Only run php function if user is logged in?

terrylb
Registered User
Posts: 11
Joined: Mon Sep 03, 2018 8:12 pm

Only run php function if user is logged in?

Post by terrylb » Mon Sep 03, 2018 9:27 pm

My board has a custom php file at webroot which is called to generate a signed url for viewing video on AWS. In 3.1 we used session management sort of like below but this doesn't seem to work in 3.2.2.

Code: Select all

// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup();
if ($user->data['user_id'] == ANONYMOUS) {
   die("Access Denied");
} else {
// generate signed URL
}

How can I achieve the same result in 3.2? Thank you very much for any assistance.

-Terry
Last edited by terrylb on Tue Sep 04, 2018 1:51 am, edited 3 times in total.

kinerity
Community Team Member
Posts: 1944
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Truscott

Re: Only run php function if user is logged in?

Post by kinerity » Mon Sep 03, 2018 9:32 pm

With the exception of a missing ", that should work. Do you get an error?
Kailey Truscott - Community Team

terrylb
Registered User
Posts: 11
Joined: Mon Sep 03, 2018 8:12 pm

Re: Only run php function if user is logged in?

Post by terrylb » Mon Sep 03, 2018 10:18 pm

Thanks kinerity. Oops, typo in the copy/paste to the forum. The closing quote is fixed.

So if I try to access the php file directly when not logged in, it works correctly and does not allow access. But it also does not allow access if I am logged in. I added an echo to see who it thinks I am when logged in:

Code: Select all

if ($user->data['user_id'] == ANONYMOUS)
{
  echo "user_id= " . $user->data['user_id'] . " END\n";
  die("access denied");
}

Snippet from the Apache access_log shows logged in as user_id 1.
[03/Sep/2018:22:01:28 +0000] "GET /phpbbboard/user_id=%201%20ENDaccess%20denied HTTP/1.1" 404 6863

Should I not be testing for ANONYMOUS?
Last edited by terrylb on Tue Sep 04, 2018 12:43 am, edited 1 time in total.

kinerity
Community Team Member
Posts: 1944
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Truscott

Re: Only run php function if user is logged in?

Post by kinerity » Mon Sep 03, 2018 10:37 pm

What happens if you replace else with elseif ($user->data['user-id'] != ANONYMOUS)? It shouldn't matter, but it helps test. ;)
Kailey Truscott - Community Team

terrylb
Registered User
Posts: 11
Joined: Mon Sep 03, 2018 8:12 pm

Re: Only run php function if user is logged in?

Post by terrylb » Mon Sep 03, 2018 11:13 pm

I replaced the else with the elseif but no change.

I added another echo and username is reported as ANONYMOUS but user_id is 1.

"username: Anonymous END user_id= 1 END access denied"

This is odd because I am logged in, as the site admin. If I don't test for logged in user, the signed url is generated correctly, so I don't think there's a problem there. It really seems like I don't have session management working correctly. Here's the entire php file.

Code: Select all

<?php
define('IN_PHPBB', true);
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);

// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup();

function generateURL($target, $seconds, $seekTo)
{       
        //-- AWS signed URL     
        $keyPairId              = 'XXX';
        $expires                 = time() + $seconds;
        $json                      = '{"Statement":[{"Resource":"' . $target . '","Condition":{"DateLessThan":{"AWS:EpochTime":' . $expires . '}}}]}';
        
        //-- read cloudfront private key pair
        $PEMFile                 = '/path/to/pem';
        $fp                         = fopen($PEMFile, 'r');
        $private_key           = fread($fp, 8192);
        fclose($fp);
        
        //-- create the private key
        $key = openssl_get_privatekey($private_key);
        if (!$key)
        {       
                echo "<p>Failed to load private key!</p>";
                return;
        }
        
        //-- sign the policy with the private key
        if (!openssl_sign($json, $signed_policy, $key, OPENSSL_ALGO_SHA1))
        {       
                echo '<p>Failed to sign policy: ' . openssl_error_string() . '</p>';
                return;
        }

        //-- create url safe signed policy
        $base64_signed_policy = base64_encode($signed_policy);
        $signature = str_replace(array('+','=','/'), array('-','_','~'), $base64_signed_policy);

        //-- construct the URL
        $secure = $target . '?Expires=' . $expires . '&Signature=' . $signature . '&Key-Pair-Id=' . $keyPairId;
        return ($seekTo) ? $secure . '#t=' . $seekTo : $secure;
}

if ($user->data['user_id'] == ANONYMOUS)
{
  echo "username: " . $user->data['username'] . " END ";
  echo "user_id: " . $user->data['user_id'] . " END ";
  die("access denied");
}
elseif ($user->data['user_id'] != ANONYMOUS)
{
        echo generateURL("http://path/to/video" . request_var("file","default_val_if_file_doesnt_exist") . ".mp4", 7200, null);
}
?>
Last edited by terrylb on Tue Sep 04, 2018 12:25 am, edited 1 time in total.

Brf
Support Team Member
Posts: 51402
Joined: Tue May 10, 2005 7:47 pm

Re: Only run php function if user is logged in?

Post by Brf » Mon Sep 03, 2018 11:32 pm

It should be user_id, but you have user-id in some places.

terrylb
Registered User
Posts: 11
Joined: Mon Sep 03, 2018 8:12 pm

Re: Only run php function if user is logged in?

Post by terrylb » Tue Sep 04, 2018 12:23 am

Thanks Brf. I fixed the one occurrence but it was in the elseif which isn't getting called because the prior if is succeeding when it shouldn't be. I thought I read that the Anonymous user is supposed to be -1? How can username be Anonymous but user_id be 1?

"username: Anonymous END user_id: 1 END access denied"
(BTW, the " END" in these echo statements is to help me when looking at apache output that's url escaped with %s everywhere.)

This is working under 3.1.6. A diff between this php file in the 3.2.2 site and the one in the working 3.1.6 site is only the pem file location. I'm testing AWS LightSail for hosting and their directory structure is a little different. Is there some other way to test if I have session management working properly, or determine if there's been a change in the way this is handled in 3.2.2?

Brf
Support Team Member
Posts: 51402
Joined: Tue May 10, 2005 7:47 pm

Re: Only run php function if user is logged in?

Post by Brf » Tue Sep 04, 2018 1:01 am

Anonymous is 1.
Here is where you have user-id, rather than user_id in your first post.
terrylb wrote: Mon Sep 03, 2018 9:27 pm
if ($user->data['user-id'] == ANONYMOUS) {

kinerity
Community Team Member
Posts: 1944
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Truscott

Re: Only run php function if user is logged in?

Post by kinerity » Tue Sep 04, 2018 2:40 am

Sorry, I copied and didn't check.
Kailey Truscott - Community Team

terrylb
Registered User
Posts: 11
Joined: Mon Sep 03, 2018 8:12 pm

Re: Only run php function if user is logged in?

Post by terrylb » Tue Sep 04, 2018 2:59 am

Oh, sorry, another typo. Sheesh! If you look at the included php file a couple posts up you'll see that it's actually correct, user_id.

Okay, thanks for clarifying that Anonymous is user_id 1. I guess the question now is why does it report it's the Anonymous user and not the logged in user?

At the risk of complicating things, here's more info in case it's helpful:
aws.js and jquery are included in /styles/prosilver/templates/overall_header.html

Code: Select all

<!-- jquery needed for AWS signed URLs 9/24/2014 -->
<script type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script type="text/javascript" src="aws.js"></script>
<!-- END AWS -->

aws.js

Code: Select all

$(document).ready(function()
{
	$("video").each(function(index)
	{
		var vidRef = $(this);
		$.ajax({ url: 'aws.php',
			data: {
				file: $(this).data('file')
			},
			type: 'post',
			success: function(response)
			{
				if (response != 'access denied') vidRef.attr('src', response);
			}
		});
	});
});
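
Added example, not part of the original post and not phpBB code: the aws.js above assigns any response other than the exact string 'access denied' to the video src, so the debug output echoed by aws.php is requested as a relative URL, which is the 404 path seen in the access log earlier in the thread. The function below accepts a response only when it parses as a signed URL of the shape generateURL() builds; `signedVideoSrc`, `allowedOrigin` and the hostname `video.example.com` are assumptions made for illustration.

```javascript
// Added example, not from the thread. Query keys match what generateURL() in aws.php emits.
const REQUIRED_PARAMS = ['Expires', 'Signature', 'Key-Pair-Id'];

// Returns the URL to assign to <video src>, or null when the response must be ignored.
// allowedOrigin (e.g. 'https://video.example.com') is a constructed placeholder.
function signedVideoSrc(response, allowedOrigin, nowSeconds) {
  if (typeof response !== 'string') return null;

  let url;
  try {
    // No base URL is passed, so relative text such as "access denied" throws here.
    url = new URL(response.trim());
  } catch (e) {
    return null;
  }

  // "username: Anonymous ..." parses as a URL with scheme "username:"; its origin
  // is the string "null", so the origin comparison is what rejects it.
  if (url.origin !== allowedOrigin) return null;

  for (const name of REQUIRED_PARAMS) {
    if (!url.searchParams.get(name)) return null;
  }

  // generateURL() maps + = / to - _ ~, so a valid signature has no other symbols.
  if (!/^[A-Za-z0-9\-_~]+$/.test(url.searchParams.get('Signature'))) return null;

  // Expires is an epoch timestamp; an already expired URL is not worth loading.
  const expires = url.searchParams.get('Expires');
  if (!/^\d+$/.test(expires) || Number(expires) <= nowSeconds) return null;

  return url.href;
}

// Wiring inside the existing success callback (jQuery, as in aws.js):
//   var src = signedVideoSrc(response, 'https://video.example.com', Date.now() / 1000);
//   if (src) vidRef.attr('src', src);
```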

Brf
Support Team Member
Posts: 51402
Joined: Tue May 10, 2005 7:47 pm

Re: Only run php function if user is logged in?

Post by Brf » Tue Sep 04, 2018 1:54 pm

Ah. You are using ajax. Personally, I have never had much luck with getting sessions into an ajax call without using the sid.

terrylb
Registered User
Posts: 11
Joined: Mon Sep 03, 2018 8:12 pm

Re: Only run php function if user is logged in?

Post by terrylb » Tue Sep 04, 2018 5:12 pm

Thanks Brf. Do you have any examples of getting sessions into an ajax call using the sid?

Brf
Support Team Member
Posts: 51402
Joined: Tue May 10, 2005 7:47 pm

Re: Only run php function if user is logged in?

Post by Brf » Tue Sep 04, 2018 5:32 pm

You could use append_sid to build the URL within whatever page is generating that webpage. That is how the quickmod tools are done.

terrylb
Registered User
Posts: 11
Joined: Mon Sep 03, 2018 8:12 pm

Re: Only run php function if user is logged in?

Post by terrylb » Wed Sep 05, 2018 11:16 pm

I've done some searching on append_sid and I'm not sure how to use it in my situation. Can I ask for some additional pointers? Here's a recap of the setup and previous posts.

/styles/prosilver/templates/overall_header.html includes 2 script lines: jquery and aws.js
aws.js makes an ajax call to aws.php to generate a signed url and insert it into the video src tag
aws.php runs the session management and tests if the user is logged in. It always returns that it's the Anonymous user.

Where would append_sid go?

Or, maybe there's a better, easier way to generate and insert the signed url into the video tag?

Brf
Support Team Member
Posts: 51402
Joined: Tue May 10, 2005 7:47 pm

Re: Only run php function if user is logged in?

Post by Brf » Thu Sep 06, 2018 1:47 am

I am not sure what you are trying to accomplish by calling this little php file. Why not simply create a little extension to generate it within phpBB? Also, since your code is in the header template, you could simply use the phpBB S_USER_LOGGED_IN or whatever that flag is.
