Custom Post Commands |
Posted by: acstudent - 06-12-2018, 06:26 PM - Forum: UserSpice 4.3 and Below
- No Replies
|
|
When using a $_POST command on a form field based on a custom form (not one supported through UserSpice's form class), the command does not work. Is there anything that needs to be added or changed to allow for POST commands with non-UserSpice forms incorporated into a UserSpice application?
|
|
|
Manually Add User redirects and logs out admin |
Posted by: pringletech - 06-07-2018, 03:24 AM - Forum: UserSpice 4.3 and Below
- Replies (6)
|
|
When manually adding a user successfully I am logged out as my user and logged in as the newly created one. I would prefer to stay logged in as my admin user and stay on the admin_users.php page.
Is what I am seeing the designed workflow? Can I stay logged in and go back to the admin users list?
|
|
|
Secure or manage access to images |
Posted by: jc - 06-04-2018, 08:08 AM - Forum: UserSpice 4.3 and Below
- No Replies
|
|
The standard code snippet
<pre>if(!hasPerm([3],$user->data()->id)){...}</pre>
can secure PHP pages but leaves access open to images, PDF files, text, etc. on the web server.
I have been looking at ways to secure those files for logged-in users and this is what I got; it may be useful for others and can be improved by the forum.
Let's assume all images are in the folder "figures".
On the parent folder create a .htaccess file with these instructions (make sure mod_rewrite is enabled):
Code:
<pre>RewriteEngine on
RewriteRule ^(figures)/(.*)$ imageout.php?img=$1/$2
</pre>
In this way when a file from the folder "figures" is requested the folder and filename are passed to the script imageout.php.
This script checks whether the user is logged in and sends the image. It also prevents user input for files outside the designated folder. Imagine a user requests https://mydomain.com/figures/../../../.....s/OMG.jpeg; it is not a good idea to let that happen (or to put the images there in the first place).
This can be prevented by a code like:
Code:
<pre>$fileOut = basename($img);
//Prevent user input for files outside the designated folder
$fileOut = getcwd().'/figures/'.$fileOut;
</pre>
The file imageout.php serving the graphic files would be:
Code:
<pre><?php
// check whether user has permissions
// ([x] is a placeholder for the permission level id that may view the files)
require_once '../users/init.php';
if(!hasPerm([x],$user->data()->id)){
    header('Location: http://www.domain.com/');
    die();
}
if(!empty($_GET['img'])){
    $img = $_GET['img'];
} else {
    exit('Image not supplied');
}
// basename() drops any directory part, including "../" sequences
$fileOut = basename($img);
//Prevent user input for files outside the designated folder
$fileOut = getcwd().'/figures/'.$fileOut;
if (file_exists($fileOut)) {
    // from https://stackoverflow.com/questions/900207/return-a-php-page-as-an-image#26811487
    //Set the content-type header as appropriate
    $imageInfo = getimagesize($fileOut);
    // getimagesize() returns false for files that are not images
    $imageType = $imageInfo ? $imageInfo[2] : null;
    switch ($imageType) {
        case IMAGETYPE_JPEG:
            header("Content-Type: image/jpeg");
            break;
        case IMAGETYPE_GIF:
            header("Content-Type: image/gif");
            break;
        case IMAGETYPE_PNG:
            header("Content-Type: image/png");
            break;
        default:
            break;
    }
    // Set the content-length header
    header('Content-Length: ' . filesize($fileOut));
    // Write the image bytes to the client
    readfile($fileOut);
}
?>
</pre>
There is no noticeable decrease in speed for a few hundred files.
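The containment check from the post above, as an added example that is not part of the original post or of UserSpice: it goes beyond the basename() approach by allowing subfolders under "figures" and by refusing file types that are not on an allow-list. The names resolveInside, allowedType and ALLOWED_TYPES, the list of types and the temporary test files are assumptions; the fileinfo extension is assumed to be enabled.

```php
<?php
// Added example; function and constant names are hypothetical.

/** Canonical path of $requested inside $baseDir, or null if it escapes,
 *  is missing, or is not a regular file. */
function resolveInside(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; false if nothing is there
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The canonical path must still start with "<base>/"
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Types this endpoint agrees to serve (assumed list); others are refused. */
const ALLOWED_TYPES = ['image/jpeg', 'image/gif', 'image/png', 'application/pdf'];

/** MIME type sniffed from file content if allow-listed, else null. */
function allowedType(string $path): ?string
{
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return in_array($type, ALLOWED_TYPES, true) ? $type : null;
}

// Self-check on constructed files in a temporary directory
$root = sys_get_temp_dir() . '/imgdemo_' . bin2hex(random_bytes(4));
mkdir("$root/figures/sub", 0700, true);
file_put_contents("$root/figures/sub/a.gif", "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
file_put_contents("$root/figures/note.html", '<p>constructed non-image file</p>');
file_put_contents("$root/secret.txt", 'constructed file outside figures/');

$cases = ['sub/a.gif', 'note.html', '../secret.txt', 'sub/../../secret.txt', 'nope.png'];
foreach ($cases as $req) {
    $path = resolveInside("$root/figures", $req);
    $type = $path === null ? null : allowedType($path);
    printf("%-22s %s\n", $req, $type !== null ? "serve as $type" : 'refuse');
}
```

In a handler like imageout.php the permission check still comes first; a refused request would get a 404, and the returned type would be sent as the Content-Type header together with `X-Content-Type-Options: nosniff`.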
|
|
|
Create CSV or PDF files with php |
Posted by: pittsburgh1776 - 06-01-2018, 08:41 AM - Forum: UserSpice 4.3 and Below
- Replies (3)
|
|
Hi,
I have been working with UserSpice for three months and it is a great PHP framework.
I now have one problem: I would like to create a CSV (or a PDF) file.
I set up a PHP file and gave this file access with the page management function.
I have this code in the current UserSpice 4.3 version:
Code:
<pre><?php
require_once '../users/init.php';
require_once $abs_us_root.$us_url_root.'users/includes/header.php';
require_once $abs_us_root.$us_url_root.'users/includes/navigation.php';
if (!securePage($_SERVER['PHP_SELF'])){die();}
header('Content-Type: text/csv; charset=utf-8');
header('Content-Disposition: attachment; filename=data.csv');
// .. here the content
</pre>
This created a CSV file almost like I wanted. The only thing is that I have the HTML code of the header and the navigation in my CSV file.
I thought I just had to delete the three 'require_once' lines. But then the system does not find my PHP file anymore.
How can I create a file without the header and navigation code, but with access control?
Best regards
Thorsten
|
|
|
List of Over Writeable Files |
Posted by: mleary2001 - 05-31-2018, 06:28 PM - Forum: UserSpice 4.3 and Below
- No Replies
|
|
Is there a list of files that can be overwritten by copying from the users folder and pasting in the usersc folder? Such a list would help in the planning stages of design.
Thanks,
Mike
|
|
|
Delete user |
Posted by: alexuco - 05-29-2018, 09:40 PM - Forum: UserSpice 4.3 and Below
- Replies (1)
|
|
Hi all! Today I was working hard testing users' roles (permissions), etc., and I've noticed that only the Admin is able to delete any other users. I've been working on this app for a company with some workers who have more permission levels than a simple user, who in my case are just CLIENTS.
What I would like to achieve is that 'workers' are able to DELETE users ('1').
Do you think I could do that without breaking any hard-coded rule of US (in order not to complicate my life in the future)? Those workers are now able to access some features of the Dashboard.
In this app I just have 4 levels [0,1,2,3]
|
|
|
Using UserSpice accounts with REST API? |
Posted by: codsane - 05-29-2018, 08:08 PM - Forum: Documentation
- Replies (1)
|
|
Hey there!
I recently discovered UserSpice, and I've been loving it as a user management framework for my latest project.
I've realized my project would benefit from a REST API, and I've given my partner the task to manage it. I prefer to use Python because it's something my partner is comfortable with, that way I can handle the PHP stuff and allow them to work on setting up endpoints for the API.
I now have a Python REST API demo working; however, the last thing I have to work out before handing it over to my partner is authentication. Is there any way that I can check against the browser's session to see whether or not a user is logged in?
For example, I have the endpoint: api.mydomain.com/players
I will be using AJAX to call that endpoint from one of my pages, but I'd like to protect that endpoint from unauthorized requests outside of my page. This also allows me to log anybody who attempts to abuse the API outside of normal usage.
How can I utilize UserSpice alongside cookies/sessions/hashes in a way that will allow me to accomplish that?
|
|
|
single and Mass Message |
Posted by: alexuco - 05-26-2018, 11:06 PM - Forum: UserSpice 4.3 and Below
- Replies (2)
|
|
Hi again!
When Admin sends a Mass Message or a single message, the users receive a mail with the 'person' swapped. I mean, for example, if all users are Admin, Sam and Dan, then Sam will receive a mail saying "Hello Admin, You have a new message from Sam!" and Dan the same but with his name as the 'sender'.
|
|
|
reset password |
Posted by: alexuco - 05-26-2018, 10:28 PM - Forum: UserSpice 4.3 and Below
- Replies (1)
|
|
Hi everyone!
Today I've noticed that when Admin resets a user's password, checking the option to send him/her a mail to notify that, the link from that mail always throws the message 'Oops...something went wrong, maybe an old reset link you clicked on. Click below to try again', and even when the user after that resets manually and sends the mail again, the same happens.
Maybe it happens because I'm under MAMP localhost?
Any idea what it is about?
thanks.
|
|
|
|