How? Disable access to 'My Collections' page to Guests


resourcer

Jul 18, 2011, 6:03:30 PM
to resour...@googlegroups.com
Hello.

What is a good way to prevent access to the 'My Collections' page to user groups e.g. Guests?

Thanks.

Tom Gleason

Jul 20, 2011, 2:40:28 PM
to resour...@googlegroups.com
Give the group permission "b" to remove collections functionality.


--
You received this message because you are subscribed to the Google Groups "ResourceSpace" group.
To view this discussion on the web visit https://groups.google.com/d/msg/resourcespace/-/FKwVE4tePLwJ.
To post to this group, send email to resour...@googlegroups.com.
To unsubscribe from this group, send email to resourcespac...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/resourcespace?hl=en.



--
Tom Gleason, PHP Developer

ResourceSpace Support Services
https://www.buildadam.com

resourcer

Jul 20, 2011, 2:59:16 PM
to resour...@googlegroups.com
Thanks for your reply, Tom.

I already have the 'b' permission set and 'My Collections' does not show in the footer.

Additional problems are:

1) the link '> Select Collection' when entering via Public Collections opens that My Collections page that was suppressed in the footer frame to open as a full page! 

2) from there, Anonymous users have access to create a new collection;

3) they have access to the My Collections page that allows not only the newly-created collection to be edited, but the My Collection for that entire user group! 

4) In addition, the 'Request all' link is available to send requests even though the 'q' permission says that is not allowed ('Can make resource requests' checkbox is unchecked).

I want the Anonymous users to see the list of Public Collections and view their contents and not have the ability to make changes to anything.


Thanks.

resourcer

Jul 20, 2011, 11:27:29 PM
to resour...@googlegroups.com
Hello again.

Adding one more item:

Anonymous users can also DELETE the Collection they just created or one created by another Anonymous user.

That's not good.

(see Bug report# 0000127)

resourcer

Jul 21, 2011, 1:40:47 PM
to resour...@googlegroups.com
Hello again.

[to fix a possible BUG - plugs a back door access hole]

Here is my preliminary solution that closes the backdoor for Anonymous users to gain access to collections functionality, since the permissions in System Setup => Group Management have not been able to do it completely:

1) Create a custom permission e.g. AU (anonymous user or Guest)
2) Add if (checkperm("AU")) {exit ("Permission denied.");} to the following files:
  • collection_manage.php
  • collection_request.php
  • collections.php
3) To prevent the viewing of the 'Select Collection' URL ( Public Collection -> [click a collection] -> > Select Collection )
  • a) Create a plugin for the Collections hook: 'prechangecollection'
  • b) Add if (checkperm("AU")) {exit ("Permission denied.");}

NOTE: So far, I don't think checkperm() is needed for collection_log.php or collection_feedback.php.

Also, I hope a future upgrade will consider this as these restrictions may be wanted for additional usergroups and doing it manually like this is not efficient.


Hope this helps someone besides me.  :)



Tom Gleason

Jul 21, 2011, 1:41:59 PM
to resour...@googlegroups.com
Do you have collections_compact_style on?



Thanks.


resourcer

Jul 21, 2011, 1:44:06 PM
to resour...@googlegroups.com
Hi Tom.

$collections_compact_style=false;

Tom Gleason

Jul 21, 2011, 1:53:23 PM
to resour...@googlegroups.com
Are you on a current version?

There is no "select collection" in my public collections page.

But, there is one if using the compact selector. I've never used the compact selector with the "b" permission before, so thanks for pointing that out.



On Thu, Jul 21, 2011 at 1:44 PM, resourcer <stay...@hotmail.com> wrote:
Hi Tom.

$collections_compact_style=false;


resourcer

Jul 21, 2011, 1:56:56 PM
to resour...@googlegroups.com
Hi Tom.

Tom Gleason

Jul 21, 2011, 2:08:57 PM
to resour...@googlegroups.com
I see, it has to do with the search titles. That shouldn't be there.
I committed this fix:
http://svn.montala.net/websvn/revision.php?repname=ResourceSpace&path=%2F&rev=2847&peg=2847

And I'll fix the compact style selector soon.

On Thu, Jul 21, 2011 at 1:56 PM, resourcer <stay...@hotmail.com> wrote:
Hi Tom.


Public Collection -> [click a collection] -> > Select Collection


resourcer

Jul 21, 2011, 2:20:05 PM
to resour...@googlegroups.com
Hi Tom.

It's good to see that I wasn't seeing things... :)

Q: What will that fix exactly?

Q: Will it also prevent direct access via URLs to:
  • collection_manage.php
  • collection_request.php
  • collections.php

Currently, Anonymous users (Guests) can reach these pages via their URL if they know they exist.  That is why I added the 'checkperm()' condition to each of these files.

I also want to add more user groups when applicable, to restrict direct access to these files, yet providing access to Public Collection (but would like to have option to ban people from it, too).

Thanks.
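
Added example (not part of the thread and not ResourceSpace code): a small Python audit that checks whether each of the three pages named above carries a checkperm() deny guard placed after the authenticate.php include, so that hiding a link is not the only control. The sample page sources and the include path are constructed, and treating a guard above the include as ineffective is an assumption of this example.

```python
import re

# The three pages the thread reports as reachable by direct URL.
PAGES = ("collection_manage.php", "collection_request.php", "collections.php")

AUTH_INCLUDE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*["'][^"']*authenticate\.php["']""")
# Matches if (checkperm("X")) {exit ...} and the negated !checkperm("X") form.
GUARD = re.compile(
    r"""\bif\s*\(\s*!?\s*checkperm\s*\(\s*["'](\w+)["']\s*\)\s*\)\s*\{?\s*(?:exit|die)\b""")

def strip_comments(src):
    """Drop block and whole-line comments so a commented-out guard is not counted."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(?://|#).*$", "", src)

def audit_page(src):
    """Classify one PHP page source; returns (status, permission or None)."""
    code = strip_comments(src)
    auth = AUTH_INCLUDE.search(code)
    if auth is None:
        return ("no-authenticate-include", None)
    guards = list(GUARD.finditer(code))
    if not guards:
        return ("no-guard", None)
    # Assumption: the user's permissions are only known once authenticate.php
    # has run, so a guard placed above the include cannot be relied on.
    after = [g for g in guards if g.start() > auth.end()]
    if not after:
        return ("guard-before-authenticate", guards[0].group(1))
    return ("guarded", after[0].group(1))

def audit(sources):
    """Audit every page in PAGES; a page missing from sources has no include."""
    return {name: audit_page(sources.get(name, "")) for name in PAGES}

# Constructed sample sources; the guard line is the one quoted in the thread.
GUARD_LINE = 'if (checkperm("AU")) {exit ("Permission denied.");}\n'
AUTH_LINE = 'include "../include/authenticate.php";\n'  # constructed path
SAMPLES = {
    "collection_manage.php": "<?php\n" + AUTH_LINE + GUARD_LINE,
    "collection_request.php": "<?php\n" + AUTH_LINE + "// " + GUARD_LINE,
    "collections.php": "<?php\n" + GUARD_LINE + AUTH_LINE,
}

if __name__ == "__main__":
    for page, result in audit(SAMPLES).items():
        print(page, result)
```
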

Tom Gleason

Jul 21, 2011, 2:22:21 PM
to resour...@googlegroups.com
I'll consider this...it's a good point, but the solution is probably simply to put a check for !checkperm("b") at the top of those pages.


resourcer

Jul 21, 2011, 2:24:32 PM
to resour...@googlegroups.com
Thanks so much for your assistance!

Also, see Bug report# 0000127

Tom Gleason

Jul 21, 2011, 2:44:02 PM
to resour...@googlegroups.com
http://svn.montala.net/websvn/revision.php?repname=ResourceSpace&path=%2F&rev=2848&peg=2848

On Thu, Jul 21, 2011 at 2:24 PM, resourcer <stay...@hotmail.com> wrote:
Thanks so much for your assistance!

Also, see Bug report# 0000127


resourcer

Jul 21, 2011, 2:46:13 PM
to resour...@googlegroups.com
Thanks, Tom.

Possibly consider placing a hook at the beginning of those 3 pages but below the 'authenticate.php' include file line.  That way, it gives us the flexibility to decide by group or user who has access to each page on its own merit.

Thanks again.