/page_permissions.php and admin/admin_page_permissions.php with the new files included in this download and add one language string to language/lang_english/lang_admin.php as shown here:

Code: Select all

$lang['Click_return_page_admin'] = 'Click %sHere%s to return to Page Permissions Admin';
There is no additional functionality provided by this update, and hopefully no loss of functionality either. :-P The only changes are to the author notes, a few extra validation steps, and changing some form controls to be fully XHTML compliant (use checked="checked" or selected="selected" instead of simply "checked" or "selected" as before).

This MOD has been resubmitted to the MOD-DB after corrections were applied that should fix the reasons for the prior rejection.

Edit March 31, 2006
Updated title, changed status to Release Candidate (RC)
One minor change in the code
Download package includes the update instructions from 0.7.0 all the way up to 1.0.0
Versions prior to 1.0.0 will not be debugged / supported from this point forward.

Notes below are preserved for historical purposes only, and will not be maintained any further.

*** Begin 0.8.4 Notes *** (Mar 6, 2006)
Rewrite cache after mass enable / disable feature is used
*** End 0.8.4 Notes ***

*** Begin 0.8.2 Notes *** (Mar 5, 2006)
Added more language entries, hopefully have them all now :-)
Added ability to mass update enable / disable pages on main list
*** End 0.8.2 Notes *** (Mar 5, 2006)

*** Begin 0.8.0 Notes *** (Feb 22, 2006)
Fixed bug where admin page views were not counted
Changed function name from set_defaults() to set_default_page_permissions() to try to avoid potential conflicts
Added missing language entry
Fixed bug where file cache was not being used
Minor updates to cache writing process
0.8.0 Download includes update instructions from 0.7.3
*** End 0.8.0 Notes ***

*** Begin 0.7.3 Notes *** (Feb 13, 2006)
Fixed a bug where Moderators could see Admin only pages
Added code to bypass nearly the entire module if the logged in user is an ADMIN, no need to check security
Added a switch to activate / deactivate the page view counter increase, if you don't care about the page views you can turn this off, it's on by default
*** End 0.7.3 Notes ***

*** Begin 0.7.2 Notes *** (Feb 12, 2006)
I changed the way that pages were treated if you protected the same path with and without a URL. It should now work properly. Upgrading from a previous version is as simple as downloading from the new link below and overwriting only includes/page_permissions.php, none of the other install instructions have changed.
*** End 0.7.2 Notes ***

*** Begin 0.7.0 Notes *** (Jan 8, 2006)
New features of 0.7.0 include
  • Caching of page data
  • No more (I hope) hard-coded text, all language entries now
  • Added min / max post count to view page
  • Changed handling of pages with parameters
There are SQL updates and code updates from 0.6.x later in this topic. The prior release (0.6.x) is no longer supported or available for download on my site.
*** End 0.7.0 Notes ***

Please note: the screen shots below were for an ALPHA version. Please read this topic for updated screen shots and feature discussions.

[Original post text below]
I'm trying to see if there would be any interest in this MOD before I go to the trouble of writing it up. There are quite a few people that request that the memberlist be private, or that this page require a login, or whatever. I personally am interested in knowing where my web traffic is, but rather than have a simple page counter (there are MODs for that) I wanted a counter per page.

Here's a shot of the admin panel:
Image

A brief explanation...
Disable lets you take a page offline without taking your entire board offline. So if you're MODding the memberlist, for example, you can disable that page while you work on your live board. The admin user ignores the disable setting, and therefore can use the page. You could, in theory, disable every page and as the admin continue to use the entire board while guests and members get a "this page has been disabled" message. The disable message is, of course, an entry in the language file, and so can be customized. No plans to set up a disable message that is custom to each page, but it could be done.

Admin Required
If you want a page to require admin level access at all times, mark it so. Guests, users, and even moderators will get an "insufficient privileges" message when they attempt to access the page. Why not just put the page in the admin folder? You could. :-) I'm not sure I will keep this feature or drop it.

Guest Allowed is probably self explanatory. If you want guests to be able to view the page, say "Yes", otherwise say "No". So if you want to protect the memberlist.php (as I have done in the screenshot shown above) set this flag to "No". The user may be able to click the link to the file, but will be redirected to the login screen if they are not currently logged in.

This is all implemented via an "include" so it should be extremely easy to implement / upgrade. In each file that you want to protect, you'll add a single line of code that includes the page management module. The included code will check the page configuration and check the user status (logged in / out, admin or not) and page status (disable or not) and react accordingly.

