Search…

X3 Photo Gallery Support Forums

Search…
 
User avatar
mjau-mjau
X3 Wizard
Topic Author
Posts: 11337
Joined: 30 Sep 2006, 07:37

X3 Beta V0.11 [Password protected pages]

08 Jun 2015, 18:38

X3 Beta V0.11
[Password Protected Pages]
Apart from fixing a few minor bugs [1,2,3,4], this update is all about password-protected pages in X3. I wish new features like this did not take so long, but when we add something, we want to do it properly.

Upgrade Instructions
You need to update ALL files from the latest X3 release, except your /content/ folder as usual. Also, remember to make backup of your /panel/config.php so you can keep it (panel/config.php has not changed in this release, so you can ignore it). There is a new file in root called "protect.php", which needs to be writeable from the panel. Also, we have upgraded CSS and JS files (on the CDN) to 0.11.

PS! The protect section contains some demo links and users by default, which may be removed once you understand the concept.

Usage
There is a new "Protect" section in the admin panel, which allows you to password-protect links. I will give some examples with screenshots instead of writing too much.

To protect a specific link, just select it in the link-dropdown list, and add a username and password:
Image

Recursive Protection
Link protection is recursive, which means the login for a specific link will inherit upon child pages. The example above will automatically protect the specified page galleries/ as well as any child pages like galleries/food/ and galleries/landscape/. If you are protecting child-pages of already-protected parent-pages, the child-page login will outrank the parent-page login.

You could also ignore username and only set the password, but generally this is not recommended:
Image

Users
Instead of adding a simple username and password, you can add "users" who can access the page:
Image

Users are added from the "users" tab ...
Image

Benefits of "Users"
The benefit of "users", is that you can assign a single login to a person, which may allow them access to multiple protected pages without re-entering login credentials. Also, it is sometimes easier to store username and password in a users section for persistent usage. If you have basic protection requirements, there is however nothing wrong with ignoring users, and just adding a username and password for a specific link.

You can have both "users" and "username + password", although I don't see any logical reason why you would want that:
Image

You can also group multiple links in the same entry, which could be beneficial in some cases:
Image

Just keep in mind, since protected links are recursive, the following would NOT be logical:
Image
In the above, you are basically protecting pages /galleries/food/ and /galleries/style/ which are already protected by the same login with /galleries/.

Global Protection
Use the special *Global link to protect your entire X3 website. Basically this is like protecting the / root page, and since link-protection is recursive, it will protect ALL pages and basically your entire website.
Image

In the event where you have multiple entries that may recursively affect the same links, the child-most link will count first.
Image
In the example above, when accessing link /galleries/food/, only "demouser1" will have access since it is the child-link branch. This allows you to for example create a protected-area of galleries available to many users, while child pages may only be available to some users.

Super Users
There is a special user type we call "super users", which are basically allowed access to ALL password-protected pages without even being assigned. A super-user should normally be reserved for gallery-owners who just want to remember a single login that works on all password-protected pages. Create a super-user by simply appending an asterisk* behind the username.
Image
* Since super-users are allowed access to ALL password-protected pages, they do not show up in the list of available users to assign from the links tab.
* The asterisk* character is part of the username, and needs to be included when logging in.


NOTES


Sessions
X3 login uses WWW-Authenticate, which basically creates "sessions" in the browser that remembers the current authentication. This helps so the visitor doesn't need to re-authenticate, and it also allows a "user" to access all pages they are assigned to without having to enter login details more than once. This is a good thing of course, but since there is no "logout" for these sessions, it can make testing difficult from your browser since you may be logged in to a session already ...

Testing ...
Therefore, if you are testing your protected pages, you may need to use "New Incognito Window" (Google Chrome), or "New Private Window" (Safari, Firefox) for each test. These special windows do not inherit your browser sessions, so you can test properly. Just remember to to open/close the window for each test, because even private windows have temporary sessions until they are closed.

