WebsiteBaker Community Forum

WebsiteBaker Support (2.8.x) => Droplets & Snippets => Topic started by: SnapDaddy on April 07, 2014, 09:37:11 PM

Title: How to check if user is authenticated to access script
Post by: SnapDaddy on April 07, 2014, 09:37:11 PM
Greetings All,

I have a custom php script that will download a file outside of web root to prevent direct URL access to that file.

My Question: What code should I add to my download script to only allow access to users in a particular user group or groups?

Thanks!  :-D
Title: Re: How to check if user is authenticated to access script
Post by: Ruud on April 07, 2014, 11:12:04 PM
You can try checking the $_SESSION['groups'] data that should have a list of the assigned groups for the current user.

Another option is to use the Gallery module (http://addon.WebsiteBaker.org/pages/en/browse-add-ons.php?id=0291C731) and put it in a page available to one or more groups.
Title: Re: How to check if user is authenticated to access script
Post by: SnapDaddy on April 07, 2014, 11:33:28 PM
Thanks Ruud,

I'm using Download Gallery 2 now. Even though I have the page to the DLG set to registered, you can still access the files directly via URL because they need to be within the media folder. I don't want to use .htaccess for obvious reasons. I want to use WB's registered users / groups.
 
Will the Gallery module you suggested allow non-direct access to the files?

Essentially, I need to protect documents (PDF, doc, xls, etc.) that have our dealer / dist pricing and make them only accessible by registered dealers / dist in their respective groups.  :wink:
Title: Re: How to check if user is authenticated to access script
Post by: SnapDaddy on April 08, 2014, 12:02:07 AM
Ruud,

Just followed the link to the developer's page. It's a newer version of the same download gallery I'm already using. Unfortunately, it doesn't state if it supports files located outside of web root (public_html).

For now, my only option would be to continue down the path with a custom script that will download file outside of root and make sure I can limit access to script by user / group.

If anyone else has other suggestions, that would be helpful!  :-D
Title: Re: How to check if user is authenticated to access script
Post by: Ruud on April 08, 2014, 10:19:31 AM
If your script is included in WB some way (like using include() in a code page) you should be able to use the session variables of WB.

Code: [Select]
$_SESSION['USER_ID'];
$_SESSION['USERNAME'];
$_SESSION['GROUPS_ID'];  //(comma separated list of assigned groups)

If your script has to run externally only, you can try to hook in the WB session by setting the session_name that WB uses (different for each installation, something like "wb_nnnn_session_id"). All browsers currently have some debugging info (press F12) where you can find the session cookie name.

These few lines will show the assigned session variables.
Code: [Select]
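<?php
// Attach to the WebsiteBaker session; the name differs per installation.
session_name('wb_9210_session_id');
session_start();
// Dump the session variables WebsiteBaker has assigned.
var_dump($_SESSION);
?>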
If you see the assigned session variables you should be able to use it in your script this way.
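
Added example (not part of the original posts and not WebsiteBaker's own code): a stand-alone download script that attaches to the WB session as described above, checks `$_SESSION['GROUPS_ID']` against an allow-list, and only then streams a file stored outside the web root. The group IDs, the directory path and the `file` parameter name are assumptions for illustration; the session name is the installation-specific one from the post.

```php
<?php
// Added example, not WebsiteBaker code. Requires PHP 7.1+. Assumed values are marked.
const WB_SESSION_NAME = 'wb_9210_session_id';           // installation-specific, from the post above
const ALLOWED_GROUPS  = [4, 7];                         // hypothetical dealer / distributor group IDs
const PROTECTED_DIR   = '/home/example/protected_docs'; // hypothetical directory outside the web root

/** True if the comma-separated GROUPS_ID string shares at least one ID with $allowed. */
function user_in_allowed_group(string $groupsCsv, array $allowed): bool
{
    $ids = array_filter(array_map('trim', explode(',', $groupsCsv)), 'ctype_digit');
    return count(array_intersect(array_map('intval', $ids), $allowed)) > 0;
}

/** Resolve a requested file name inside $baseDir; null if it is missing or outside it. */
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . basename($requested)); // basename() drops any directory parts
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() has resolved symlinks, so the result must still sit under the base directory.
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

session_name(WB_SESSION_NAME);
session_start();

$groups = is_scalar($_SESSION['GROUPS_ID'] ?? null) ? (string)$_SESSION['GROUPS_ID'] : '';
if (empty($_SESSION['USER_ID']) || !user_in_allowed_group($groups, ALLOWED_GROUPS)) {
    http_response_code(403);
    exit('Access denied.');
}

$requested = $_GET['file'] ?? '';                        // 'file' is a hypothetical parameter name
$path = is_string($requested) ? resolve_download(PROTECTED_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The script has to be served from the same host and cookie path as the WB site, otherwise the browser does not send the WB session cookie and every request ends in the 403 branch.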
Title: Re: How to check if user is authenticated to access script
Post by: CaptainRob on April 09, 2014, 12:09:48 PM
Hello SnapDaddy,

To secure files in your media directory, you can use the script mentioned in this thread:

http://www.WebsiteBaker.org/forum/index.php/topic,17482.0.html

Greetings,
Rob
Title: Re: How to check if user is authenticated to access script
Post by: benos on May 09, 2014, 03:01:04 PM
Hello,

I have exactly the same problem.

Can anyone re-explain simply the final solution, if any works?

Thanks a lot for your help...