01-15-2017, 03:17 PM
Index.php does not have the check in it by default because if you locked people out of the homepage, then they wouldn't be able to log in. You could always do
Code:
if(!$user->isLoggedIn()){
    Redirect::to('users/login.php');
}
somewhere near the top of the index to force them to log in without using the heavy-handed security feature. I'm going to be cleaning up what happens when someone doesn't have access in 4.2. I've been testing it in some of my other projects.
One of the tough things is that we work under the assumption that there should be "public" parts of most projects where people can at least read a little information before deciding if they want to join or log in. The above redirect would cause issues with that.
Is there another page that should be secured, that is not secured by default?
And yes...every UserSpice page that you want to be able to log people out of needs the
if(!securePage($_SERVER['PHP_SELF'])){die();};
line or UserSpice will know that you're not supposed to be there, but it won't be able to kick you out.
I don't think this can be in the init. I can double check that though.
I definitely appreciate your feedback and I'll look into the init fixes thing too. The main problem with editing the init is that it is created on the fly at install, so we don't know what's in there to find and replace things. We're moving more things out of it, to pretty much leave just the db credentials over time. It's tough when you're trying to maintain compatibility.
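An added example, not part of the original post and not UserSpice code: since every protected page has to carry the securePage line itself, a small audit script can list the .php files that lack it. The function names, the `public` allow-list and the sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

# Guard as quoted in the post: if(!securePage($_SERVER['PHP_SELF'])){die();};
GUARD = re.compile(
    r"if\s*\(\s*!\s*securePage\s*\(\s*\$_SERVER\[\s*['\"]PHP_SELF['\"]\s*\]\s*\)\s*\)")
# Naive PHP comment stripper (does not understand string literals).
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def has_guard(php_source):
    """True if the securePage guard appears outside of comments."""
    return bool(GUARD.search(COMMENTS.sub("", php_source)))

def find_unguarded(root, public=()):
    """Sorted relative paths of .php files under root that lack the guard.
    `public` (assumption) lists pages the site owner leaves open on purpose."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not name.endswith(".php") or rel in public:
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                if not has_guard(fh.read()):
                    missing.append(rel)
    return sorted(missing)

def demo():
    """Audit a constructed sample tree (not real UserSpice files)."""
    guard = "if(!securePage($_SERVER['PHP_SELF'])){die();};"
    sample = {
        "index.php": "<?php echo 'welcome';",
        "users/login.php": "<?php echo 'login form';",
        "users/account.php": "<?php\n" + guard + "\necho 'account';",
        "reports.php": "<?php\n// " + guard + "\necho 'data';",  # commented out
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_unguarded(root, public=("index.php", "users/login.php"))

if __name__ == "__main__":
    print(demo())
```

Files it reports are candidates for review, not proof of a problem: helper includes and intentionally public pages belong in the allow-list.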