

[SOLVED] Protecting a profile with a password?

  • krileon
  • ONLINE
  • Posts: 48474
  • Thanks: 8281
  • Karma: 1443
11 years 1 week ago #235804 by krileon
Replied by krileon on topic Protecting a profile with a password?
Sorry, I guess I don't understand what you're trying to do then. When you set "User" to "User", all substitutions will be based off the viewing user's profile data. If you want both the viewing user's and the profile user's data, then set "User" to "User" and use [FIELD_NAME] for the viewing user's profile data and [var1_FIELD_NAME] for the displayed user's profile data. My example below already checks to make sure the viewing user is not the displayed user.

www.joomlapolis.com/forum/153-professional-member-support/223141-protecting-a-profile-with-a-password?limitstart=0


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.


  • OldLodgeSkins
  • OFFLINE
  • Posts: 119
  • Thanks: 5
  • Karma: 2
  • Add-ons
10 years 11 months ago - 10 years 11 months ago #237571 by OldLodgeSkins
Replied by OldLodgeSkins on topic Protecting a profile with a password?
The solution just popped into my head, I'm sharing it here in case anyone else has the same need as myself...

The problem with the password "protection" method I was using initially (note the quotes) is that it's not secure, at all. Because the validation is done client-side, the actual password can be obtained by the visitor from the page's source. The validation obviously needs to be done server-side, so how do you get the visitor to submit his password client-side and then have it validated server-side, using CB and Auto Actions?

The answer lies in the URL.

First you have a small piece of JS code in an Auto Action that collects the visitor's password but does not do the validation. Instead, it reloads the exact same page with one additional variable in the URL: the password submitted by the visitor.
Then, once the page is reloaded, another Auto Action, in PHP this time (so, server-side), checks for the presence of the variable in the URL and validates it against the real password (preferably in the form of an MD5 hash, i.e. when the account's owner saves his display password, you have an Auto Action store the MD5 hash of the password in the database rather than the password itself).

And voilà... The validation is done server-side, and neither the real password nor its hash is ever sent to the client.

I had the idea just minutes ago and haven't tried it yet but this should work. I was looking at solutions way too complicated when the real solution is finally quite simple...

Seb.

PS: How do you prevent people with JS disabled from bypassing it? With the noscript tag and a little bit of PHP, in your template's HTML header between <head> and </head>, like this:
Code:
<?php
// Rebuilds the URL of the page currently being served from the request environment.
function curPageURL() {
    $pageURL = 'http';
    if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
        $pageURL .= "s";
    }
    $pageURL .= "://";
    if ($_SERVER["SERVER_PORT"] != "80") {
        $pageURL .= $_SERVER["SERVER_NAME"] . ":" . $_SERVER["SERVER_PORT"] . $_SERVER["REQUEST_URI"];
    } else {
        $pageURL .= $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    }
    return $pageURL;
}

// The check below tests $currenturl, so it has to be filled in first.
$currenturl = curPageURL();

// On profile pages, visitors with JavaScript disabled are sent to an explanatory article.
if (strpos($currenturl, 'my-account') !== false OR strpos($currenturl, 'profile') !== false) {
    echo '<noscript><meta http-equiv="Refresh" content="0; url=/index.php?option=com_content&view=article&id=30:javascript-is-disabled" /></noscript>';
}
?>

Of course here I am using "my-account" as alias for the profiles, this may be different in your case, so just adapt it.
Last edit: 10 years 11 months ago by OldLodgeSkins.


  • OldLodgeSkins
  • OFFLINE
  • Posts: 119
  • Thanks: 5
  • Karma: 2
  • Add-ons
10 years 11 months ago - 10 years 11 months ago #237697 by OldLodgeSkins
Replied by OldLodgeSkins on topic Protecting a profile with a password?
Alright, I'm nearly there... Except I'm having a difficulty validating the viewer password in PHP after it's been entered.

So far...

1) I've managed to encode the password directly with a query action; this was the most straightforward. So I now have an MD5-encoded string.
2) I've managed to create a JavaScript action to collect the password from the visitor and then redirect to the same URL with an additional variable in it (i.e. /my-account?htec=xxxx).
3) I'm stuck at the last step. I'm wondering if my PHP (eval) code is being executed at all, or maybe I just made a mistake in it... I'm trying to make it change the value of a field based on that variable, depending on whether its md5 value is equal to the one stored in the database or not.

Both #2 and #3 are triggered on onBeforeUserProfileDisplay and have no conditions.
#2 does not execute if the string 'htec' is present in the URL.

Code for #3 (of course there are fields named cb_secretword and cb_access):
Code:
if (isset($_GET['htec'])) {
    // Compare with original
    $pass = md5($_GET['htec']);
    if ($pass != $cb_secretword) {
        // password invalid, we change the profile type
        $cb_access = "noaccess";
    } else {
        $cb_access = "welcome";
    }
}

I'm sure I'm close... What did I miss?

Thanks.

Seb.

PS: I thought of using a field action with a condition instead but then I can't get the value of a variable in the URL and calculate an MD5 sum, can I?
Last edit: 10 years 11 months ago by OldLodgeSkins.


  • krileon
  • ONLINE
  • Posts: 48474
  • Thanks: 8281
  • Karma: 1443
10 years 11 months ago #237709 by krileon
Replied by krileon on topic Protecting a profile with a password?

3) I'm stuck at the last step i'm wondering if my PHP (eval) code is being executed at all or maybe I just made a mistake in it... I'm trying to make it change the value of a field based on that variable, whether its md5 value is equal to the one stored in the database or not.

It's probably due to the IF check. You never declared $cb_secretword. Please always do implementation tests with Joomla debug mode enabled and error reporting set to maximum. If you don't you'll never know an error occurred.

Code:
if($pass != $cb_secretword)

Try the below.
Code:
if($pass != '[cb_secretword]')

This may cause the if check to properly pass/fail as needed, but your profile type change isn't going to do anything. You can't change a field's value like that.




  • OldLodgeSkins
  • OFFLINE
  • Posts: 119
  • Thanks: 5
  • Karma: 2
  • Add-ons
10 years 11 months ago - 10 years 11 months ago #237713 by OldLodgeSkins
Replied by OldLodgeSkins on topic Protecting a profile with a password?
I did have debug mode on and maximum error reporting while testing but couldn't find anything related to that particular action in the debug info.

If I can't change the field's value this way... then how can I do it?
Or could I simply redirect the visitor somewhere else if the condition fails? If I put an echo statement with some JS redirect in it will it be executed?
Edit: a simple header() in PHP may just do the trick...
Edit 2: I'm getting redirected alright but there must be something wrong with the condition as I'm always redirected. Still it proves it's now being executed... I'll try activating debug mode again.
Last edit: 10 years 11 months ago by OldLodgeSkins.


  • OldLodgeSkins
  • OFFLINE
  • Posts: 119
  • Thanks: 5
  • Karma: 2
  • Add-ons
10 years 11 months ago #237719 by OldLodgeSkins
Replied by OldLodgeSkins on topic Protecting a profile with a password?
Action's debug mode : on
Return: I tried echo, var_dump, print
System's error reporting: maximum
System's debug mode: on
Code:
if (isset($_GET['htec'])) {
    // Compare with original
    $pass = md5($_GET['htec']);
    if ($pass != '[cb_secretword]') {
        // password invalid, we redirect
        //header('Location: index.php');
        echo "invalid";
    }
}

Before commenting the redirection I was getting redirected so this is being executed. However I can't find anything in the debug information...
Is there any way I can make the variables show, just to compare them?

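The design Seb describes in post #237571 (collect the password in JavaScript, reload the page with it in the URL, compare its MD5 against the stored hash server-side) and the check he posts in #237697 and #237719 (md5() of $_GET['htec'] compared with "!=") are reproduced below as an added example, with a hardened variant beside them. This is not code from the thread, from Community Builder or from Joomla: the functions checkWeak(), storeDisplayPassword() and checkHardened(), the request field "htec", the "welcome"/"noaccess" outcomes and the plain PHP array standing in for the Joomla session are assumptions made for the example. It runs as a stand-alone script under the PHP CLI.

```php
<?php
// Added example, not code from the thread or from Community Builder.
// Function names, the request field "htec", the "welcome"/"noaccess"
// outcomes and the plain-array session stand-in are assumptions.
declare(strict_types=1);

// Shape of the check posted in the thread: md5() of a query-string value,
// compared with the stored MD5 using a loose "!=".
function checkWeak(array $get, string $storedMd5): string
{
    if (!isset($get['htec'])) {
        return 'noaccess';
    }
    $pass = md5((string) $get['htec']);
    // Loose comparison: if both strings look like "0e<digits>" PHP compares
    // them as the number 0, so two unrelated hashes can be "equal".
    return ($pass != $storedMd5) ? 'noaccess' : 'welcome';
}

// Hardened owner side: a salted, deliberately slow hash instead of md5.
function storeDisplayPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Hardened visitor side: take the attempt from a POST body (so it stays out
// of access logs, browser history and Referer headers), verify it in
// constant time, and remember success in the session so the secret is sent
// once rather than on every reload. $session stands in for the real
// Joomla session store.
function checkHardened(array $post, string $storedHash, array &$session, int $profileId): string
{
    if (!empty($session['profile_unlocked'][$profileId])) {
        return 'welcome';
    }
    if (!isset($post['htec']) || !is_string($post['htec'])) {
        return 'noaccess';
    }
    if (password_verify($post['htec'], $storedHash)) {
        $session['profile_unlocked'][$profileId] = true;
        return 'welcome';
    }
    return 'noaccess';
}

// Constructed inputs for the demonstration.
$realSecret = 'correct horse';
$storedMd5  = md5($realSecret);

echo "weak, right password:       ", checkWeak(['htec' => $realSecret], $storedMd5), "\n";
echo "weak, wrong password:       ", checkWeak(['htec' => 'wrong'], $storedMd5), "\n";

// Magic-hash case: md5('240610708') and md5('QNKCDZO') are both "0e" followed
// only by digits. With the owner's display password set to '240610708', a
// visitor typing 'QNKCDZO' gets through the loose check.
$storedMagic = md5('240610708');
echo "weak, magic hash:           ", checkWeak(['htec' => 'QNKCDZO'], $storedMagic), "\n";

// hash_equals() compares byte by byte in constant time; if MD5 must stay for
// existing data, this is the minimum fix for the comparison itself.
echo "hash_equals on same pair:   ", var_export(hash_equals($storedMagic, md5('QNKCDZO')), true), "\n";

$storedHash = storeDisplayPassword($realSecret);
$session    = [];
echo "hardened, magic hash:       ", checkHardened(['htec' => 'QNKCDZO'], $storedHash, $session, 42), "\n";
echo "hardened, right password:   ", checkHardened(['htec' => $realSecret], $storedHash, $session, 42), "\n";
echo "hardened, already unlocked: ", checkHardened([], $storedHash, $session, 42), "\n";
```

The magic-hash pair is the well-known one: both md5('240610708') and md5('QNKCDZO') have the form 0e followed by digits, which PHP's loose == and != treat as numeric strings equal to zero, so checkWeak() lets the wrong password through while hash_equals() and password_verify() do not. Moving the attempt from the query string to a POST body is what keeps it out of the web server's access log, the visitor's history and the Referer header sent to any link they click next; the session flag is what avoids resending it on every page load, which the reload-with-?htec= design otherwise requires.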
