Restricting Viewer Access to Logged In Users in 2.53

@ Jerry,

I think I've found out what the problem is, it looks as if  your code is creating an infinite redirect loop. publicity.php is forwarding to the cmsAdmin area, then CMS Builder is detecting the redirectUrl variable in the URL, and redirecting back to publicity.php, which then redirects back to the CMS Admin area, etc. I would remove the redirectUrl variable from the publicity.php redirect:

  //Get the current CMS users details
  $CMS_USER = getCurrentUserFromCMS(); 
  
  //redirect the browser if no user is currently logged into the back end
  if (!@$CMS_USER['num']){ 
    redirectBrowserToUrl("http://elleschorrphotography.com/cmsAdmin/admin.php");
    exit;
  }

@Djulia,

I've done some quick testing in version 2.53. Have you got the WSM_SEPARATE_LOGIN global set to true in your website membership plugin? If not you can change it on line 33 of websiteMembership.php:

$GLOBALS['WSM_SEPARATE_LOGIN']            = true;         // set this to allow you to login to the website and CMS simultaneously as different users

The test code below should output the front end and CMS user array details:

<?php header('Content-type: text/html; charset=utf-8'); ?>
<?php
  /* STEP 1: LOAD RECORDS - Copy this PHP code block near the TOP of your page */
  
  // load viewer library
  $libraryPath = 'cmsAdmin/lib/viewer_functions.php';
  $dirsToCheck = array('C:/wamp/www/','','../','../../','../../../');
  foreach ($dirsToCheck as $dir) { if (@include_once("$dir$libraryPath")) { break; }}
  if (!function_exists('getRecords')) { die("Couldn't load viewer library, check filepath in sourcecode."); }


  $CMS_USER = getCurrentUserFromCMS(); 

  showme($CMS_USER);

  showme($CURRENT_USER);

Thanks!

Greg

Hi Greg,

Sorry that this is becoming so complex and time consuming.

I think we're getting further off base with my NON membership plugin issue. (Djulia had the membership plugin issue, and I'll follow up on that later)

The code you offered a few posts back:

//Get the current CMS users details
  $CMS_USER = getCurrentUserFromCMS();
 
  //redirect the browser if no user is currently logged into the back end
  if (!@$CMS_USER['num']){
    redirectBrowserToUrl("http://elleschorrphotography.com/cmsAdmin/admin.php?redirectUrl=" . $_SERVER['REQUEST_URI']);
    exit;
  }

Works fine.

It's only when I try to restrict to admins only, by changing

if (!@$CMS_USER['num'])

To

if (!@$CMS_USER['isAdmin'])

and then log in as a non-admin user that I get back into the loop issue. (logging in as an Admin works fine)

If I use your latest idea, the user is taken back into the back end which is not what I'm trying to do.

Hope that clarifies the problem.

Thanks,

Jerry Kornbluth

Hi Jerry,

Sorry, but I'm not 100% sure where you want non admin users to be taken if they don't have access to the page, should they be redirected to the admin area? Should people who aren't logged in also be redirected to the CMS area? If you're trying to send non admin users to the CMS area to log in, this should work:

  //Get the current CMS users details
  $CMS_USER = getCurrentUserFromCMS();
  //redirect the browser if no user is currently logged into the back end
  if (!@$CMS_USER['isAdmin']){
     redirectBrowserToUrl("http://elleschorrphotography.com/cmsAdmin/admin.php");
    exit;
  }

Thanks!

Greg

Hi Greg

It is perfect!

It is also independent of activation on False or True.

Thanks again!

Djulia

Hi Greg,

I see what you mean by your last question.

I have some pages that are open to anyone who can login as a user, but some that are restricted to admins only.

If the entire page is to be hidden from non-admins, I surrounded the restricted code with an if statement as shown in the code below.

*** The only issue that seems to remain is that when I use the logoff code, <a href="http://www.elleschorrphotography.com/cmsAdmin/admin.php?action=logoff">Click Here to Log Out</a>, the previous non-admin login cookie does not get destroyed, and when I return to that page I’m still seeing the restricted message. If I delete the cookie, then things go back to normal.

Any thoughts?

Thanks,

Jerry Kornbluth

<?php if($CMS_USER['isAdmin']): ?>

code for admins only...

 <?php else :?>
     
Sorry, based on the login credentials you used, you don't have the authority to access this page.

<br />
<br />
To log in with the appropriate credentials, <a class="special" href="http://www.elleschorrphotography.com?action=logoff">Click Here to Log Out</a>, then return to this page and log in again.<br /> </span>

<?php endif ?>

Hi Jerry,

Could you add some code to destroy the session data if the user isn't logged in your if statement?

 <?php if($CMS_USER['isAdmin']): ?>
   code for admins only...
<?php else :?>
   <?php unset($_SESSION['otherSessonVariable']); ?>
   Sorry, based on the login credentials you used, you don't have the authority to access this page.
   <br />
   <br />
   To log in with the appropriate credentials, <a class="special" href="http://www.elleschorrphotography.com?action=logoff">Click Here to Log Out</a>, then return to this page and log in again.<br /> </span>
<?php endif ?>

If this doesn't work, could you post all of your code so far so I can see what is being stored in the non-admin session?

Cheers

Greg

Hi Greg,

Sorry for the delay.

That added line didn't destroy the login session

I've attached the page code and the 2 cookies that are generated when a non-Admin user logs in. cms_5159ca3da2187_loginsession and cms_5159ca3da2187_PHPSESSION.

Thanks,

Jerry Kornbluth

Hi Jerry,

Could you fill out a second level support request for me so that I can login to the CMS area and recreate the issue? You can find the form here:

https://www.interactivetools.com/support/email_support_form.php

Thanks!

Greg

Thanks Greg.

I've submitted a 2nd level request.

the file that I've been testing with is publicitya.php

Jerry Kornbluth