
Securing Traq (forcing user login)


3 replies to this topic

#1 carlt

carlt

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 18 July 2010 - 06:30 PM

I want to hide Traq from everyone that isn't registered and would like to do it without a .htaccess file.

Figured if($user->loggedin) should be used somewhere? Could anyone point me in the right direction?

#2 traqqer

traqqer

    Newbie

  • Members
  • Pip
  • 6 posts

Posted 19 July 2010 - 09:02 AM

I want to hide Traq from everyone that isn't registered and would like to do it without a .htaccess file.

Figured if($user->loggedin) should be used somewhere? Could anyone point me in the right direction?


I just had a very quick look at the source code and I figure the flow is like this (I may be wrong):
index.php -> checking -> handlers -> checking -> processing -> template
So hiding could be done at one of the two checking points above.

(1)
In the handlers/newticket.php file, the first few lines are like this:
// Check user permission: $user is populated by inc/global.php before the handler runs
if(!$user->group['create_tickets'])
{
// remember the requested page so the login handler can send the user back afterwards
$_SESSION['last_page'] = $uri->geturi();
// redirect to the login page
header("Location: ".$uri->anchor('user','login'));
// added: without this, PHP keeps executing the rest of the handler after sending the redirect header
exit;
}

This means that a user who is logged in but does not have permission, cannot navigate to the newticket.php page.

Your requirement is different, that being to test whether the user is registered or not and not show anything if he is not. So I think you will have to put user-check logic in this place.

You could make a global function in the inc/common.php or just write the same 2-3 lines in each of the handlers/something.php where you want to keep something.php visible only for logged in users.

(2) The other option is to check in index.php itself, even before control goes to the handlers. You have to simply redirect the client to the login page every time there is no user logged-in info.

Hope that helps, and do post your patch if it works :-)
-dave

#3 carlt

carlt

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 11 August 2010 - 01:02 PM

Thanks for the very informative response!

I figured locking things down in index.php is the best way of doing it since every request is passed through it.

In index.php after this line (27):
require('inc/global.php');

Add these lines:
// Not logged in, and this request is not a login attempt: show the login page and stop.
// isset() avoids a PHP notice on requests that carry no "action" field at all.
if(!$user->loggedin AND (!isset($_POST['action']) OR $_POST['action'] != 'login')) {
	include(template('user/login'));
	exit;
}

When the if statement is TRUE the user gets the login page.

The first condition checks if the user is logged in. The second after the AND finds out if the user is trying to log in. If so then the request has to be allowed to reach users.php and not be redirected to the login page (which otherwise would have caused a loop making it impossible to login).

Since it's a POST action this should be secure. Had it been a GET action however the login screen would have been easy to bypass by simply adding ?action=login to the end of any URL.

I'm making no claims that this is completely secure. Use with caution.
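The gate logic from the index.php hack above, pulled into a function that can be exercised with constructed requests; this is an added example, not code from the thread or from Traq, and the function name and its array arguments are assumptions. It adds an explicit REQUEST_METHOD check so the "POST only" intent does not depend solely on how PHP fills $_POST.

```php
<?php
// Added example: decide what index.php should do with a request before
// control reaches the handlers. Returns 'allow' or 'login'.
function gate_decision(bool $loggedIn, array $server, array $post): string
{
    if ($loggedIn) {
        return 'allow';
    }
    // Only a POST whose body carries action=login may pass through to the
    // login handler (otherwise logging in would be impossible, as the thread
    // notes). $_POST is never filled from the query string, so a GET URL with
    // "?action=login" appended cannot satisfy this condition; the method check
    // makes that requirement explicit.
    $isLoginPost = ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && isset($post['action'])
        && $post['action'] === 'login';
    return $isLoginPost ? 'allow' : 'login';
}

// Constructed sample requests, not captured traffic.
$cases = [
    'logged-in GET'        => [true,  ['REQUEST_METHOD' => 'GET'],  []],
    'anonymous GET'        => [false, ['REQUEST_METHOD' => 'GET'],  []],
    'anonymous POST login' => [false, ['REQUEST_METHOD' => 'POST'], ['action' => 'login']],
    'anonymous POST other' => [false, ['REQUEST_METHOD' => 'POST'], ['action' => 'newticket']],
];

// "?action=login" on a GET request lands in $_GET, never in $_POST.
parse_str('action=login', $queryFromUrl);
$cases['anonymous GET ?action=login'] = [false, ['REQUEST_METHOD' => 'GET'], []];

foreach ($cases as $name => [$loggedIn, $server, $post]) {
    printf("%-28s -> %s\n", $name, gate_decision($loggedIn, $server, $post));
}
```

Only the "logged-in GET" and "anonymous POST login" cases print allow; every other case, including the GET with the login action in its query string, prints login.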

#4 uscher

uscher

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 10 November 2010 - 08:20 PM

Awesome, dude, your index.php hack is working just perfect, thanks for this :-)

How can this be realized:

I'd like to create a user/group who cannot access the USERS, SETTINGS and PLUGINS pages (best would be that these pages are not visible to this group), but who does have access to the rest, like creating projects, milestones, tickets....

I found the ...traq\admincp\groups.php where the group rights can be set for creating tickets and more. The table starts somewhere on line 96. Would it be a hassle to implement my wishes there? (Be nice to me, I'm a PHP nerd :( )

This would make TRAQ perfect for our needs!!!
thanks in advance
uscher
