issue with URL protection

10 years 6 months ago #100281 by dhge
URL-based protection only seems to work if an "&Itemid=#" is appended to the URL that is being accessed from the browser.

I have tried this with a few different components, and I am able to bypass, logged in or not, any restrictions placed on their functions by copying the location's link, pasting it into the address bar, and removing its Itemid. This is just like the security problem that always existed in Joomla's core when setting a menu item to registered and still being able to access the component by changing the URL the same way.

I thought enabling SEF URLs might be a workaround, but non-SEF URLs are still functional in Joomla 1.5 even when SEF mode is enabled.


Component-based restrictions seem to be working fine, however.
10 years 6 months ago #100317 by nant
Try adding both URL with item and without to URL list.
10 years 6 months ago #100318 by dhge
Hi, thanks for the response. For Mosets Tree, I tried adding every combination (at the same time) of the URL that I'm trying to restrict, so the URL box now looks like this:

option=com_mtree&task=viewlink
option=com_mtree&task=viewlink&Itemid=15
option=com_mtree&task=viewlink&link_id=3
option=com_mtree&task=viewlink&link_id=3&Itemid=15

(I don't actually want to restrict "task=viewlink" on its own, this is just for demonstration)


But I can still access the item by navigating to

http://mysite/index.php?option=com_mtree&task=viewlink&link_id=3

Whenever the links are created by the component, they are appended with the Itemid, so the security works on all of the links on my page. I'm just worried about savvy users recognizing the link, taking out its Itemid, and getting free access. Blocking access to Mosets Tree as a component works for keeping the public out of all of these links (even if they try to modify the URL), but if someone is a member of, let's say, a 'silver' plan that can access Mosets Tree but not all of its listings, they would be able to view 'gold' listings by removing the Itemid.

I guess for the most part it works, but I'd still always be worried about someone figuring this out.

Perhaps there is a way to code security into the component itself to reject any URL that doesn't contain an Itemid?
10 years 6 months ago #100384 by krileon
Please be aware that if you're a moderator no subscription will restrict your access. This is likely the case. Logout before attempting to view the restricted link. Also check to ensure the bot is published and up to date.

Build your links from the base up. If you want to limit say link 3 then just put: option=com_mtree&task=viewlink&link_id=3. As you've already done. Do not include itemid as it will only restrict what link you've given.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Templates - CBSubs - Hosting - Forge - Incubator - GroupJive
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM EST to 4:00 PM EST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
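To make the "build your links from the base up" advice concrete, here is an added illustration of how a URL-protection rule behaves when it is matched as a set of query parameters rather than as a literal string. This is example code written for this thread, not CBSubs or Joomla code, and the function names (parseQuery, ruleMatches, isRestricted) and the sample URLs are assumptions; the rule and URLs are constructed from the ones quoted in the thread.

```php
<?php
// Added illustration (not CBSubs code): match a request's query string
// against a URL-protection rule by parameter subset, not by literal string.

/**
 * Parse a query string ("a=1&b=2") into an associative array.
 * Joomla 1.5 non-SEF URLs are plain key=value pairs, so parse_str is enough.
 */
function parseQuery($query)
{
    $params = array();
    parse_str(ltrim($query, '?'), $params);
    return $params;
}

/**
 * A rule matches when every parameter it names is present in the request
 * with the same value. Extra request parameters (for example Itemid) are
 * ignored, so a rule built "from the base up" also covers the Itemid-less
 * URL and any reordering of the parameters.
 */
function ruleMatches($rule, $requestQuery)
{
    $want = parseQuery($rule);
    $have = parseQuery($requestQuery);
    foreach ($want as $key => $value) {
        if (!array_key_exists($key, $have) || (string) $have[$key] !== (string) $value) {
            return false;
        }
    }
    return true;
}

/** True if any rule in the plan's URL list matches the request. */
function isRestricted(array $rules, $requestQuery)
{
    foreach ($rules as $rule) {
        if (ruleMatches($rule, $requestQuery)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: the base rule from the thread and the URL variants a user might type.
$rules = array('option=com_mtree&task=viewlink&link_id=3');
$requests = array(
    'option=com_mtree&task=viewlink&link_id=3&Itemid=15', // link as the component emits it
    'option=com_mtree&task=viewlink&link_id=3',           // Itemid stripped by the user
    'Itemid=15&link_id=3&task=viewlink&option=com_mtree', // parameters reordered
    'option=com_mtree&task=viewlink&link_id=4',           // a different listing: not covered
);
foreach ($requests as $q) {
    printf("%-55s %s\n", $q, isRestricted($rules, $q) ? 'restricted' : 'allowed');
}

// By contrast, a rule that itself contains Itemid=15 would match only the
// first request, which is why including the Itemid narrows the protection.
```

The first three requests are reported as restricted and the fourth as allowed. The caveat a practitioner should keep in mind is that any URL-based check is only as good as its canonicalisation: the same listing is reachable through several URL spellings, so the robust place to enforce plan membership is inside the component, keyed on the resource identifier (here link_id) rather than on the shape of the URL.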
10 years 6 months ago #100407 by dhge
Thanks for the suggestions krileon, but I'm definitely not logged in (able to reproduce this from a browser with no cache or cookies) and the bot is definitely published. I've tried adding the url to my plan with the itemid, without the itemid, and both with and without it.

Could someone try to reproduce this issue on their own site? Restrict any function of any component and then navigate to it without an Itemid in the URL. For example, restrict option=com_mtree&task=viewlink under any plan and then navigate to http://yoursite/index.php?option=com_mtree&task=viewlink while not logged in. On my site, I am able to view that link even though it is restricted.

Otherwise it's difficult to say whether this is a problem with my setup or a bug.
10 years 6 months ago #100437 by 3cellhosting
Hi dhge,

I too am having a problem with a component and URL protection. Phil Taylor's Knowledgebase is set to allow some articles to be public and others for registered users.

With CB Subs we have bronze, silver and gold users, all designated as registered. In order to prevent bronze users having access to the full knowledgebase I added the following partial url to the silver and gold plans...

option=com_kb&task=article&article=326

In fact the list comprises over 300 links!

Bronze users still can access all of the Knowledgebase.

If you find a solution please let me know.

Regards

David

www.3cellhosting.com - where personality, creativity and integrity come as standard.