Securing Traq (forcing user login)
07-19-2010, 04:30 AM
Post: #1
Securing Traq (forcing user login)
I want to hide Traq from everyone that isn't registered and would like to do it without a .htaccess file.

Figured if($user->loggedin) should be used somewhere? Could anyone point me in the right direction?
07-19-2010, 07:02 PM (This post was last modified: 07-19-2010 07:04 PM by traqqer.)
Post: #2
RE: Securing Traq (forcing user login)
(07-19-2010 04:30 AM)carlt Wrote:  I want to hide Traq from everyone that isn't registered and would like to do it without a .htaccess file.

Figured if($user->loggedin) should be used somewhere? Could anyone point me in the right direction?

I just had a very quick look at the source code and I figure the flow is like this (I may be wrong)
Code:
index.php -> checking -> handlers -> checking -> processing -> template
So hiding could be done at one of the two checking points above.

(1)
In the handlers/newticket.php file, the first few lines are like this:
PHP Code:
// Check user permission
if(!$user->group['create_tickets'])
{
    // Remember where the user was heading, then send them to the login page
    $_SESSION['last_page'] = $uri->geturi();
    header("Location: ".$uri->anchor('user','login'));
    // Closing brace and exit added here so the excerpt is complete;
    // without exit the rest of the handler would still run after the redirect header
    exit;
}
This means that a user who is logged in but does not have permission, cannot navigate to the newticket.php page.

Your requirement is different, that being to test whether the user is registered or not and not show anything if he is not. So I think you will have to put user-check logic in this place.

You could make a global function in the inc/common.php or just write the same 2-3 lines in each of the handlers/something.php where you want to keep something.php visible only for logged in users.

(2) The other option is to check in index.php itself, even before control goes to the handlers. You have to simply redirect the client to the login page every time there is no user logged-in info.

Hope that helps, and do post your patch if it works :-)
-dave
08-11-2010, 11:02 PM
Post: #3
RE: Securing Traq (forcing user login)
Thanks for the very informative response!

I figured locking things down in index.php is the best way of doing it since every request is passed through it.

In index.php after this line (27):
Code:
require('inc/global.php');

Add these lines:
Code:
// isset() added so a request without an action field does not raise a PHP notice
if(!$user->loggedin AND (!isset($_POST['action']) OR $_POST['action'] != 'login')) {
    // Not logged in and not submitting the login form: show the login page and stop
    include(template('user/login'));
    exit;
}

When the if statement is TRUE the user gets the login page.

The first condition checks if the user is logged in. The second after the AND finds out if the user is trying to log in. If so then the request has to be allowed to reach users.php and not be redirected to the login page (which otherwise would have caused a loop making it impossible to login).

Since it's a POST action this should be secure. Had it been a GET action however the login screen would have been easy to bypass by simply adding ?action=login to the end of any URL.

I'm making no claims that this is completely secure. Use with caution.
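As an added illustration of the two points made in this thread (gating every request in index.php, and why the "is this a login attempt" check must look only at a POSTed action, not at query-string parameters), here is a small self-contained PHP script. It is example code written for this thread, not Traq's own code: the $user->loggedin property name is taken from the thread, while the function names, the $_REQUEST-based "weak" variant and the sample requests are constructed here.

```php
<?php
// Added example, not part of Traq. Models the index.php gate from post #3.
// Decide whether a request must be answered with the login page.
// $logged_in must come from the server-side session (Traq's $user->loggedin),
// never from anything the client sends.
function must_show_login(bool $logged_in, string $method, array $post): bool
{
    if ($logged_in) {
        return false;            // authenticated users pass through
    }
    // Only a POSTed login form may reach users.php unauthenticated.
    $is_login_post = $method === 'POST'
        && isset($post['action'])
        && $post['action'] === 'login';
    return !$is_login_post;
}

// Weak variant for comparison: it reads the action from $_REQUEST (GET or POST),
// which is the mistake the thread warns about. Constructed here for contrast only.
function must_show_login_weak(bool $logged_in, array $request): bool
{
    if ($logged_in) {
        return false;
    }
    return !(isset($request['action']) && $request['action'] === 'login');
}

// Constructed sample requests: [description, logged_in, method, GET params, POST params]
$samples = [
    ['anonymous GET /index.php',              false, 'GET',  [],                   []],
    ['anonymous GET ?action=login (bypass)',  false, 'GET',  ['action' => 'login'], []],
    ['anonymous POST login form',             false, 'POST', [],                   ['action' => 'login']],
    ['anonymous POST other action',           false, 'POST', [],                   ['action' => 'newticket']],
    ['logged-in GET /index.php',              true,  'GET',  [],                   []],
];

foreach ($samples as [$desc, $logged_in, $method, $get, $post]) {
    $strict = must_show_login($logged_in, $method, $post);
    $weak   = must_show_login_weak($logged_in, array_merge($get, $post));
    printf("%-40s strict: %-12s weak: %s\n",
        $desc,
        $strict ? 'login page' : 'pass',
        $weak   ? 'login page' : 'pass');
}
// The second row is the one that matters: the strict check still shows the
// login page, while the weak check lets "?action=login" on any URL through.
```

Run it with `php gate.php`; the output table shows that both versions agree on every request except the GET with ?action=login appended, which the $_REQUEST-based check waves through. This is exactly why the index.php snippet in the thread tests $_POST['action'] and nothing else, and why the logged-in flag itself must be read from the session rather than from the request.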