01-15-2017, 03:04 PM
Hello,
I am relatively new to PHP development and I am looking into using UserSpice as a foundation for a new project.
One of the things I noticed was this issue mentioned here of pages being set to private in the control panel yet whilst not logged in I can still get to the page. Tested with /index.php. US_ver= 4.1.8c
Upon looking through the code I noticed there was no check being run on some of the pages, including /index.php, to see if the page is public or private and, if the latter, which groups can see the page.
I then created /test.php which contains the following:
<pre>
Code:
<?php
require_once 'users/init.php';
require_once $abs_us_root.$us_url_root.'users/includes/header.php';
require_once $abs_us_root.$us_url_root.'users/includes/navigation.php';
?>
<br><br><br>
<p>this is a test page</p>
</pre>
I set the page to private with user group access. I could still view it whilst not logged in.
Adding
<pre>
Code:
if (!securePage($_SERVER['PHP_SELF'])) { die(); }
</pre>
fixed the issue.
As the system is designed to use page permissions this should probably be included in /users/init.php but as you pointed out in your troubleshooting video you cannot patch this file. Therefore I think it might be worthwhile being included in /users/includes/header.php.
Another thought on patching the init.php file is to make an init_fixes.php file which could search the init.php file for any necessary fixes and then output messages into a panel in admin.php with patch information.
As for Raven's system, I believe depending on the need for a support/ticket system then in some cases you don't want the general public being able to access and would require users to be logged in prior to being able to view/create tickets.
If I have missed something regarding the design or functionality then please enlighten me for future reference.
Hope this has been helpful (if not already fixed) and not rude newbie comments.
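
The gap described in the post (pages that load users/init.php but never call securePage()) can be audited across a code base. The script below is an added example, not part of the original post and not UserSpice code; the helper names loadsInit and callsSecurePage are hypothetical, and it assumes a page is protected only by a direct securePage() call in the same file.

```php
<?php
// Added example, not UserSpice code: flag pages that load users/init.php but
// never call securePage(), so their private/public setting is not enforced.

/** True if a require/include statement names a path ending in init.php. */
function loadsInit(array $tokens): bool {
    $inRequire = false;
    foreach ($tokens as $t) {
        if (is_array($t) && in_array($t[0], [T_REQUIRE, T_REQUIRE_ONCE, T_INCLUDE, T_INCLUDE_ONCE], true)) {
            $inRequire = true;
        } elseif ($t === ';') {
            $inRequire = false;
        } elseif ($inRequire && is_array($t) && $t[0] === T_CONSTANT_ENCAPSED_STRING
            && preg_match('~[\'"/]init\.php[\'"]$~', $t[1])) {
            return true;
        }
    }
    return false;
}

/** True if securePage( appears as code; comments and string contents are ignored. */
function callsSecurePage(array $tokens): bool {
    // Drop whitespace and comments so "securePage (" and commented-out calls are handled.
    $code = array_values(array_filter($tokens, fn($t) =>
        !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)));
    foreach ($code as $i => $t) {
        if (is_array($t) && $t[0] === T_STRING && strcasecmp($t[1], 'securePage') === 0
            && ($code[$i + 1] ?? null) === '(') {
            return true;
        }
    }
    return false;
}

// Constructed samples: the /test.php from the post, without and with the check.
$sources = [
    'test.php (as posted)' => "<?php\nrequire_once 'users/init.php';\n?>\n<p>this is a test page</p>\n",
    'test.php (with check)' => "<?php\nrequire_once 'users/init.php';\n"
        . "if (!securePage(\$_SERVER['PHP_SELF'])) { die(); }\n?>\n<p>this is a test page</p>\n",
];
if (isset($argv[1])) {   // a directory argument replaces the samples with real files
    $sources = [];
    $dir = new RecursiveDirectoryIterator($argv[1], FilesystemIterator::SKIP_DOTS);
    foreach (new RecursiveIteratorIterator($dir) as $f) {
        if ($f->isFile() && strtolower($f->getExtension()) === 'php') {
            $sources[$f->getPathname()] = file_get_contents($f->getPathname());
        }
    }
}
foreach ($sources as $name => $src) {
    $tokens = token_get_all($src);
    echo (loadsInit($tokens) && !callsSecurePage($tokens) ? 'NO securePage(): ' : 'ok: ') . $name . "\n";
}
```

A flagged file is only a lead: a page may enforce access some other way, and a present call says nothing about whether its result is acted on.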