Finally, the page counter code is added to the page_tail, as I want every page view to be counted. This is separate from the page management, as it works for every page that you enter into the management screen. Don't want to track views for posting.php? Simply drop that from the table and you won't track page views. The admin screen allows you to edit the page views if - for some reason - you want to adjust the value.

There are still some issues to work out. The tricky one is the profile.php code, as you want guests to be able to register :-) but perhaps not view other user profiles. So profile.php?mode=register should be allowed for guests, while profile.php?mode=viewprofile should not.

Thoughts? If nobody's interested, I won't bother taking the time to write it up. 8)
Last edited by drathbun on Mon Jan 22, 2007 2:17 pm, edited 27 times in total.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image
Swizec
Former Team Member
Posts: 1701
Joined: Mon Mar 10, 2003 9:42 pm
Location: Slovenia
Contact:

Post by Swizec »

an absolutely great idea!

you really should do this ;)
User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Post by drathbun »

Swizec wrote: an absolutely great idea!

:-D
you really should do this ;)

Well, it's essentially done. I'm using it on a new "MODs" board I'm setting up. I've written quite a few "little" MODs over the years that I use for myself, and have just never gotten around to sharing them. This is a recent development, so it will require some work before it's ready to be released... but the main structure is done. I needed the "disable page" because some parts of my board are live, and people kept poking around in stuff that wasn't ready yet. :lol: The "guest" feature will give less sophisticated board owners (and by this I mean people that are not really happy about editing a lot of code) the ability to protect any file they want to, as long as it includes the phpBB wrapper (session handling, and so on).

Any other ideas for "page" level settings that you can think of?

You'll notice that there are no settings for moderators. I'm not inclined to do anything with that, as there are two many variables. A user can be a moderator of one forum and not another. A group can be a moderator of one forum and not another. It just gets too ugly. Also this is not a replacement for forum-level permissions... it's at a higher level. If you wanted to, you could use this to prevent all forums from being guest viewable by simply protecting viewforum.php. But that's not the intention.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image
User avatar
stickerboy
Former Team Member
Posts: 7349
Joined: Mon Mar 29, 2004 2:27 pm
Location: Airdrie, UK (127.0.0.1)
Name: Kenny Cameron
Contact:

Post by stickerboy »

Sounds like a great MOD drathbun :P

I would say to add registered user and MOD to the page level settings, but already mentioned that could be tricky.
Possbly as an optional add-on?

or even a giode on how to do this. I have kooky's user-level MOD installed, so even just a guide so I can do it and I can add the extra levels myself :)

byw, do you hvae, or plan to have a page level for reg user?
I'm a web-designing code-decrypting tech-support musician
|| Twitter || Flickr || phpBB Snippets ||
Formerly known as cherokee red
ArkServer
Registered User
Posts: 40
Joined: Thu May 05, 2005 11:52 pm

Post by ArkServer »

its a GREAT mod :) and i like the idea, too bad i cant help you :( im not a skilled php coder, i do java c/c++ :/
Thatbitextra
Former Team Member
Posts: 7604
Joined: Mon Mar 21, 2005 5:04 am
Location: A place where something is or could be located; a site.
Contact:

Post by Thatbitextra »

This sounds brilliant! :)
Maybe you should make Admin required a dropdown with Admin, Mod, reg, like the normal permissions. And maybe even groups. Then a way to define which groups are allowed access. It sounds like a lot of work (to me at least), but I think it would be worth the time. Someone is bound to ask for it if you don't include it.
Can't wait for more of this :D
Styles KB
My MODs: Choose Who to Accept PMs From (Prevents unwanted PMs!) | Warn of Old Topic Before Posting Reply
Style: subBlack (Now updated to phpBB 2.0.22 and 5 new color schemes!)
Xiph3r
Registered User
Posts: 342
Joined: Sun Oct 27, 2002 8:21 pm
Location: the wired
Contact:

Post by Xiph3r »

i want it! 8)
User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Post by drathbun »

Hmm, well, it seems I finally have hit upon a MOD idea that has sparked some interest. :-) Most of my MODs go quietly into the night, never to be heard from again. :lol:

Answering some comments:
This is a page-level permission setting. There really isn't a way to handle moderator roles. Moderators, as allowed by the core phpBB code, can be moderators of a forum or not. A group may be a moderator of a forum or not. A user may be a member of a group or not. So you have this weird matrix of permissions that are generated (by the auth.php code) that determines if a user is a moderator of a forum or not. But you can't (or at least I can't see a way to) apply that at a "page" level. The page is viewforum.php, or viewtopic.php. You aren't a moderator of a page, just the content within it. :?

