Only run php function if user is logged in?

Posted: Mon Sep 03, 2018 9:27 pm
by terrylb
My board has a custom php file at webroot which is called to generate a signed url for viewing video on AWS. In 3.1 we used session management sort of like below but this doesn't seem to work in 3.2.2.

Code:

// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup();
if ($user->data['user_id'] == ANONYMOUS) {
   die("Access Denied");
} else {
// generate signed URL
}

How can I achieve the same result in 3.2? Thank you very much for any assistance.

-Terry

Re: Only run php function if user is logged in?

Posted: Mon Sep 03, 2018 9:32 pm
by kinerity
With the exception of a missing ", that should work. Do you get an error?

Re: Only run php function if user is logged in?

Posted: Mon Sep 03, 2018 10:18 pm
by terrylb
Thanks kinerity. Oops, typo in the copy/paste to the forum. The closing quote is fixed.

So if I try to access the php file directly when not logged in, it works correctly and does not allow access. But it also does not allow access if I am logged in. I added an echo to see who it thinks I am when logged in:

Code:

if ($user->data['user_id'] == ANONYMOUS)
{
  echo "user_id= " . $user->data['user_id'] . " END\n";
  die("access denied");
}

Snippet from the Apache access_log shows logged in as user_id 1:
[03/Sep/2018:22:01:28 +0000] "GET /phpbbboard/user_id=%201%20ENDaccess%20denied HTTP/1.1" 404 6863

Should I not be testing for ANONYMOUS?

Re: Only run php function if user is logged in?

Posted: Mon Sep 03, 2018 10:37 pm
by kinerity
What happens if you replace else with elseif ($user->data['user-id'] != ANONYMOUS)? It shouldn't matter, but it helps test. ;)

Re: Only run php function if user is logged in?

Posted: Mon Sep 03, 2018 11:13 pm
by terrylb
I replaced the else with the elseif but no change.

I added another echo and username is reported as ANONYMOUS but user_id is 1.

"username: Anonymous END user_id= 1 END access denied"

This is odd because I am logged in, as the site admin. If I don't test for logged in user, the signed url is generated correctly, so I don't think there's a problem there. It really seems like I don't have session management working correctly. Here's the entire php file.

Code:

<?php
define('IN_PHPBB', true);
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);

// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup();

function generateURL($target, $seconds, $seekTo)
{       
        //-- AWS signed URL     
        $keyPairId              = 'XXX';
        $expires                 = time() + $seconds;
        $json                      = '{"Statement":[{"Resource":"' . $target . '","Condition":{"DateLessThan":{"AWS:EpochTime":' . $expires . '}}}]}';
        
        //-- read cloudfront private key pair
        $PEMFile                 = '/path/to/pem';
        $fp                         = fopen($PEMFile, 'r');
        $private_key           = fread($fp, 8192);
        fclose($fp);
        
        //-- create the private key
        $key = openssl_get_privatekey($private_key);
        if (!$key)
        {       
                echo "<p>Failed to load private key!</p>";
                return;
        }
        
        //-- sign the policy with the private key
        if (!openssl_sign($json, $signed_policy, $key, OPENSSL_ALGO_SHA1))
        {       
                echo '<p>Failed to sign policy: ' . openssl_error_string() . '</p>';
                return;
        }

        //-- create url safe signed policy
        $base64_signed_policy = base64_encode($signed_policy);
        $signature = str_replace(array('+','=','/'), array('-','_','~'), $base64_signed_policy);

        //-- construct the URL
        $secure = $target . '?Expires=' . $expires . '&Signature=' . $signature . '&Key-Pair-Id=' . $keyPairId;
        return ($seekTo) ? $secure . '#t=' . $seekTo : $secure;
}

if ($user->data['user_id'] == ANONYMOUS)
{
  echo "username: " . $user->data['username'] . " END ";
  echo "user_id: " . $user->data['user_id'] . " END ";
  die("access denied");
}
elseif ($user->data['user_id'] != ANONYMOUS)
{
        echo generateURL("http://path/to/video" . request_var("file","default_val_if_file_doesnt_exist") . ".mp4", 7200, null);
}
?>

Re: Only run php function if user is logged in?

Posted: Mon Sep 03, 2018 11:32 pm
by Brf
It should be user_id, but you have user-id in some places.

Re: Only run php function if user is logged in?

Posted: Tue Sep 04, 2018 12:23 am
by terrylb
Thanks Brf. I fixed the one occurrence but it was in the elseif which isn't getting called because the prior if is succeeding when it shouldn't be. I thought I read that the Anonymous user is supposed to be -1? How can username be Anonymous but user_id be 1?

"username: Anonymous END user_id: 1 END access denied"
(BTW, the " END" in these echo statements is to help me when looking at apache output that's url escaped with %s everywhere.)

This is working under 3.1.6. A diff between this php file in the 3.2.2 site and the one in the working 3.1.6 site is only the pem file location. I'm testing AWS LightSail for hosting and their directory structure is a little different. Is there some other way to test if I have session management working properly, or determine if there's been a change in the way this is handled in 3.2.2?

Re: Only run php function if user is logged in?

Posted: Tue Sep 04, 2018 1:01 am
by Brf
Anonymous is 1.
Here is where you have user-id, rather than user_id in your first post.
terrylb wrote:
Mon Sep 03, 2018 9:27 pm
if ($user->data['user-id'] == ANONYMOUS) {

Re: Only run php function if user is logged in?

Posted: Tue Sep 04, 2018 2:40 am
by kinerity
Sorry, I copied and didn't check.

Re: Only run php function if user is logged in?

Posted: Tue Sep 04, 2018 2:59 am
by terrylb
Oh, sorry, another typo. Sheesh! If you look at the included php file a couple posts up you'll see that it's actually correct, user_id.

Okay, thanks for clarifying that Anonymous is user_id 1. I guess the question now is why does it report it's the Anonymous user and not the logged in user?

At the risk of complicating things, here's more info in case it's helpful:
aws.js and jquery are included in /styles/prosilver/templates/overall_header.html

Code:

<!-- jquery needed for AWS signed URLs 9/24/2014 -->
<script type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script type="text/javascript" src="aws.js"></script>
<!-- END AWS -->

aws.js

Code:

$(document).ready(function()
{
	$("video").each(function(index)
	{
		var vidRef = $(this);
		$.ajax({ url: 'aws.php',
			data: {
				file: $(this).data('file')
			},
			type: 'post',
			success: function(response)
			{
				if (response != 'access denied') vidRef.attr('src', response);
			}
		});
	});
});

Re: Only run php function if user is logged in?

Posted: Tue Sep 04, 2018 1:54 pm
by Brf
Ah. You are using ajax. Personally, I have never had much luck with getting sessions into an ajax call without using the sid.

Re: Only run php function if user is logged in?

Posted: Tue Sep 04, 2018 5:12 pm
by terrylb
Thanks Brf. Do you have any examples of getting sessions into an ajax call using the sid?

Re: Only run php function if user is logged in?

Posted: Tue Sep 04, 2018 5:32 pm
by Brf
You could use append_sid to build the URL within whatever page is generating that webpage. That is how the quickmod tools are done.

Re: Only run php function if user is logged in?

Posted: Wed Sep 05, 2018 11:16 pm
by terrylb
I've done some searching on append_sid and I'm not sure how to use it in my situation. Can I ask for some additional pointers? Here's a recap of the setup and previous posts.

/styles/prosilver/templates/overall_header.html includes 2 script lines: jquery and aws.js
aws.js makes an ajax call to aws.php to generate a signed url and insert it into the video src tag
aws.php runs the session management and tests if the user is logged in. It always returns that it's the Anonymous user.

Where would append_sid go?

Or, maybe there's a better, easier way to generate and insert the signed url into the video tag?

Re: Only run php function if user is logged in?

Posted: Thu Sep 06, 2018 1:47 am
by Brf
I am not sure what you are trying to accomplish by calling this little php file. Why not simply create a little extension to generate it within phpBB? Also, since your code is in the header template, you could simply use the phpBB S_USER_LOGGED_IN or whatever that flag is.
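
Added example (not code from any poster in this thread): a fail-closed variant of the aws.php posted earlier. It gates on the session's is_registered flag, accepts only a bare file name, and answers with an HTTP status plus JSON, so a denial or debug string can never end up assigned to the video src. VIDEO_BASE, KEY_PAIR_ID, PEM_FILE, the file-name pattern and the JSON field names are assumptions, and the file is assumed to sit in the board root as in the thread.

```php
<?php
// Added example, not the poster's file: aws.php reworked to fail closed.
define('IN_PHPBB', true);
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);
const VIDEO_BASE  = 'https://video.example.invalid/'; // placeholder host
const KEY_PAIR_ID = 'XXX';                            // placeholder, as in the post
const PEM_FILE    = '/path/to/pem';                   // placeholder; keep outside the webroot
// Start session management (same three calls as the original file)
$user->session_begin();
$auth->acl($user->data);
$user->setup();

// Status code plus JSON, so the client never treats an error string as a URL
function respond($status, array $body)
{
	http_response_code($status);
	header('Content-Type: application/json');
	header('Cache-Control: no-store');
	exit(json_encode($body));
}

// Same canned policy, SHA-1 signature and URL-safe base64 as the post; false on failure
function sign_url($target, $seconds)
{
	$expires = time() + $seconds;
	$policy = json_encode(array('Statement' => array(array(
		'Resource'  => $target,
		'Condition' => array('DateLessThan' => array('AWS:EpochTime' => $expires)),
	))), JSON_UNESCAPED_SLASHES);
	$key = openssl_pkey_get_private((string) @file_get_contents(PEM_FILE));
	if (!$key || !openssl_sign($policy, $sig, $key, OPENSSL_ALGO_SHA1)) { return false; }
	$sig = strtr(base64_encode($sig), '+=/', '-_~');
	return "$target?Expires=$expires&Signature=$sig&Key-Pair-Id=" . KEY_PAIR_ID;
}

// Guests have user_id == ANONYMOUS and is_registered false; bots are refused as well
if (empty($user->data['is_registered']) || !empty($user->data['is_bot']))
{
	respond(403, array('error' => 'login_required'));
}
// Bare name only (assumed pattern): no slashes, dots or query characters get signed
$file = $request->variable('file', '');
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $file))
{
	respond(400, array('error' => 'bad_file'));
}
$url = sign_url(VIDEO_BASE . $file . '.mp4', 7200);
if ($url === false) { respond(500, array('error' => 'signing_failed')); }
respond(200, array('url' => $url));
```

With this response shape, the thread's aws.js would read the URL from the url field of the JSON body and leave src unset on any non-200 status.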