Ravens PHP Scripts: Forums
 

 

emmaphp
Worker
Joined: Aug 22, 2006
Posts: 192
Posted: Tue Dec 04, 2007 12:28 pm

Hi All,

I have just installed a new website using RavenNuke Version 2.10.01.

I am new to the Groups and the Users Group/Points functions and after much time trying to find my way around the administration of these, I have made the following observations and have two fundamental questions.

Firstly it appears that out of the 2 functions (Groups and the Users Group/Points), if you create a Group, there are only 2 ways for a user to be added to a Group:

1. If the group is Public for all to see, users can add themselves to that group, (unless the maximum number of users allowed in that group has been reached)

2. A user can be added (manually) by an administrator/moderator

Secondly, if you want users to be automatically added to a section of your website that is only viewable by users who have gained enough points, you must use the Points functions. You can either have users access an existing section of the PHP Nuke website when they have gained enough points or create your own Module and subsequently allocate the Module its own 'Users Group', (which you would also have set with a number of points the user requires in order to view the Module).

It appears that a Module belonging to the Users Group/Points facility will only show up in the Modules Block when the (registered) user has accumulated enough points to access that Module.

So these are the observations I have made and I would be grateful if someone could verify I have understood this all correctly.

Now for the 2 main questions...


1. Although it appears that a Module belonging to the Users Group/Points facility will only show up in the Modules Block when the (registered) user has accumulated enough points to access that Module, I am finding the following problem. If a registered user is signed into their account but does not have enough points to access a Module, but they know the exact URL of the Module they want to access, they can access the Module by typing the URL directly into their browser address bar. How do you prevent this because if you cannot then users can simply tell one another the URL and gain access without having the correct number of points etc?

2. If I create a new Module (say for example a Module that allows a user to click a link and watch a video from the YouTube website), how do you get PHP Nuke to recognise this and award the user some points for the action of clicking the button that is linked to the YouTube website?
 
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
Posted: Tue Dec 04, 2007 1:01 pm

1) Let me look into this a little bit and get back to you. I've never used the group points system, and I get the impression not a lot of others do either. It may be kind of half-baked. I would think that if implemented correctly, modules.php would see if the points system is turned on and check points before allowing access to a particular module. But maybe it isn't doing that.

2) The downloads and web links module do this kind of thing. When you click on a web link for example, it updates the hit count, awards points (probably), and then forwards the user (with a PHP header() function) to the remote resource. You could maybe glean examples from those two modules.

emmaphp
Posted: Tue Dec 04, 2007 1:06 pm

Thanks for that reply Gremmie,

However, while I appreciate the Points system is already integrated with existing (System) Modules, the second question is more directed towards the issue if you have created your own Module and want a user to gain points for doing something within it, (such as clicking a link or button)?
 
Gremmie
Posted: Tue Dec 04, 2007 2:52 pm

Your new module has to call a PHP-Nuke function, the name escapes me now (points() ?), in order to update the user's points. Again, see the web links or downloads modules, as I am almost certain they do that in there. I can look this up tonight.

If you can't wait till then, just look in the users table for a column called points or user_points or something like that. Then grep the code (start with mainfile.php) for that column name. That will lead you to the function your new module needs to call.
 
emmaphp
Posted: Tue Dec 04, 2007 3:03 pm

Hi again Gremmie,

Thanks for your further reply.

I am not really up on php code and usually I author a Module using HTML and subsequently convert this using one of the online PHPNuke Module creators.

However, that said, I think you are suggesting that I simply have a look at an existing module that has the Points System associated with it, (such as Downloads), and simply replicate the code within it, relating to this. Is that correct?

Also, some more information on the 1st question/issue I raised would be very much appreciated. To clarify, this was as follows:

Although it appears that a Module belonging to the Users Group/Points facility will only show up in the Modules Block when the (registered) user has accumulated enough points to access that Module, I am finding the following problem. If a registered user is signed into their account but does not have enough points to access a Module, but they know the exact URL of the Module they want to access, they can access the Module by typing the URL directly into their browser address bar. How do you prevent this because if you cannot then users can simply tell one another the URL and gain access without having the correct number of points etc?

Thanks again.

(I wonder if Raven is aware of this and has any information, comments or fixes?)
 
Gremmie
Posted: Tue Dec 04, 2007 3:55 pm

Emmaphp, I was going to address that question later. It will require studying the modules.php code. What modules.php should probably do is check the user's points before allowing access to a module. That would prevent your users from passing around exact URLs. But I have a hunch that modules.php is not doing that because the points system in Nuke is kind of a half-baked feature (IMHO).
 
jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom
Posted: Tue Dec 04, 2007 4:10 pm

Sorry to jump in Gremmie.

Emmaphp, I've just set one of my modules to Groups Only and when I try to access it by entering the URL I get the message 'You are trying to access a restricted area'.

Are you still logged in as admin when you are trying this?
 
emmaphp
Posted: Tue Dec 04, 2007 4:24 pm

Hi Jakec,

Thanks for taking the time to respond to my posting.

However, to clarify, I am not having issues when I assign a Module to a Group.

As explained in detail, the problem exists when I try to assign a Module to the Users Group/Points facility. It will only show up in the Modules Block when the (registered) user has accumulated enough points to access that Module, but I am finding that if a registered user is signed into their account but does not have enough points to access a Module and they know the exact URL of the Module they want to access, they can access the Module by typing the URL directly into their browser address bar.

To further clarify, I am referring to when you click on 'Edit' for a Module, you then can select the option to assign the Module to 'Users Group (Valid only if Registered Users are selected above)'.

I trust this eliminates any confusion.

Further responses would be greatly appreciated in order to eliminate this apparent 'security issue'.
 
jakec
Posted: Tue Dec 04, 2007 4:49 pm

OK, I can see the problem now, thank you for clarifying.

What I will do is log an issue on our internal bugtracker and we can then look at this in more detail.
 
emmaphp
Posted: Tue Dec 04, 2007 4:57 pm

Hi again Jakec,

Thanks for your last response.

You know when I find such issues there are always the 2 angles to look at the situation.

Firstly, I can think/hope, 'It must be something I have done wrong, because someone out of the many thousands using this website and Nuke would have already noticed such an 'obvious' issue'. This way of thinking also means the fix will be simple/already available etc.

OR

Secondly, (when I learn there is an issue and others can see it/verify it), I can think 'My posting has not been a waste of time and has helped to make other people's sites more secure etc.' The only problem here with the issue never being realised/noticed before, is that the fix will not always be fast in coming.

So to clarify this ultimate point we have reached, you are agreeing with me that there is an issue?

Thanks in advance for your next reply to this.
 
jakec
Posted: Tue Dec 04, 2007 5:15 pm

Unfortunately, as Gremmie said, I don't think many people use this feature at the moment, as it doesn't really make your site any more secure, because anybody can make a few posts and then gain access, although it may deter the casual spammer.
 
emmaphp
Posted: Tue Dec 04, 2007 6:05 pm

Hi again everyone,

I do see jakec's point about people 'Spamming' in order to gain points from a website and the Points system.

However, my website will be asking for people to make 'News Submissions' and in return they will receive points. Moreover, I will only allow Registered Users to use any Module that awards points and in this way 'Spamming' should be eliminated, or at the very least reduced significantly.

The added reason this should work is that users will gain rewards/prizes for reaching a certain number of points, but they will be notified via email or a registered telephone number from their account details. Again for this reason and the fact they will not be anonymous to admin, they should refrain from 'Spamming' etc.
 
Gremmie
Posted: Tue Dec 04, 2007 6:56 pm

emmaphp,

First of all, the function I was thinking of is called update_points(). A module author would use it to give points to users. However, you can't easily create a new point "reason". It seems you have to use the ones set up in the admin/panel already. They are hardcoded.

Second, I think you are confusing the point system with NSN groups. Which is not hard to do! This is a very poorly documented part of Nuke. I can find nothing in Nuke that grants access to modules based on how many points you have. I find the whole thing half-baked and worthless. I think users can accumulate points by doing certain things on the site, but at this time there is nothing in the core PHP-Nuke code that grants access to modules based on points. The only purpose right now for points is to hide modules in the modules block, as you discovered.

Now we could tighten that up in the next version of RavenNuke, but I'm not really sure there is a demand for such a feature. But if you would like to request such a feature we could add it to our issue tracker and mull it over.

Please note you can however limit module access to NSN groups. If you have assigned an NSN group to a module, an ordinary user not in that NSN group cannot access it, even if he/she types the exact URL. That is probably the preferred way (at least right now) to handle your goals.
 
Gremmie
Posted: Tue Dec 04, 2007 6:59 pm

And just to clarify, when I say "NSN Groups", I am talking about the "Edit Groups" button in the admin panel.
 
emmaphp
Posted: Tue Dec 04, 2007 7:24 pm

Hi again Gremmie,

You will see from my original posting that I was not confusing the 2 issues here and was aware of the functionality of the NSN Groups option.

To confirm, I did write (and requested confirmation I had understood this correctly):


Firstly it appears that out of the 2 functions (Groups and the Users Group/Points), if you create a Group, there are only 2 ways for a user to be added to a Group:

1. If the group is Public for all to see, users can add themselves to that group, (unless the maximum number of users allowed in that group has been reached)

2. A user can be added (manually) by an administrator/moderator


I think you will understand from my last posting why I feel the Points system is a useful/important function.

Thanks for your assistance so far with this.

I look forward to seeing some developments with the matter etc.
 
Gremmie
Posted: Tue Dec 04, 2007 8:21 pm

We are talking about creating a much more coherent and useful group system for a future CMS. That would probably be a ways off.

In the meantime, one could probably hack the functionality you seek into Nuke by modifying code in modules.php. There are checks right now for NSN groups. You could also add checks for points in the same spot.
 
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Tue Dec 04, 2007 8:32 pm

emmaphp wrote:
Firstly it appears that out of the 2 functions (Groups and the Users Group/Points), if you create a Group, there are only 2 ways for a user to be added to a Group:

1. If the group is Public for all to see, users can add themselves to that group, (unless the maximum number of users allowed in that group has been reached)

2. A user can be added (manually) by an administrator/moderator


The groups you are referring to in the above statement are definitely NSN Groups only (the "Edit Groups"). So, that is confirmed, AND, these have nothing to do with User Group/Points, so, also confirmed.

Quote:
I think you will understand from my last posting why I feel the Points system is a useful/important function.


The point that was being made is that, yes, maybe you find the points system useful, but I can honestly say that this has probably been a bug in nuke since the inception of the points system and everyone has pretty much written off the feature as useless. JMO.

You will not find too many nuke programmers all that interested in fixing up the points system code I am afraid...

Gremmie
Posted: Tue Dec 04, 2007 8:52 pm

Wow it actually looks like Nuke is attempting to use the point system in modules.php to decide access, but it is botched! (Surprise!)

Notice this check:

Code:


} elseif($view == 1 AND ((isset($user) AND (is_user($user) OR is_group($user, $name))) OR (isset($admin) AND is_admin($admin)))) {
   include_once($modpath);


The is_group($user, $name) is the function that checks the points.

What should happen here is that the above should be fixed, and then add another else if above that one:

"if admin OR (if this module has a point based user group assigned to it, and isset($user) and is_user($user) and in_group($user, $name)), then allow access".
 
Gremmie
Posted: Wed Dec 05, 2007 7:56 am

emmaphp, I'll try to come up with a fix for this. Do you want to help test it?
 
emmaphp
Posted: Wed Dec 05, 2007 8:02 am

Hi Gremmie,

From your last 2 postings it sounds as though a fix for this isn't 'rocket science' and isn't going to take too long etc. Is that correct?

As for testing, I am not sure what is involved, other than to implement the/any fixed files to my installation and make sure the Points system does work without any issues/flaws? If that is so, I do not see why I should not test this.
 
Gremmie
Posted: Sat Dec 08, 2007 2:44 pm

I have a fix for this in our revision control system for the next release of RavenNuke. emmaphp, if you would like to test this, please PM me an email address and I can send you the changes. Thanks.
 
emmaphp
Posted: Sun Dec 09, 2007 6:51 pm

Hi everyone,

There were initially 2 issues raised by myself in this topic.

Subsequent to all the previous postings on this topic, Gremmie and I continued corresponding through Private Messages to resolve the following one of the two initial questions raised:


1. Although it appears that a Module belonging to the Users Group/Points facility will only show up in the Modules Block when the (registered) user has accumulated enough points to access that Module, I am finding the following problem. If a registered user is signed into their account but does not have enough points to access a Module, but they know the exact URL of the Module they want to access, they can access the Module by typing the URL directly into their browser address bar. How do you prevent this because if you cannot then users can simply tell one another the URL and gain access without having the correct number of points etc?


The resolution was to change some code in the modules.php file in the RavenNuke Version 2.10.01 download package/software.

If you are experiencing the same problem and wish to change the code in the modules.php file in your package/software, the new code is as follows:

Code:
<?php


/************************************************************************/
/* PHP-NUKE: Advanced Content Management System                         */
/* ============================================                         */
/*                                                                      */
/* Copyright (c) 2002 by Francisco Burzi                                */
/* http://phpnuke.org                                                   */
/*                                                                      */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License.       */
/*                                                                      */
/************************************************************************/
/********************************************************/
/* NSN Groups                                           */
/* By: NukeScripts Network (webmaster@nukescripts.net)  */
/* http://www.nukescripts.net                           */
/* Copyright © 2000-2005 by NukeScripts Network         */
/********************************************************/
/************************************************************************/
/* Additional code clean-up, performance enhancements, and W3C and      */
/* XHTML compliance fixes by Raven and Montego.                         */
/************************************************************************/

define('MODULE_FILE', true);
require_once('mainfile.php');
$module = 1;
$name = trim($name);
if(!isset($file)) { $file='index'; }
if(isset($name)) {
   if(eregi('http\:\/\/', $name)) { die('Hi&nbsp;and&nbsp;Bye'); }
   if(eregi('http\:\/\/', $file)) { die('Hi&nbsp;and&nbsp;Bye'); }
   $modstring = strtolower($_SERVER['QUERY_STRING']);
   if(stripos_clone($modstring,'&user=') AND ($name=='Private_Messages' || $name=='Forums' || $name=='Members_List')) header('Location: index.php');
   global $nukeuser, $db, $prefix;
   $nukeuser = base64_decode($user);
   $nukeuser = addslashes($nukeuser);
   $result = $db->sql_query('SELECT * FROM `'.$prefix.'_modules` WHERE `title`=\''.$name.'\'');
   $row = $db->sql_fetchrow($result);
   $mod_active = intval($row['active']);
   $view = intval($row['view']);
   $groups = $row['groups'];
   $mod_group = intval($row['mod_group']);
   if(($mod_active == 1) OR (isset($admin) AND is_admin($admin))) {
      if(!isset($mop)) { $mop='modload'; }
      if(!isset($file)) { $file='index'; }
      if(ereg('\.\.',$name) || ereg('\.\.',$file) || ereg('\.\.',$mop)) {
         $pagetitle = '- '._SOCOOL;
         include_once('header.php');
         OpenTable();
         echo '<center><b>'._SOCOOL.'</b></center><br />';
         echo '<center>'._GOBACK.'</center>';
         CloseTable();
         include_once('footer.php');
         die();
      } else {
         $ThemeSel = get_theme();
         if(file_exists('themes/'.$ThemeSel.'/modules/'.$name.'/'.$file.'.php')) {
            $modpath = 'themes/'.$ThemeSel.'/';
         } else {
            $modpath = '';
         }
         $modpath .= 'modules/'.$name.'/'.$file.'.php';
         if(file_exists($modpath)) {
            // The module's $view describes the accessibility of the module:
            // 0 - All Visitors
            // 1 - Registered Users Only
            // 2 - Administrators Only
            // 3 - Paid Subscribers Only
            // 4 - NSN Groups Only
            // *Note: Admins can see all access levels.
            // *Note for the Users Group/Points system: If a module is set to Registered Users Only, but has a non-zero
            //  mod_group value, then the module is only available to those users who have enough points to be in that
            //  Users Group.

            $canView = ($view == 0) ||                               // all visitors
               ($view == 1 && isset($user) &&                        // registered user and
                  ($mod_group <= 0 || is_group($user, $name))) ||    //   (no points needed OR user has points)
               (isset($admin) && is_admin($admin)) ||                // is admin
               ($view == 3 && paid()) ||                             // paid subscriber
               ($view >= 4 && in_groups($groups));                   // NSN Groups user

            if ($canView) {
               include_once($modpath);
            } else {
               $pagetitle = '- '._RESTRICTEDAREA;
               include_once('header.php');
               OpenTable();
               echo '<center><b>'._RESTRICTEDAREA.'</b></center><br />';
               echo '<center>'._GOBACK.'</center>';
               CloseTable();
               include_once('footer.php');
               die();
            }
         } else {
            $pagetitle = '- '._FILENOTFOUND;
            include_once('header.php');
            OpenTable();
            echo '<center><b>'._FILENOTFOUND.'</b></center><br />';
            echo '<center>'._GOBACK.'</center>';
            CloseTable();
            include_once('footer.php');
            die ();
         }
      }
   } else {
      $pagetitle = '- '._MODULENOTACTIVE;
      include_once('header.php');
      OpenTable();
      echo '<center>'._MODULENOTACTIVE.'</center><br />';
      echo '<center>'._GOBACK.'</center>';
      CloseTable();
      include_once('footer.php');
      die ();
   }
} else {
   $pagetitle = '- '._MODULENOTFOUND;
   include_once('header.php');
   OpenTable();
   echo '<center>'._MODULENOTFOUND.'</center><br />';
   echo '<center>'._GOBACK.'</center>';
   CloseTable();
   include_once('footer.php');
   die ();
}

if(!function_exists('stripos_clone')) {
   function stripos_clone($haystack, $needle, $offset=0) {
      return strpos(strtoupper($haystack), strtoupper($needle), $offset);
   }
}

?>
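
The access rules discussed in this thread, as an added example that is not part of the original posts or of RavenNuke: the "Registered Users Only" branch Gremmie quoted and the `$canView` expression from the posted modules.php are written as pure functions and run over a constructed table of cases, so the direct-URL case can be checked without a Nuke install. All function and key names are hypothetical; the booleans stand in for the results of is_user(), is_group(), is_admin(), paid() and in_groups().

```php
<?php
// Added illustration, not RavenNuke code. 'is_user' is assumed to come from a
// validated login (as is_user() would give), not merely from $user being set.

const DEFAULTS = [
    'view' => 0, 'mod_group' => 0, 'is_user' => false, 'has_points' => false,
    'is_admin' => false, 'paid' => false, 'in_nsn_group' => false,
];

// The branch quoted in the thread: is_user OR is_group, so any registered
// user passes whether or not they have the points for the module.
function old_registered_branch(array $c): bool
{
    return $c['view'] === 1
        && ($c['is_user'] || $c['has_points'] || $c['is_admin']);
}

// The $canView expression from the posted modules.php.
function new_can_view(array $c): bool
{
    return $c['view'] === 0                                   // all visitors
        || ($c['view'] === 1 && $c['is_user']                 // registered and
            && ($c['mod_group'] <= 0 || $c['has_points']))    //   no points needed OR has points
        || $c['is_admin']                                     // admins see everything
        || ($c['view'] === 3 && $c['paid'])                   // paid subscriber
        || ($c['view'] >= 4 && $c['in_nsn_group']);           // NSN Groups member
}

// Constructed cases: [label, overrides, decision expected after the fix].
$cases = [
    ['anonymous, view=0', [], true],
    ['anonymous, view=1', ['view' => 1], false],
    ['registered, view=1, no points group',
        ['view' => 1, 'is_user' => true], true],
    ['registered, view=1, mod_group=2, too few points',
        ['view' => 1, 'mod_group' => 2, 'is_user' => true], false],
    ['registered, view=1, mod_group=2, enough points',
        ['view' => 1, 'mod_group' => 2, 'is_user' => true, 'has_points' => true], true],
    ['registered, view=2 (admins only)', ['view' => 2, 'is_user' => true], false],
    ['admin, view=2', ['view' => 2, 'is_admin' => true], true],
    ['registered, view=3, not a subscriber', ['view' => 3, 'is_user' => true], false],
    ['registered, view=4, outside NSN group', ['view' => 4, 'is_user' => true], false],
    ['registered, view=4, in NSN group',
        ['view' => 4, 'is_user' => true, 'in_nsn_group' => true], true],
];

$failures = 0;
foreach ($cases as [$label, $overrides, $expected]) {
    $c   = array_merge(DEFAULTS, $overrides);
    $new = new_can_view($c);
    // The old branch only applies to view=1 modules.
    $old = $c['view'] === 1 ? old_registered_branch($c) : null;

    $note = '';
    if ($new !== $expected) {
        $failures++;
        $note = '  <-- UNEXPECTED';
    } elseif ($old === true && $new === false) {
        $note = '  <-- old check allowed this request';
    }
    printf(
        "%-50s old=%-5s new=%-5s%s\n",
        $label,
        $old === null ? 'n/a' : ($old ? 'allow' : 'deny'),
        $new ? 'allow' : 'deny',
        $note
    );
}
exit($failures === 0 ? 0 : 1);
```

Run it with `php` on the command line; a non-zero exit status means one of the constructed cases no longer gets the decision listed for it.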
 