[SOLVED] CB Subs - Direct URL access to protected member area

1 year 3 months ago - 1 year 3 months ago #332339 by edjec
A non-profit client recently had an issue where a non-member accessed the VirtueMart area and purchased an item for sale only to members.  Access is blocked from this area by CB Subs plans and subscriptions.  Or so we thought.  After searching server access logs, I discovered this person came to the item innocently enough through a google published back door – the direct URL to the VM item, which then gave access to the cart and check-out.

Shouldn’t CB Subs prevent direct URL access to listed components?  Menu access to the VM area is restricted to registered, but as we’ve discovered, anyone can access this area.  We’ve been running CB Subs on this site for the last twelve years, and I don’t recall this ever being an issue.   What might I be missing or is this typical?

Thanks,
Ed

J 3.10.11, Latest CB/CB Subs


1 year 3 months ago #332350 by krileon
How are you protecting access specifically? CBSubs By URL Part protection? Menu item? ACL (usergroup or view access level)?

Menu item protection only protects access to that specific menu item. Meaning Joomla has to tell us that menu item is being accessed. Don't use that for critical systems as Itemid isn't mandatory in URLs.

By URL Part protection only protects the specific URL parts that you provide. The direct URL to a VM item may not be matching the URLs you've configured and you'll need to add them.

The best protection is ACL. So for example set the access to your item to require a specific usergroup or view access level. Then use CBSubs usergroup parameter to give them the usergroup they need to access that item.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.


1 year 3 months ago - 1 year 3 months ago #332368 by edjec
Apparently, I was using only menu protection.  I was not able to find a way to apply ACL to VM’s individual items or categories for front-end access restriction but was successful in blocking direct URL access from within each CB Subs Plan’s component and module integration.  Tests now redirect any direct URL attempts to the registration page. 

Is this a solid fix or might there be other issues caused by this remedy?

Thanks for the poke in the right direction, Kyle!

Ed


1 year 3 months ago #332387 by krileon
That should fix your issue then, as By URL Part protection will completely take control over that URL and prevent access if it matches one of the URL Part rules supplied. The only issue I could see is if there's more than one completely different URL for accessing that page, in which case you'd need to supply By URL Part rules for both URLs.

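The three protection styles Kyle describes in this thread (menu item, By URL Part, ACL) and the two gaps he points out (a direct URL without an Itemid, and a second URL form that no URL Part rule covers) can be modelled in a few lines. The block below is an added example and is not Joomla, VirtueMart or CB Subs code; the menu item, product id, SEF alias, rule list, user groups and the substring-style URL Part matching are all constructed assumptions for illustration.

```python
# Added illustrative model (not Joomla, VirtueMart or CB Subs code) of the
# three protection styles discussed in the thread: menu-item (Itemid) based,
# By URL Part based, and ACL (access level on the resource itself).
# All menu items, product ids, routes, rules and users below are constructed.
from urllib.parse import urlsplit, parse_qs

# Constructed: the internal (non-SEF) link of a members-only VirtueMart product.
PRODUCT_LINK = "index.php?option=com_virtuemart&view=productdetails&virtuemart_product_id=12"

# Constructed: menu item 105 points at that product and is restricted to "registered".
MENU_ITEMS = {"105": {"link": PRODUCT_LINK, "access": "registered"}}

# Constructed: the ACL approach puts the access level on the product itself.
PRODUCT_ACCESS = {"12": "registered"}

# Constructed: a single By URL Part rule, as a site owner might have configured.
URL_PART_RULES = ["option=com_virtuemart"]

# Constructed: an SEF alias the router maps to the same product.
SEF_ROUTES = {"/shop/members-only-item": PRODUCT_LINK}

# Three ways the same page can be requested.
MENU_URL = PRODUCT_LINK + "&Itemid=105"      # via the restricted menu item
DIRECT_URL = PRODUCT_LINK                     # the "Google back door": no Itemid
SEF_URL = "/shop/members-only-item"           # a second, different-looking URL

GUEST = {"groups": {"public"}}
MEMBER = {"groups": {"public", "registered"}}


def parse_request(url):
    """Split a request into (path, flat query dict)."""
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def resolve(url):
    """Mimic the router: expand an SEF path to its internal query, keeping any
    Itemid the request itself carried. If none was sent, none appears."""
    path, query = parse_request(url)
    if path in SEF_ROUTES:
        _, inner = parse_request(SEF_ROUTES[path])
        inner.update(query)
        query = inner
    return path, query


def allowed_by_menu_item(user, url):
    """Menu item protection: only the named menu item's access is checked."""
    _, query = resolve(url)
    item = MENU_ITEMS.get(query.get("Itemid"))
    if item is None:
        return True  # no Itemid, no menu item, nothing enforced: the bypass
    return item["access"] in user["groups"]


def allowed_by_url_part(user, url, rules=URL_PART_RULES):
    """By URL Part protection (modelled here as substring matches on the
    request as received): enforced only when a configured part is present."""
    if any(rule in url for rule in rules):
        return "registered" in user["groups"]
    return True  # an unlisted URL form for the same page is not covered


def allowed_by_acl(user, url):
    """ACL: the product's access level applies however the page was reached."""
    _, query = resolve(url)
    needed = PRODUCT_ACCESS.get(query.get("virtuemart_product_id"))
    if needed is None:
        return True
    return needed in user["groups"]


def evaluate(user, url):
    """Run all three checks for one request; True means the request gets through."""
    return {
        "menu_item": allowed_by_menu_item(user, url),
        "url_part": allowed_by_url_part(user, url),
        "acl": allowed_by_acl(user, url),
    }


if __name__ == "__main__":
    for name, url in [("menu", MENU_URL), ("direct", DIRECT_URL), ("sef", SEF_URL)]:
        print(f"guest via {name:6s} -> {evaluate(GUEST, url)}")
    # Adding a rule for the second URL form closes the By URL Part gap.
    print("guest via sef with extra rule ->",
          allowed_by_url_part(GUEST, SEF_URL, URL_PART_RULES + ["/shop/members-only-item"]))
```

Running it shows the pattern from the thread: a guest is stopped on the menu URL by all three checks, slips past the menu-item check on the direct URL because no Itemid is present, and slips past the URL Part check on the SEF alias until a second rule is added for that form. Only the ACL check, which ties the restriction to the product rather than to how it was reached, denies the guest in every case.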


1 year 3 months ago #332403 by edjec
This is a pretty standard VM application, so I don't think there are any extraneous URLs to worry about.

Thanks again!

Ed
