Restricting Viewer Access to Logged In Users in 2.53

23 posts by 4 authors in: Forums > CMS Builder
Last Post: May 19, 2013

By gkornbluth - April 16, 2013

Hi All,

I’ve been restricting viewer access to logged in users only using the following code:

<?php
if (!defined('START_SESSION')) { define('START_SESSION', true); }
require_once "/path_to_your/cmsAdmin/lib/viewer_functions.php";
if (!@$_SESSION['username']) { header("Location: http://mydomain.com/cmsAdmin/admin.php?redirectUrl=" . $_SERVER['REQUEST_URI']); exit; }
?>

But after upgrading from 2.17 to 2.53, that code returns a “page not redirecting properly” error in FF and a “cannot display web page” in IE.

Any suggestions on the changes required for the new version?

Thanks,

Jerry Kornbluth

The first CMS Builder reference book is now available on-line!
Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By gregThomas - April 16, 2013

Hi Jerry,

The most likely cause is that the page has already sent the headers in the newer version of CMSB for some reason, and so can't change the header to send the page to a new location.

Try changing your code to this:

<?php
  if (!defined('START_SESSION')) { define('START_SESSION', true); }
  require_once "/path_to_your/cmsAdmin/lib/viewer_functions.php";
  if (!@$_SESSION['username']) { 
    redirectBrowserToUrl("http://mydomain.com/cmsAdmin/admin.php?redirectUrl=" . $_SERVER['REQUEST_URI']);
    exit; 
  }
?>

The redirectBrowserToUrl function detects if the page headers have already been sent, and uses HTML or JavaScript to redirect the browser instead if required.

Let me know if this doesn't work.

Thanks!

Greg

Greg Thomas
PHP Programmer - interactivetools.com

By gkornbluth - April 16, 2013 - edited: April 16, 2013

Sorry Greg,

With the code you recommended (below) I get the same error.

The protected page is http://elleschorrphotography.com/publicity.php

If I'm not logged in, the URL is http://elleschorrphotography.com/cmsAdmin/admin.php?redirectUrl=/publicity.php and I get redirected to the login page.

The URL that comes up after login is still http://elleschorrphotography.com/cmsAdmin/admin.php?redirectUrl=/publicity.php but I get the same error as before.

I've tried a few sites with the same result.

Jerry

<?php
 
 if (!defined('START_SESSION')) { define('START_SESSION', true); }
  // load viewer library
  $libraryPath = 'cmsAdmin/lib/viewer_functions.php';
  $dirsToCheck = array('/hsphere/local/home/a887307/elleschorrphotography.com/','','../','../../','../../../');
  foreach ($dirsToCheck as $dir) { if (@include_once("$dir$libraryPath")) { break; }}
  if (!function_exists('getRecords')) { die("Couldn't load viewer library, check filepath in sourcecode."); }
  if (!@$_SESSION['username']) {
    redirectBrowserToUrl("http://elleschorrphotography.com/cmsAdmin/admin.php?redirectUrl=" . $_SERVER['REQUEST_URI']);
    exit; }
?>

By gregThomas - April 16, 2013

Hi Jerry,

Are you still having issues with the page redirecting on some browsers?

I hadn't noticed earlier, but CMS Builder empties out the $_SESSION array and stores all user data in $CURRENT_USER for security reasons. So to detect if a user is logged in or not I would do this:

  if (!defined('START_SESSION')) { define('START_SESSION', true); }
  // load viewer library
  $libraryPath = 'cmsAdmin/lib/viewer_functions.php';
  $dirsToCheck = array('/hsphere/local/home/a887307/elleschorrphotography.com/','','../','../../','../../../');
  foreach ($dirsToCheck as $dir) { if (@include_once("$dir$libraryPath")) { break; }}
  if (!function_exists('getRecords')) { die("Couldn't load viewer library, check filepath in sourcecode."); }
  if (!@$CURRENT_USER['num']){ 
    redirectBrowserToUrl("http://elleschorrphotography.com/cmsAdmin/admin.php?redirectUrl=" . $_SERVER['REQUEST_URI']);
    exit;
  }

So as the $CURRENT_USER['num'] is a field that can't be changed, I've used it to detect if a user is logged in or not. 

Thanks!

Greg

By gkornbluth - April 16, 2013

Hi Greg,

Sorry, but that didn't change anything. The result is identical.

I thought $CURRENT_USER was only valid when using the membership plugin. I guess not.

Jerry

By gkornbluth - April 17, 2013

Hi Greg,

Any new insights on this?

Jerry Kornbluth

By gkornbluth - April 17, 2013

Thanks Djulia,

I'm not using website membership on these sites.

I'll keep that in mind though.

Jerry Kornbluth

By gregThomas - April 17, 2013

Hi Jerry, 

Sorry for a delay in the reply. 

I've just discovered there is a new function you can use to get the current CMS user, and it works if you don't have the website membership plugin:

  // Get the current CMS user's details
  $CMS_USER = getCurrentUserFromCMS(); 
  
  //redirect the browser if no user is currently logged into the back end
  if (!@$CMS_USER['num']){ 
    redirectBrowserToUrl("http://elleschorrphotography.com/cmsAdmin/admin.php?redirectUrl=" . $_SERVER['REQUEST_URI']);
    exit;
  }

So the getCurrentUserFromCMS function returns an array that looks similar to the $CURRENT_USER array, but contains the CMS user's information.

Thanks!

Greg

By gkornbluth - April 17, 2013

Hi Greg,

Thanks for discovering that. It seems to work.

One more question...

When I try to restrict access to admins by changing !@$CMS_USER ['num'] to !@$CMS_USER ['isAdmin'], if I log in as an admin the redirect works as it's supposed to, but if I log in as a non Admin it crashes with the same error as before.

Any thoughts?

Thanks,

Jerry Kornbluth

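An added example, not part of any post above and not CMS Builder's own code: a page gate that treats "not logged in" (redirect to the login page) separately from "logged in but not an admin" (403 response, no redirect), and URL-encodes the return path after checking that it is a same-site path. The helper names accessDecision() and loginUrl() are hypothetical; getCurrentUserFromCMS(), redirectBrowserToUrl() and the 'num' and 'isAdmin' fields are used as they appear in the thread, and PHP 7 or later is assumed.

```php
<?php
// Added example (assumes PHP 7+); not CMS Builder code.
// accessDecision() and loginUrl() are hypothetical helper names.
// 'num' and 'isAdmin' are the user fields mentioned in the thread.

// $user is whatever getCurrentUserFromCMS() returned (empty when logged out).
function accessDecision($user, bool $requireAdmin): string {
    if (empty($user['num'])) { return 'login'; }                          // not authenticated
    if ($requireAdmin && empty($user['isAdmin'])) { return 'forbidden'; } // logged in, not an admin
    return 'allow';
}

// Accept only a same-site path as the return target, and URL-encode it so a
// query string inside it stays within the single redirectUrl parameter.
function loginUrl(string $loginPage, string $requestUri): string {
    $isLocalPath = preg_match('#^/(?![/\\\\])[^\r\n]*\z#', $requestUri) === 1;
    return $loginPage . '?redirectUrl=' . urlencode($isLocalPath ? $requestUri : '/');
}

// Wiring for a protected page; skipped unless the viewer library is loaded.
if (function_exists('getCurrentUserFromCMS')) {
    $decision = accessDecision(getCurrentUserFromCMS(), true);
    if ($decision === 'login') {
        redirectBrowserToUrl(loginUrl('http://mydomain.com/cmsAdmin/admin.php', $_SERVER['REQUEST_URI']));
        exit;
    }
    if ($decision === 'forbidden') {
        http_response_code(403); // answer here; no second trip to the login page
        exit('This page is restricted to administrators.');
    }
}

// Constructed sample users and URIs, printed only when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [
        'anonymous' => [],
        'editor'    => ['num' => 2, 'isAdmin' => 0],
        'admin'     => ['num' => 1, 'isAdmin' => 1],
    ];
    foreach ($samples as $label => $user) {
        printf("%-9s -> %s\n", $label, accessDecision($user, true));
    }
    foreach (['/publicity.php?year=2013&page=2', '//other.example/x'] as $uri) {
        echo loginUrl('http://mydomain.com/cmsAdmin/admin.php', $uri), "\n";
    }
}
```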