Registered users are implied by the guest permission. If you say that guests cannot use the page, then (by inference, at least in my mind) that means that you must be registered. The next level up from that is Admin, and I have that too. If you look at the data that is stored in the user table in the user_level column a user is either a member (registered) or an admin. That's it. If a user is not logged in, then they are a guest. So the hierarchy goes Guest -> Registered -> Admin.

In other words, this is not intended as a replacement for the phpBB "auth" system, which gives you a level of control over content. It's simply to be used for pages that you want to control access to.

Take another example. Suppose you set the page permissions for index.php where guests were not allowed to view it. Anyone that clicked to your forum home page would be routed to the login page. Add a "Wouldn't you like to register?" link on the login page, and you handle new users. Granted you can do this right now by setting permissions on each and every forum, but by setting it at the page level it's faster and doesn't require a lot of queries. Just one. :-)

Suppose you set permissions on index.php to Disabled. By definition (at least in my code) the Admin can still use the forum. Everyone else will get a "this page is offline" message. But, if they want, they can still browse the forums (viewforum) or topics (viewtopic) unless you also take those offline by disabling them.

Right now I'm developing some new content / pages for a new board. I have some users (you know who you are ;-)) but I don't want anyone to stumble through some of the pages that I'm still working on, which are apt to throw bugs at any time. So those pages are currently "disabled". Also, I will be managing the group membership as a strictly private concern, so the groupcp.php file is protected (with one mouse click :-)) as an "Admin Only" page. That way even if someone knows the page name (it's not linked anywhere on the site) they can't use it without admin rights.

So that's a few ideas on how I intend to use this, I'm sure there are many more. Once I figure out how to hook into the profile code, where I can disallow guests viewing profiles but still allow them to register, I'll post some beta code.

Thanks for the interest! 8)
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image
User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Post by drathbun »

Thatbitextra wrote: Maybe you should make Admin required a dropdown with Admin, Mod, reg, like the normal permissions.

Yeah, as a user interface that would work... plus let me combine two fields (guest and admin) into one. The item might be called "User Level Required" and it would be Guest, Reg, Admin. As I outlined in my previous post I can't conceive of how to work this with Moderators.
And maybe even groups. Then a way to define which groups are allowed access.

Again, I'm not sure this would be worthwhile, at least the way I am thinking it through. Groups are used to manage access to content; the page is used to deliver that content. So a group has access to a private forum, with content delivered via viewforum and viewtopic.

Perhaps a group that is the only group that has access to the memberlist? Hmmm, I guess I could see that. Instead of Guest, Reg, Admin you could allow members of a specific group to use that page. Or maybe even set up a "super moderator" group, where normal moderators can do standard moderator things one topic at a time, but "super moderators" (and I know I'm using a term that has been used for a different purpose, but go with me for a sec :-)) can use modcp.php to do "mass" moderation.

Okay, so I can see where groups might play. I'll think about it for beta 2. 8)
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image
User avatar
bonelifer
Community Team Member
Community Team Member
Posts: 3503
Joined: Wed Oct 27, 2004 11:35 pm
Name: William
Contact:

Post by bonelifer »

Instead you could tie in the Global Moderator mod, here's the thread Global Moderator, I posted on phpbbhacks for the updated code(made it work with EasyMod and broke it into it's seperate parts for simple installation).
Thatbitextra
Former Team Member
Posts: 7604
Joined: Mon Mar 21, 2005 5:04 am
Location: A place where something is or could be located; a site.
Contact:

Post by Thatbitextra »

Well, if I wanted to make viewforum.php viewable only to Mods and Admin, I would change (in viewforum.php)

Code: Select all

$template->set_filenames(array(
	'body' => 'viewforum_body.tpl')
);
to

Code: Select all

if ( $is_auth['auth_mod'] )
{$template->set_filenames(array(
	'body' => 'viewforum_body.tpl')
);
}
else
{$template->set_filenames(array(
	'body' => 'access_denied.tpl')
);
}
See what I mean? It's all about changing what the user sees based on their auth level.
Styles KB
My MODs: Choose Who to Accept PMs From (Prevents unwanted PMs!) | Warn of Old Topic Before Posting Reply
Style: subBlack (Now updated to phpBB 2.0.22 and 5 new color schemes!)
User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Post by drathbun »

Thatbitextra wrote: Well, if I wanted to make viewforum.php viewable only to Mods and Admin, I would change (in viewforum.php)

Code: Select all

$template->set_filenames(array(
	'body' => 'viewforum_body.tpl')
);
to

Code: Select all

...
See what I mean? It's all about changing what the user sees based on their auth level.

