securing a site directory from all but registered users?

Regular Joined: Nov 29, 2006 Posts: 64 Location: TN, USA

Hi all,
I hope this doesn't sound too confusing but...

I have some directories that are outside my nuke installation directory that I would like to bar from anyone EXCEPT the registered users of my nuke site.

I was checking out Raven's posting:http://www.ravenphpscripts.com/postt9904.html and I've used .htaccess before, in small ways, but is there any way to have it access the user:pass info of the registered users of the site without my having to enter the user:pass of each registered user into a .staccess file or having my registered users re-enter thier user names:passwords when the try to gain access to these protected directories?

What would be perfect is if the registered user could simply click the link and enter, but the non-member gets stopped and asked for a user:pass (blocked).

Any ideas/help would be much appriciated!

Posted: Sat Mar 22, 2008 10:15 am

Perhaps I should rephrase this question.

Is it possible to use .htaccess to 'deny from all' except a web address?
For example, from the contents page of my site?
Something like: [ Only registered users can see links on this board! Get registered or login! ]

I could then use the site user permissions to deny access to non-registered users.

Thanks!

Posted: Sat Mar 22, 2008 12:16 pm

mercman, I am no Apache expert, so it would take way too much time for me to research, so I am not sure it can be done the way you want in your first post.

However, you might be able to use something like NukeWrap to wrap the content in and just make the NukeWrap module only accessible to registered users. Now, this is not foolproof if your links can be "guessed".

Another way would be to write something like NukeWrap, but without the frames, and you could read the content using native PHP file read commands and then display the output back to the browser. Using this approach, you could first do a is_user($user) check to see if they are a logged in user.

Sorry, no easy answers as I suspect you will need something slightly custom.

Posted: Sat Mar 22, 2008 1:30 pm

montego,
Thanks you for your suggestions.
I'm currently doing more research on .htaccess and I'll definately be looking into NukeWrap.

The reason I'm asking all this, is I'm trying to create another website.
This site would be a very secure social networking site specifically for family and friends with no access to forums, news items, topics, etc. for non-registered users.
Registration would require admin approval, of course (this is what makes this new RN distro {I'll add the approve membership module} so exciting for me).
I'd want to do all I could to protect family pictures, etc. from outside eyes.

Thanks again for your suggestions.

Posted: Sat Mar 22, 2008 9:12 pm

Well montego, this does the trick:

I have a folder on the site (dir1) which contains two sub-folders (dir2 & dir3).
I want to protect everything, except one html file in dir3 (I want my registered users to see it, but no one else).
So I rename the html file in dir3 anything but "index.html" - I like to use alphanumeric file names to make it a little harder to "guess".
Then I make a custom .htaccess file like this:

Code:




Options +FollowSymlinks


RewriteEngine On


RewriteCond %{REQUEST_FILENAME} !myrenamedfile.html$

and place it in dir1. Now anyone attempting to access these folders gets a "403- Forbidden" error, unless they just happen to figure out what the name of that html file is in dir3 (which seems a very remote possibility to me).

Now I go into the AP of my site and set the 'Content' module to 'Registered Users Only', activate it and create a new page in an iframe that links directly to the renamed html file; like this:

Code:




<iframe SRC="http://mywebsite/dir1/dir3/myrenamedfile.html" FRAMEBORDER=0 /></iframe>

Works like a charm.
Is it 100% secure? Nope. But it should be at least six-sigma. Smile

Posted: Mon Mar 24, 2008 5:08 am

Hey, glad its working for you.

"six-sigma": that hits a little too "home" with my work... Wink

EDIT: I just realized that without the right context, that statement sounds pretty arrogant. I am not meaning the work that I produce! Laughing

I am talking about my work's six-sigma program.

Posted: Mon Mar 24, 2008 4:11 pm

WHAT?!?!?!
You mean your coding isn't six-sigma?!?!? Shocked

LOL Just kidding!
You and the crew here make some great stuff!

BTW - I think 'View Source' could be the bane of my existence. Rolling Eyes

Posted: Mon Mar 24, 2008 9:53 pm

mercman wrote:

You mean your coding isn't six-sigma?!?!?

Far from it I am afraid... Laughing

Regular Joined: Mar 13, 2008 Posts: 68

I have a similar point well it maybe related..

Is there a way to make only registered users be ble to view the full extended news and topics?

I have topics as reg users in the admin but as I have news in the home its to all visitors?

P

Posted: Tue Mar 25, 2008 3:33 pm

pdfx,
A non-registered user may be able to see the 'Topics' link in the modules block, but as long as you have Topics set to 'Registered Users Only' in the AP, all they see is "You are trying to access a restricted area."

Posted: Tue Mar 25, 2008 7:19 pm

You can also keep a module from showing up in the modules block with one switch within the modules administration.

Posted: Wed Mar 26, 2008 2:36 am

Yeah hello, thanks for the answer but i think you slightly misunderstand or i didnt make it that clear.

In my admin i have topics to reg users only thats all fine. But as I have news set to visible in home the article content i have added all becomes visible to all visitors which seems to be standard. I would like to still have the story text in the home but all the articles and extended text of a article for registered users, is that possible..

Thanks again P

Posted: Wed Mar 26, 2008 7:26 pm

Not without hacking code... at least not what I can think of anyways.