Admin only access to articles. Is this secure?

Peekay
Posts: 286
Joined: Sun 25. Jul 2004, 23:24
Location: UK

Post by Peekay »

Can someone pick holes in this?

I have a client whose present website is controlled by a custom data entry form and a PHP script. The form is accessed with a username and password via an 'admin' page.

I am trying to replicate this scenario using PHPWCMS 1.2.3 and wondered if the following method will ensure that only the client has access to the form.

1) I created a category called 'scripts'
2) I gave the category the alias 'scripts'.
3) I selected 'Hide' (from main menu) and 'Visible for users logged on only'
4) I added an article to this category with the entry form and PHP script and created the custom tables in the database.

When I log in to the backend I can open this page and use the form. If I am not logged in, I cannot see the page. This is exactly what I want, but I am concerned that there may be a loophole somewhere.

Comments from anyone who can see a problem (or a better way) would be welcome. :)
jsavage
Posts: 44
Joined: Sun 2. May 2004, 18:40

Post by jsavage »

I haven't checked recently, but there was a vulnerability involving the RSS feed displaying content that was otherwise not visible. You could always remove the rss.php script if this is the case, but it's worth being aware of and checking.

James
Peekay
Posts: 286
Joined: Sun 25. Jul 2004, 23:24
Location: UK

Post by Peekay »

Thx for that info jsavage. I'll check that out.

I'm sure the 'visible only if logged in' feature never worked in earlier versions of PHPWCMS (apologies if I'm wrong about that). It will be nice if it can be utilised to create pages visible to admin users only.
Oliver Georgi
Site Admin
Posts: 9919
Joined: Fri 3. Oct 2003, 22:22

Post by Oliver Georgi »

"Visible for users logged on only" is still not working at the moment. But you can uncheck "visible" and "public" - then you can edit articles, and nobody who is not logged in is able to see the article you are still working on...

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
goshen
Posts: 42
Joined: Mon 4. Oct 2004, 10:57
Location: Geelong, Australia

Post by goshen »

Indeed, I found that unchecking all 4 boxes (the two at the top, and at the bottom of a structure level) would hide the structure level, but as soon as you were logged in, they show up. This works fine, although I think you have to make each article "Non Public" too, or you can get to them through a direct link, for example if someone flukes the address, or you put a link elsewhere.
http://www.kitepower.com.au/news (phpWCMS v1.1)
http://www.gkhome.net (phpWCMS v1.21 DEV)
Oliver Georgi
Site Admin
Posts: 9919
Joined: Fri 3. Oct 2003, 22:22

Post by Oliver Georgi »

Structure hiding is just a question of visibility and has nothing to do with secure access...

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
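
The two leak paths raised in this thread (a direct link to the article, and the rss.php feed) can be checked from a logged-out client. The following is an added example, not code from any poster or from phpwcms; the URLs, the marker string `client_entry_form` and the sample responses are constructed assumptions to be replaced with the site's own values.

```python
"""Check that hidden phpwcms content is not served to logged-out visitors."""
import urllib.error
import urllib.request


def fetch_anonymous(url, timeout=10):
    """GET url with no cookies or credentials; return (status, body text)."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def find_exposures(urls, marker, fetch=fetch_anonymous):
    """Return the URLs whose logged-out response contains the marker string.

    marker is a string that only appears in the protected article, for
    example the name of a field on the data entry form (assumed here).
    """
    exposed = []
    for url in urls:
        try:
            status, body = fetch(url)
        except OSError:
            continue  # host unreachable: nothing was served
        # A 200 alone proves nothing (the CMS may render an empty page),
        # so the verdict rests on the protected content being in the body.
        if marker.lower() in body.lower():
            exposed.append(url)
    return exposed


# Constructed sample responses standing in for a live site (hypothetical URLs).
SAMPLE_SITE = {
    "http://cms.example/index.php?scripts": (200, "<html><body></body></html>"),
    "http://cms.example/rss.php": (200, "<rss><item><description>"
                                   "&lt;input name=\"client_entry_form\"&gt;"
                                   "</description></item></rss>"),
}

if __name__ == "__main__":
    leaks = find_exposures(SAMPLE_SITE, "client_entry_form", SAMPLE_SITE.get)
    for url in leaks:
        print("EXPOSED to logged-out visitors:", url)
```

Against a real site, call `find_exposures` with the article's direct URL and the feed URL and leave `fetch` at its default, from a machine that holds no backend session.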