Yeah, but you don't get my point yet. :-) Or I'm not getting yours, one of the two. Realize that I'm talking about a page permission, not content permission... and think about this:

Set up a new board.
Set up 3 forums called 1, 2, and 3.
Set up a user so that they are authorized to moderate 1, but not 2 or 3.
Pretend that my MOD is finished :-) and that you've set the "View" permission on viewforum to MOD.

Now what happens?

Yes, you check (using the code you provided) to see if the user is Auth'd as a moderator for that forum (that's the content) and then you can redirect them elsewhere. But you can already do that with the current phpBB permission system, just by setting "VIEW" permission for that specific forum to MOD.

I'm not trying to reinvent the phpBB permission system, I'm trying to set page permissions. That means, at least in my vision for this project, that I can't be concerned about content. It's at a much more basic level, and it solves a problem that you cannot currently do with the phpBB permission system. The viewforum page is a viewforum page, period. And since you are quite possibly acting at different levels depending on the content (selected forum) as a moderator, I don't see it working out.

A guest is always a guest.
A registered user is always a registered user.
A board admin is always a board admin.

Moderators are based on specific content within the page.

I really do appreciate the comments. Keep trying, maybe you'll convince me. :-) Can you give me an example of a "page" permission where it would be appropriate to check for moderator status? Remember that moderator status is based on forum permissions, so if you're not viewing a forum (or a topic within a forum) the moderator status has no meaning.

Let's use the memberlist as an example. If you wanted to set the ability to view the memberlist to "moderator" then how would you define a moderator? Anyone with moderator status for any forum on the board? Is that good enough?

I think I like the group membership better. Groups are based on users, not content. I can take a group of users and limit access to pages, and I don't have any problems with visualizing how that would be used. I'm just being stubborn about moderators. :-)
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image
Thatbitextra
Former Team Member
Posts: 7604
Joined: Mon Mar 21, 2005 5:04 am
Location: A place where something is or could be located; a site.
Contact:

Post by Thatbitextra »

drathbun wrote: Is that good enough?

That is what my mindset was, I'll admit. I wasn't thinking about boards with different moderators for different forums.
drathbun wrote: I think I like the group membership better. Groups are based on users, not content. I can take a group of users and limit access to pages, and I don't have any problems with visualizing how that would be used. I'm just being stubborn about moderators. :-)

Yes, the groups idea would work well in that case. For the memberlist example, you could have a hidden group with people who are allowed to access it.
Well, if you can't do mods, you could do reg as well. Have to be registered to view the memberlist.
Styles KB
My MODs: Choose Who to Accept PMs From (Prevents unwanted PMs!) | Warn of Old Topic Before Posting Reply
Style: subBlack (Now updated to phpBB 2.0.22 and 5 new color schemes!)
User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Post by drathbun »

Thatbitextra wrote:
drathbun wrote:Is that good enough?

That is what my mindset was, I'll admit. I wasn't thinking about boards with different moderators for different forums.

Yeah, I know. Nobody does, 'cause nobody sets it up that way. Except me. :-)
drathbun wrote:I think I like the group membership better. Groups are based on users, not content. I can take a group of users and limit access to pages, and I don't have any problems with visualizing how that would be used. I'm just being stubborn about moderators. :-)

Yes, the groups idea would work well in that case. For the memberlist example, you could have a hidden group with people who are allowed to access it.
Well, if you can't do mods, you could do reg as well. Have to be registered to view the memberlist.

That's already there, albeit in inverse form. I have a setting for "guest" allowed. If that's no (false) then you must be registered. So rather than allow / disallow registered, you allow / disallow guest. I think I'll take an earlier suggestion... set the permission to "view" or use the page to a drop down, and put Guest, Reg, and Admin as the choices. That way is more clear.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image
DKing
Registered User
Posts: 751
Joined: Sat Jul 03, 2004 8:38 pm

Post by DKing »

Its a really good idea! I like it, so I think you should release it!
-DKing
Latest phpBB Version: 2.0.21
Search For a MOD: MOD Search
Locked

Return to “[2.0.x] MODs in Development”