Blocking access outside of preset menu options
I set up several menu options that use links to specific filtered views (my Filterdiscussion plugin). But users can still override the URL manually and enter URLs like forum/discussions to access unfiltered views.
- How do I prevent access to such URLs even though the menu options I set look like: forum/discussions/Filterbyprefix/&filter=Support
- How do I remove the existing Discussions and Categories menu options?
Thanks in advance for your help.
Best Answers
hgtonight MVP
> @rbrahmson said:
> > @hgtonight said:
> > You can change the discussion filter menu by overriding the view. You could also use CSS to hide the menu items.
> And I read the above to mean that there is no way to add the extra "filter" parameter to the Discussions and Categories URLs and therefore I need to override the views. Any sample plugin or hooks or direction on how to do that?
> Can I also deduce that while I can use a plugin to add menu options to the menu bar, I cannot remove the default menu options? If I can, can you offer some hints?
You can easily add discussion filters because the view provides an event to spit out your code. If you want to remove core content, you either prevent the appropriate code from running (via event arguments), override the view, or hide the elements via CSS.
There are no event arguments that will skip those menu items, so that is a no go.
You can override the view by copying
/applications/vanilla/views/modules/discussionfilter.php
to your custom theme and modifying it.

CSS is the easiest way:

    #Panel .FilterMenu .AllCategories,
    #Panel .FilterMenu .Discussions { display: none; }

You will still need to prevent the viewing of those pages (categories and discussions) via a plugin hook.

    // Fires before the /categories page renders. Checking a permission nobody
    // has means the check always fails (except for a super admin), so the user
    // is redirected to the default permission page.
    public function categoriesController_render_before($sender) {
        // check for edge cases in the future
        $sender->permission('This.Does.Not.Exist');
    }

    // Fires before every /discussions page renders, including the filtered
    // view, so the hook must first work out whether this is the filter view
    // (placeholder below) and only block the unfiltered one.
    public function discussionsController_render_before($sender) {
        // check for discussion filter view properly
        $discussionFilterView = true;
        if (!$discussionFilterView) {
            $sender->permission('This.Does.Not.Exist');
        }
    }
Answers
Obfuscation is no security.
To prevent viewing things within Garden, you need to perform a permission check. Every controller has the permission method. Also, there is a checkPermission that can be useful for in-page modification of output. Compare the following examples:
If the user does not have the permission, they are automatically redirected to the default permission page.
The user sees different content even though the entirety of the page is rendered.
One final note about permissions is that a super admin will always pass all permission and restriction checks, regardless of their role.
As far as removing the Discussions and Categories options, where are you looking to remove them?
Thanks @hgtonight, perhaps I was not clear. I fully concur that obfuscation is no security.
Perhaps I need another hook for this plugin that ensures it is called even without the url parameters specified and then have a user or role based default filter? Not sure this is the right way though.
If you are allowing free form filters, you need to do some sanity checking and sanitize the input. Part of that is using sensible defaults.
You can change the discussion filter menu by overriding the view. You could also use CSS to hide the menu items.
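The following is an added example, not code from the thread or from the Filterdiscussion plugin. It puts the three points made above into one Vanilla 2.x plugin class: hgtonight's render_before hooks with a real permission check on the unfiltered /discussions and /categories pages, the checkPermission() variant for an in-page decision that does not redirect, and the "sensible defaults" advice applied to the free-form filter parameter by resolving it against an allowlist. The class name, the filter names, the permission Garden.Moderation.Manage and the AfterDiscussionFilters event are assumptions made for the example; check them against your Vanilla version.

```php
<?php
// Added example (not the plugin's or the thread's code). Assumptions: the
// class/filter names, the permission Garden.Moderation.Manage, and that the
// discussion filter module fires an AfterDiscussionFilters event.
class FilterDiscussionPlugin extends Gdn_Plugin {

    // Assumed filter names; only these may be requested through the URL.
    private static $allowedFilters = ['Support', 'Sales', 'General'];
    private static $defaultFilter = 'Support';

    // Who may see the unfiltered lists (assumed permission name). A super
    // admin passes every permission check regardless of role.
    const UNFILTERED_PERMISSION = 'Garden.Moderation.Manage';

    /**
     * Sanitize the requested filter: a missing, empty or unknown value falls
     * back to the default instead of being trusted or echoed back.
     */
    public static function resolveFilter($requested) {
        $requested = is_string($requested) ? trim($requested) : '';
        return in_array($requested, self::$allowedFilters, true)
            ? $requested
            : self::$defaultFilter;
    }

    /**
     * Runs before every DiscussionsController page renders. The filtered view
     * is the plugin's own controller method (/discussions/filterbyprefix), so
     * any other method, plain /discussions included, is the unfiltered list.
     * permission() redirects to the default permission page when it fails.
     */
    public function discussionsController_render_before($sender) {
        if (strtolower($sender->RequestMethod) === 'filterbyprefix') {
            return; // the filtered view stays open to everyone
        }
        $sender->permission(self::UNFILTERED_PERMISSION);
    }

    /** Same rule for /categories: the unfiltered category list is restricted. */
    public function categoriesController_render_before($sender) {
        $sender->permission(self::UNFILTERED_PERMISSION);
    }

    /**
     * Replacement menu entries, emitted from the discussion filter module (the
     * core Discussions/All Categories items are hidden with the CSS from the
     * accepted answer). Only allowlisted values reach the HTML; the raw
     * parameter is used solely to mark the active item. checkPermission()
     * does not redirect: the page renders for everyone and only privileged
     * users see the link to the unfiltered list.
     */
    public function base_afterDiscussionFilters_handler($sender) {
        $active = self::resolveFilter(Gdn::request()->get('filter'));
        foreach (self::$allowedFilters as $filter) {
            $url = '/discussions/filterbyprefix?filter=' . rawurlencode($filter);
            $css = $filter === $active ? 'Active' : '';
            echo '<li class="' . $css . '">'
               . anchor(htmlspecialchars($filter), $url)
               . '</li>';
        }
        if (Gdn::session()->checkPermission(self::UNFILTERED_PERMISSION)) {
            echo '<li>' . anchor(t('All Discussions'), '/discussions') . '</li>';
        }
    }
}
```

The existing filterbyprefix method of the plugin would call resolveFilter() in the same way before building its query, so a hand-edited URL can only ever select one of the known filters. Hiding the menu items with CSS remains purely cosmetic; the two render_before hooks are what actually stops the unfiltered pages from being viewed.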
So I read the above as saying that I should use defaults when parameters are missing. I thought so.
And I read the above to mean that there is no way to add the extra "filter" parameter to the Discussions and Categories URLs and therefore I need to override the views. Any sample plugin or hooks or direction on how to do that?
Can I also deduce that while I can use a plugin to add menu options to the menu bar, I cannot remove the default menu options? If I can, can you offer some hints?
Thanks for these great pointers!