Elxis CMS Forum

Extensions => Components => Topic started by: Amigamerlin on October 06, 2010, 22:23:38

Title: Help with IOS download
Post by: Amigamerlin on October 06, 2010, 22:23:38
Hello guys I need your help again.
I would like to know, if it is possible, how to modify IOS download to hide the listings that are reserved to some user group.
Let me explain. Currently if I put a listing in the download center that should be available for administrator only, the listing is shown to everyone with the indication "you have to register to download ..."
What I want is to hide the listing from all except the user group where the listing is reserved (showing according to the ACL).
When the user is logged in and he's in the right group, the listing will be shown.
Otherwise the listing is hidden.
Anyone can help ?

Thank you.

Please Datahell, can you provide this option in a next release of IOS download?
Title: Re: Help with IOS download
Post by: Amigamerlin on October 08, 2010, 12:32:20
No one can help ?
Any suggestion?

Thank you
Title: Re: Help with IOS download
Post by: datahell on October 08, 2010, 20:43:18
It is easy to do so but you have to modify IOS Downloads in multiple places.

File: components/com_downloads/downloads.php

line 194 change this:
$database->setQuery("SELECT size, downloads FROM #__downloads_files WHERE published='1'");
with this:
$database->setQuery("SELECT size, downloads FROM #__downloads_files WHERE published='1' AND access IN (".$my->allowed.")");
also add $my to the function's global declarations: global $database, $downloader, $mainframe, $my;

line 213 change this:
."\n WHERE f.id='".$downloader->cfg->get('FPFEATURED')."' AND f.published='1'";
to this:
."\n WHERE f.id='".$downloader->cfg->get('FPFEATURED')."' AND f.published='1' AND f.access IN (".$my->allowed.")";

line 259 change this:
."\n WHERE f.published='1'".$andwhere
to this
."\n WHERE f.published='1' AND f.access IN (".$my->allowed.")".$andwhere

line 318 change this:
$database->setQuery("SELECT COUNT(id) FROM #__downloads_files WHERE cid='".$cat->cid."' AND published='1'");
to this:
$database->setQuery("SELECT COUNT(id) FROM #__downloads_files WHERE cid='".$cat->cid."' AND published='1' AND access IN (".$my->allowed.")");
also add $my to the function's global declarations: global $database, $downloader, $Itemid, $mainframe, $my;

line 323 change this:
."\n WHERE x.cid='".$cat->cid."' AND f.published='1'";
to this:
."\n WHERE x.cid='".$cat->cid."' AND f.published='1' AND f.access IN (".$my->allowed.")";

line 422 change this:
."\n WHERE d.id='".$id."' AND d.published='1'";
to this:
."\n WHERE d.id='".$id."' AND d.published='1' AND d.access IN (".$my->allowed.")";

line 588 change this:
."\n WHERE f.userid='".$userid."'".$andwhere
to this:
."\n WHERE f.userid='".$userid."' AND f.access IN (".$my->allowed.")".$andwhere

line 707 change this:
."\n WHERE f.published='1'"
to this:
."\n WHERE f.published='1' AND f.access IN (".$my->allowed.")"

line 1312 change this:
."\n WHERE f.published='1'"
to this:
."\n WHERE f.published='1' AND f.access IN (".$my->allowed.")"

do the same as above (add access check) at lines: 446, 529, 647
Title: Re: Help with IOS download
Post by: Amigamerlin on October 08, 2010, 21:57:20
Fantastic as always !!! .

Datahell,  can you provide this as configuration option in the next release of IOS download ?
IMHO can be a great thing.

Ciao
Title: Re: Help with IOS download
Post by: Amigamerlin on October 09, 2010, 10:26:47
Ciao Datahell, I've done the modification but it seems not to work as expected.
Maybe I've done something wrong, anyway:

SCENARIO

I build 2 categories - BOT - TEMPLATE

I put inside BOT a file called private.zip and assigned it to Administrator group
After I put inside BOT a file called public.zip assigned to Public Frontend

Well, the BOT category counts 2 files and when I click on Bot I can see the two files (the private file is not hidden). If I click on the private file it tells me "invalid listing".

Probably I've done something wrong. Can you help me fix it ?

Thank you
Title: Check user access with Elxis ACL
Post by: datahell on October 09, 2010, 11:37:53
I will write once more how Elxis' ACL system works. It is extremely simple.

Access check in database queries
$my->allowed is a string full of digits separated by commas and it is never empty. Example: 29,24,18,25
These are the groups the user/visitor is allowed to see/access.
If an element's (i.e. an article) access is described by a database field named access then the value of this field is the minimum group* the user should belong to in order to access the element. Example: 29

Now, to check if the user has access to an element we must add this in the SQL query:
... AND access IN (".$my->allowed.")
which, in our example, is translated to : ... AND 29 IN (29,24,18,25)
We see that the number 29 is in the "29,24,18,25" set, so the user is allowed to see that element.

Another example:
... AND 21 IN (29,24,18,25)
result: the user is not allowed to see this element as "21" does not belong in set "29,24,18,25".

* Not arithmetically (as for mambo and joomla)! Access check like this $my->gid >= X is extremely wrong in Elxis!

$my->allowed generation
$my->allowed value is generated automatically by Elxis based on your ACL tree and the user's group. This value is generated for anyone, even for the guests as in Elxis everyone belongs to a user group, even the guests. Elxis will go to the site's hierarchy ACL tree and add in an array all the group ids the user is allowed to access. Afterwards it will implode the array to a comma separated string. This will be the value of $my->allowed.

Alternative access check.
We can alternatively check access with PHP. In that case we won't add anything in the SQL query but we will get the "access" field value to check it later via PHP.

First we need to convert the $my->allowed string to an array by exploding it (or with preg_split):
$allowed_groups = explode(',', $my->allowed);
$allowed_groups will be an array like this: array(29, 24, 18, 25);
Now, we must check if element's access is in this array:

if (in_array($row->access, $allowed_groups)) {
    //the user is allowed to access the element
} else {
    //the user is not allowed to access the element
}

Elxis' access system is extremely secure as the user has no interaction with it.
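
The set-membership check described in the post above, as an added example that is not part of the original post and not Elxis or IOS Downloads code. Helper names, the file rows and the group id 25 are constructed; only the allowed string 29,24,18,25 and the access values 29 and 21 come from the post. It also validates the allowed string before it is interpolated into SQL and contrasts the result with the arithmetic gid comparison the post warns against.

```php
<?php
// Added example: not Elxis or IOS Downloads code. Helper names are hypothetical.

// Parse an Elxis-style $my->allowed string into integers. Rejecting anything
// but digits and commas keeps the value safe to interpolate into SQL.
function allowed_groups(string $allowed): array
{
    if (!preg_match('/^\d+(,\d+)*\z/', $allowed)) {
        throw new InvalidArgumentException('allowed list must be digits and commas');
    }
    return array_map('intval', explode(',', $allowed));
}

// Build the access fragment appended to each listing or count query.
function access_clause(string $allowed, string $column = 'access'): string
{
    return ' AND ' . $column . ' IN (' . implode(',', allowed_groups($allowed)) . ')';
}

// PHP-side equivalent of the SQL filter: published and access in the allowed set.
function visible_files(array $files, string $allowed): array
{
    $groups = allowed_groups($allowed);
    return array_values(array_filter($files, function (array $f) use ($groups): bool {
        return $f['published'] === 1 && in_array($f['access'], $groups, true);
    }));
}

// Constructed rows standing in for #__downloads_files.
$files = [
    ['title' => 'public.zip',  'published' => 1, 'access' => 29],
    ['title' => 'private.zip', 'published' => 1, 'access' => 21],
];
$allowed = '29,24,18,25';   // the example value from the post
$gid = 25;                  // constructed group id for the same visitor

echo access_clause($allowed, 'f.access'), "\n";   // clause for the listing query
$visible = visible_files($files, $allowed);
// The category counter must use the same filter, or it reports hidden files.
echo count($visible), ' file(s): ', implode(', ', array_column($visible, 'title')), "\n";

// The arithmetic check the post warns against disagrees with the set check.
foreach ($files as $f) {
    $set = in_array($f['access'], allowed_groups($allowed), true) ? 'allow' : 'deny';
    $cmp = ($gid >= $f['access']) ? 'allow' : 'deny';
    echo $f['title'], ': set=', $set, ' arithmetic=', $cmp, "\n";
}
```

Every query that lists or counts files needs the same clause; a counter left without it still reports files that the listing hides.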
Title: Re: Help with IOS download
Post by: Amigamerlin on October 09, 2010, 12:13:42
Ciao Datahell,
I'm far, far away from fully and completely understanding what you wrote  :-[ .
Sorry, but it is not my job  :(
If you have the time, can you write me the solution and where to apply it?

Thank you in advance.
Title: Re: Help with IOS download
Post by: speck on October 09, 2010, 15:52:59

Quote from Amigamerlin:
Well, the BOT category counts 2 files and when I click on Bot I can see the two files (the private file is not hidden). If I click on the private file it tells me "invalid listing".


You need to apply the access IN (".$my->allowed.") also to complex query strings where you find #__downloads_cats and #__downloads_files
example:

if ($downloader->cfg->get('FPFEATURED')) {
   // featured-file query with the access check added to the WHERE clause
   $query = "SELECT f.id, f.cid, f.title, f.dialect1, f.dialect2, f.dialect3, f.description, f.dialdesc1, f.dialdesc2, f.dialdesc3,"
   ."\n f.version, f.size, f.hits, f.downloads, f.image, f.timemodified, c.seotitle"
   ."\n FROM #__downloads_files f "
   ."\n LEFT JOIN #__downloads_cats c ON c.cid = f.cid"
   ."\n WHERE f.id='".$downloader->cfg->get('FPFEATURED')."' AND f.published='1' AND f.access IN (".$my->allowed.") ";
   // ... rest of the block unchanged
}
Title: Re: Help with IOS download
Post by: Amigamerlin on October 09, 2010, 17:04:35
Thank you speck I'll try
Ciao