Sentinel HTTP Auth and Forums ACP?

Worker Joined: Aug 06, 2004 Posts: 192

Ok I know HTTP Auth protects admin.php so this link http://www.yoursite.com/admin. php?op=forums is protected. However is you goto to:

http://www.yoursite.com/modules/Forums/admin/index.php you bypass the HTTP Auth login box. Is there a way to have the same login box protect both files?

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

A quick solution would be, if you have .htaccess, you could add theis code to the top of your .htaccess (This is the CGI Auth code)

Code:

# -------------------------------------------


# Start of NukeSentinel(tm) admin.php Auth


# -------------------------------------------


<Files .staccess>


  deny from all


</Files>





<Files modules/Forums/admin/index.php>


   <Limit GET POST PUT>


      require valid-user


   </Limit>


   AuthName "Restricted"


   AuthType Basic


   AuthUserFile /path/to/your/.staccess


</Files>

Then, you will need to set up your .staccess with valid user names and encrypted passwords. We should be able to get this into NukeSentinel where you won't need this, but this would be a quick fix. BTW, I haven't tested it so let me know if it works or not Wink

registered · Posted: Wed Dec 22, 2004 8:21 pm

On my test site i've done this:

Code:

# -------------------------------------------


# Start of NukeSentinel(tm) admin.php Auth


# -------------------------------------------


  <Files .staccess>


    deny from all


  </Files>


  <Files admin.php>


    <Limit GET POST PUT>


      require valid-user


    </Limit>


    AuthName "Restricted by NukeSentinel(tm)"


    AuthType Basic


    AuthUserFile /my/path/to/.staccess


  </Files>


  <Files modules/Forums/admin/index.php>


    <Limit GET POST PUT>


      require valid-user


    </Limit>


    AuthName "Restricted by NukeSentinel(tm)"


    AuthType Basic


    AuthUserFile /my/path/to/.staccess


  </Files>


# -------------------------------------------


# End of NukeSentinel(tm) admin.php Auth


# -------------------------------------------

However it's not bring up the forced login thru CGI Auth Sad

Posted: Wed Dec 22, 2004 9:13 pm

create a new .htaccess file for your modules/Forums/admin/ directory and add this:

Code:

# -------------------------------------------


# Start of NukeSentinel(tm) admin.php Auth


# -------------------------------------------


  <Files index.php>


    <Limit GET POST PUT>


      require valid-user


    </Limit>


    AuthName "Restricted by NukeSentinel(tm)"


    AuthType Basic


    AuthUserFile /path/to/your/.staccess


  </Files>


# -------------------------------------------


# End of NukeSentinel(tm) admin.php Auth


# -------------------------------------------

This requires that you have CGIAuth completely setup thru NukeSentinel on your site for this to work properly.

Posted: Thu Dec 23, 2004 12:58 pm

I don't use CGI Auth/.staccess I just use the .htaccess HTTP auth setting. Is there a way to do is using that or do I have to setup CGI Auth/.staccess? If so thats what I will do.

Posted: Tue Jan 25, 2005 12:40 pm

Raven or Bob,

Do you see a problem with doing this...

Open includes/sentinel.php and find:

Code:

if (basename($_SERVER['SCRIPT_NAME'], '.php')==$admin_file) {

and replace with this:

Code:

if ((basename($_SERVER['SCRIPT_NAME'], '.php')==$admin_file) OR ($_SERVER['SCRIPT_NAME'] == '/modules/Forums/admin/index.php')) {

It seems to work correctly for me and force the HTTP Auth when using a direct link to the forums ACP.

Posted: Tue Jan 25, 2005 3:56 pm

Doesn't seem to work when I tried it but whats new lol!
But this seems to work ok for me:
if ((basename($_SERVER['SCRIPT_NAME'], '.php')==$admin_file) OR (stripos_clone($_SERVER['REQUEST_URI'], '/modules/Forums/admin/'))) {

Posted: Tue Jan 25, 2005 6:09 pm

Giving this a little more thought just /admin would be pretty good too because it would catch any direct access to modules/modulename/admin too. I can't think of any conflicts off the top of my head.

Posted: Tue Jan 25, 2005 9:24 pm

It's good. I just put a separate CGIAuth in the admin folder.

Posted: Tue Jan 25, 2005 10:08 pm

This might be a dumb question but, whats the difference between $_SERVER['REQUEST_URI'] and $_SERVER['SCRIPT_NAME']?

Posted: Tue Jan 25, 2005 10:48 pm

I thought $_SERVER['QUERY_STRING'] and $_SERVER['REQUEST_URI'] are basically the full request string and the $_SERVER['SCRIPT_NAME'] and $_SERVER['PHP_SELF'] are the actual script file name. But I've been wrong before.

Posted: Wed Jan 26, 2005 1:29 am

See if this helps http://php.planetmirror.com/manual/en/reserved.variables.php

Posted: Wed Jan 26, 2005 7:45 am

Thanks guys. RavensScripts

So we could use something like this:

Code:

if ((basename($_SERVER['SCRIPT_NAME'], '.php')==$admin_file) OR (stripos_clone($_SERVER['REQUEST_URI'], '/admin'))) {

or this

Code:

if ((basename($_SERVER['SCRIPT_NAME'], '.php')==$admin_file) OR (stripos_clone($_SERVER['REQUEST_URI'], '/admin/'))) {

Which would be correct?

Posted: Mon Jan 31, 2005 10:18 am

I went with this but there is slightly more of a potential for conflict. But it activates when accessing urls like /modules.php?name=Your_Account&file=admin which I like very much.

Code:




if ((basename($_SERVER['SCRIPT_NAME'], '.php')==$admin_file) OR (stripos_clone($_SERVER['REQUEST_URI'], 'admin'))) {