Open_Basedir :(
I am not quite sure yet, but I am guessing there will be problems with passwords feature for those who are forced on servers with open_basedir restriction. Why? Because these open_basedir settings seem to prevent PHP from being able to write to PHP files, which is necessary when editing logins from the panel.

How secure is it?
Unless your FTP or panel is compromised, it is secure. Nobody can access an X3 page unless they know the login. One important thing to keep in mind though, is that Auth password-protection is part of the X3 application, and basically protects pages that belong to X3. It cannot protect any custom folders/pages/files on your server that do not belong to X3. This does in fact include images in your X3 content folder, although realistically speaking, they are already protected by X3 pages.

No encryption on stored passwords?
For practical reasons, we have decided to not store passwords encrypted. Why? First of all, because it provides no benefit in terms of security ... If someone manages to locate the passwords, it is because they broke into your server FTP or panel somehow, in which case they can easily set their own passwords anyway. Furthermore, the passwords stored are for viewing pages and don't provide any capabilities to change anything anyway. Finally, it makes sense to have the panel "protect" section available to look up on usernames and passwords ... It would be very tedious with a "reset password" system which provides no additional security.

Why are logins not set directly from pages in the panel page-manager?
For technical reasons, link logins are stored separately from pages, in a single file protect.php. There are many reasons for this, but the main reason is that an X3-page includes a create-and-cache process, which we want to avoid just for authenticating. Instead, logins are stored in a single file, and X3 acts as a "router", intercepting URL's with login before the page gets processed. Also, even if we did store logins with the page data, we would still need to store "users" in a separate location. In the future, it may be possible to edit logins for a page directly from the panel page manager.

A few more things ...
# Protected pages are for obvious reasons NOT preloaded, if you are using the X3 preload feature.
# You cannot have multiple identical link entries because the link is the key used to check associated users/username/password.
# You cannot have multiple identical usernames, because the username is the key that identifies the login attempt.
 
User avatar
mjau-mjau
X3 Wizard
Topic Author
Posts: 11337
Joined: 30 Sep 2006, 07:37

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 07:54

Fixed a minor bug where X3 preload site was not excluding recursive pages.

Just update the following file if you already upgraded to 0.11:
/app/page-data.inc.php
 
User avatar
mjau-mjau
X3 Wizard
Topic Author
Posts: 11337
Joined: 30 Sep 2006, 07:37

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 09:15

Also, it seems some of you were served an older X3 beta version from the download link. This is because it was cached on our Cloudflare CDN, as I forgot to flush the cache. If you did not see the new "protect" section in the panel and/or was not served latest v0.11 version, please try to download again!

I have fixed it now so that future releases will never get cached on the CDN and stale versions will not get served.
 
winph
Experienced
Posts: 236
Joined: 19 Jul 2008, 09:07

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 09:58

I notice that there is ? after the domain name.

e.g. www.domainname.com/?/journal/

whats the purpose of the "?" ? not that im complaining or against it. im just wondering.
 
User avatar
mjau-mjau
X3 Wizard
Topic Author
Posts: 11337
Joined: 30 Sep 2006, 07:37

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 10:20

winph wrote:I notice that there is ? after the domain name.
Sounds like your upgrade went wrong ... Did you miss the .htaccess file in root perhaps?
 
winph
Experienced
Posts: 236
Joined: 19 Jul 2008, 09:07

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 13:17

mjau-mjau wrote:
winph wrote:I notice that there is ? after the domain name.
Sounds like your upgrade went wrong ... Did you miss the .htaccess file in root perhaps?
oops :P my bad. forgot to rename the .htaccess file
 
User avatar
sprocket
Experienced
Posts: 98
Joined: 19 Dec 2008, 00:40

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 15:02

Updated files and receive the following on site entry
Code
Parse error: syntax error, unexpected '[' in /home/.../x3/app/auth.inc.php on line 16
 
User avatar
mjau-mjau
X3 Wizard
Topic Author
Posts: 11337
Joined: 30 Sep 2006, 07:37

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 17:49

sprocket wrote:
Code
Parse error: syntax error, unexpected '[' in /home/.../x3/app/auth.inc.php on line 16
Hmm sounds like PHP 5.3. Any chance I can get FTP to try and fix?
 
