
Blocking access outside of preset menu options

I set up several menu options that use links to specific filtered views (my Filterdiscussion plugin). But users still can override the url manually and enter urls like forum/discussions to access unfiltered views.

  1. How do I prevent access to such urls even though the menu options I set look like: forum/discussions/Filterbyprefix/&filter=Support
  2. How do I remove the existing Discussions and Categories menu options

Thanks in advance for your help.


Best Answers

  • hgtonight MVP
    Answer ✓

    @rbrahmson said:

    @hgtonight said:
    You can change the discussion filter menu by overriding the view. You could also use CSS to hide the menu items.

    And I read the above to mean that there is no way to add the extra "filter" parameter to the Discussions and Categories URLs and therefore I need to override the views. Any sample plugin or hooks or direction on how to do that?

    Can I also deduce that while I can use a plugin to add menu options to the menu bar, I cannot remove the default menu options? If I can, can you offer some hints?

    You can easily add discussion filters because the view provides an event to spit out your code. If you want to remove core content, you either prevent the appropriate code from running (via event arguments), override the view, or hide the elements via CSS.

    There are no event arguments that will skip those menu items, so that is a no go.

    You can override the view by copying /applications/vanilla/views/modules/discussionfilter.php to your custom theme and modifying it.

    CSS is the easiest way:

    #Panel .FilterMenu .AllCategories,
    #Panel .FilterMenu .Discussions {
      display: none;
    }
    

    You will still need to prevent the viewing of those pages (categories and discussions) via a plugin hook.

    public function categoriesController_render_before($sender) {
      // Deny the category list outright: requiring a permission that no role
      // holds sends everyone (except a super admin) to the permission page.
      // Check for edge cases in the future.
      $sender->permission('This.Does.Not.Exist');
    }
    
    public function discussionsController_render_before($sender) {
      // Placeholder: replace with a real check that this request is one of the
      // filtered discussion views (for example, that the filter argument is present),
      // otherwise the plain /discussions list is denied below.
      $discussionFilterView = true;
      if (!$discussionFilterView) {
        $sender->permission('This.Does.Not.Exist');
      }
    }
    

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

Answers

  • Obfuscation is no security.

    To prevent viewing things within Garden, you need to perform a permission check. Every controller has the permission method. Also, there is a checkPermission that can be useful for in page modification of output. Compare the following examples:

    public function profileController_render_before($sender) {
      // permission() stops the request here for anyone lacking the permission
      $sender->permission('This.Is.Permission');
      echo 'This will only be shown to a user with This.Is.Permission permission. Everyone else gets the default permission required page.';
    }
    

    If the user does not have the permission, they are automatically redirected to the default permission page.

    public function profileController_render_before($sender) {
      // checkPermission() only returns a boolean, so the page still renders for everyone
      if (checkPermission('This.Is.Permission')) {
        echo 'You are a super administrator. With great power comes great responsibility.';
      }
      else {
        echo 'You are a scrub.';
      }
    }
    

    The user sees different content even though the entirety of the page is rendered.

    One final note about permissions is that a super admin will always pass all permission and restriction checks, regardless of their role.

    As far as removing the Discussions and Categories options, where are you looking to remove them?

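    To pull the two answers above together (the render_before hook with a placeholder check, and the permission() versus checkPermission() distinction), here is an added example of a small Vanilla 2.x plugin that enforces the filtered view on the server instead of relying on hidden menu items. It is not code from this thread or from the FilterDiscussion plugin. It assumes the hook names and $sender->permission() as used in the thread; the config key FilterDiscussion.Keywords, the query parameter name filter and the allowlist idea are hypothetical, and the real plugin's URL layout may differ.

```php
<?php
// Added example, not the thread's or the FilterDiscussion plugin's own code.
// Assumed: Vanilla 2.x plugin conventions ($PluginInfo, Gdn_Plugin, the
// *_render_before hooks and $sender->permission() from the answers above).
// Hypothetical: the config key and the "filter" query parameter name.

$PluginInfo['EnforceDiscussionFilter'] = array(
    'Name'        => 'EnforceDiscussionFilter',
    'Description' => 'Denies the unfiltered discussion and category lists and validates the filter keyword.',
    'Version'     => '0.1',
    'RequiredApplications' => array('Vanilla' => '2.1'),
);

class EnforceDiscussionFilterPlugin extends Gdn_Plugin {

    /**
     * Return the canonical filter keyword for this request, or null when the
     * request must be denied. The keyword must be present and must match one
     * of the administrator-configured keywords (an allowlist), so a hand-edited
     * URL cannot drop the filter or substitute an arbitrary value.
     */
    public function allowedFilter($requested, array $allowlist) {
        if (!is_string($requested) || $requested === '') {
            return null;
        }
        foreach ($allowlist as $keyword) {
            // Case-insensitive match, but hand back the configured spelling.
            if (strcasecmp($keyword, $requested) === 0) {
                return $keyword;
            }
        }
        return null;
    }

    /** Deny /discussions unless a valid filter keyword is in the request. */
    public function discussionsController_render_before($sender) {
        // Hypothetical config key holding the allowed keywords, e.g. array('Support', 'Noted').
        $allowlist = (array) c('FilterDiscussion.Keywords', array());
        // Hypothetical parameter name; read via the controller's request object.
        $requested = $sender->Request->get('filter', '');

        if ($this->allowedFilter($requested, $allowlist) === null) {
            // permission() (not checkPermission()) ends the request: asking for a
            // permission nobody holds sends the user to the "permission required"
            // page. A super admin still passes, as noted in the answer above.
            $sender->permission('This.Does.Not.Exist');
        }
    }

    /** The unfiltered category list is denied outright. */
    public function categoriesController_render_before($sender) {
        $sender->permission('This.Does.Not.Exist');
    }
}
```

The CSS from the best answer still belongs in the theme to hide the menu entries, but with this plugin enabled a user who types forum/discussions or forum/categories by hand is stopped by permission() before the page renders, which is the part hiding alone cannot provide.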

  • rbrahmson ✭✭✭

    Thanks @hgtonight, perhaps I was not clear. I fully concur that obfuscation is no security.

    1. The plugin (FilterDiscussion) filters discussions based on url parameter keywords (the keyword parameters are defined in the configuration setup and they tell the plugin how to perform the filtering. The plugin does use the permission model). But the url parameter can be removed, bypassing the filtering. A typical filter url looks like forum/discussions/Filterdiscussion&!filter=Noted
    2. The main forum site (home) has the two menu options (Discussions and Categories). I know how to ADD menu options, but how do I remove menu options from the menu bar?
    3. I also realize that the breadcrumbs also contain links to the unfiltered discussion list

    Perhaps I need another hook for this plugin that ensures it is called even without the url parameters specified and then have a user or role based default filter? Not sure this is the right way though.

  • If you are allowing free form filters, you need to do some sanity checking and sanitize the input. Part of that is using sensible defaults.

    You can change the discussion filter menu by overriding the view. You could also use CSS to hide the menu items.


  • rbrahmson ✭✭✭

    @hgtonight said:
    If you are allowing free form filters, you need to do some sanity checking and sanitize the input. Part of that is using sensible defaults.


    So I read the above as saying that I should use defaults when parameters are missing. I thought so.

    You can change the discussion filter menu by overriding the view. You could also use CSS to hide the menu items.

    And I read the above to mean that there is no way to add the extra "filter" parameter to the Discussions and Categories URLs and therefore I need to override the views. Any sample plugin or hooks or direction on how to do that?

    Can I also deduce that while I can use a plugin to add menu options to the menu bar, I cannot remove the default menu options? If I can, can you offer some hints?