User avatar
sprocket
Experienced
Posts: 98
Joined: 19 Dec 2008, 00:40

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 17:51

You should have a PM from me on June 2 with all my vitals. Do you need me to resend?
 
User avatar
mjau-mjau
X3 Wizard
Topic Author
Posts: 11337
Joined: 30 Sep 2006, 07:37

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 18:02

sprocket wrote:You should have a PM from me on June 2 with all my vitals. Do you need me to resend?
Ok before anything else, please try to simply replace this file /panel/auth.inc.php
 
User avatar
sprocket
Experienced
Posts: 98
Joined: 19 Dec 2008, 00:40

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 18:06

Same error different file
Code
Parse error: syntax error, unexpected '[' in /home/.../x3/app/page-data.inc.php on line 96
 
User avatar
mjau-mjau
X3 Wizard
Topic Author
Posts: 11337
Joined: 30 Sep 2006, 07:37

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 18:40

sprocket wrote:Same error different file
Ok, well that probably means the fix worked at least. Please replace the following two files:
app/page-data.inc.php
app/stacey.inc.php

Thanks.
 
User avatar
sprocket
Experienced
Posts: 98
Joined: 19 Dec 2008, 00:40

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 19:25

mjau-mjau wrote: Ok, well that probably means the fix worked at least. Please replace the following two files:
app/page-data.inc.php
app/stacey.inc.php
Thanks.
The site started, but the menu shaded area now has the following warnings:
Code
Warning: Invalid argument supplied for foreach() in .../x3/app/stacey.inc.php on line 131
Warning: uksort() expects parameter 1 to be array, null given in .../x3/app/stacey.inc.php on line 144
Warning: Cannot modify header information - headers already sent by (output started at .../x3/app/stacey.inc.php:131) in .../x3/app/stacey.inc.php on line 66
Warning: Cannot modify header information - headers already sent by (output started at .../x3/app/stacey.inc.php:131) in .../x3/app/stacey.inc.php on line 89
Warning: Cannot modify header information - headers already sent by (output started at .../x3/app/stacey.inc.php:131) in .../x3/app/stacey.inc.php on line 71
And the menu titles have been pushed down the page onto the opening slideshow. It would probably be fine if these warnings were gone.
 
User avatar
gaitt
Experienced
Posts: 46
Joined: 21 Nov 2010, 17:48

Re: X3 Beta V0.11 [Password protected pages]

09 Jun 2015, 21:01

It works fine for me!! :)

But still not really cover my needs. I'm wondering if it's easy to integrate an IP filtering or something like that.
Basically, I'm protecting the GLOBAL site and I would like to protect it only if the a user IP is not in a white-list of IP (don't really know if this kind of protection method is secure :?: ).

In my X2 setup, I've made this to work with a custom .htaccess:
Code
AuthUserFile /path/to/the/.htpasswd
AuthName "Private area"
AuthType Basic
Require valid-user
order deny,allow

allow from XX.XXX.XX.XX
allow from YY.YYY.YY.YYY

deny from all
Satisfy any
I have try to mix this code with the X3 .htaccess, but can't get it to work.
Any idea?
 
localhost
Experienced
Posts: 156
Joined: 20 Sep 2011, 11:09

Re: X3 Beta V0.11 [Password protected pages]

10 Jun 2015, 11:16

Wonderful Karl... I'm loving it even more.

Just installed the latest 0.11 and so far everything is working great no issues at all.

If there's one thing I would like to ask.... Do you have plan to incorporate the login system on the page itself and not on a new window?

Sample attached:

Current -
1.PNG
1.PNG (6.76 KiB) Viewed 9286 times
Possible Replacement -
2.PNG
2.PNG (112.48 KiB) Viewed 9286 times
I know you are taking feature one at a time. I just thought it looks more professional to look at.