Using CMSBuilding Login

If you mean allowing certain CMSB users to edit only certain pages and not others, you can restrict access down to the author of a page in specific sections when you set up their user account.

In the section access pulldown menu you can specify specific sections and restrict access that way.

If that's not what you're asking, let us know,

Best,

Jerry Kornbluth

Not quite.

What I'm after is a way of knowing who my CMSB users are on none CMSB pages. For example, I have some pages on my site that are visible to all, but I want my CSMB admins to be able to view certain sections that are hidden from the general public.

There are 2 approaches that come to mind.

1) Don't provide any public links to the versions of those pages with the private data.

2) Password protect the folder with those pages if you need the added security.

You can use a free password management program like Account Manager Lite by Site Interactive or just use .htaccess files.

Does that help at all?

Best,

Jerry Kornbluth

In the past I've set session vars once a registered user has logged into a site. Then on each page I sniff for those vars and if that user has values in their account info (CMSB Table) that matches the permitted users for that page, then they can go on and read the page. Otherwise, they are bounced, or some content is displayed conditionally.

Basically this is the same method that Dreamweaver users by default in these cases.
J.

I can do so in brief from memory. Details can be provided later if needed:

1 - Created a mulit-record table in CMSB called 'Subscribers'. Contains user info, password, contacts, and permission data. In my case the latter was a drop-down menu containing user level types. My client wanted to have viewers only see certain data so this table also had extra permission fields. i.e.: red stuff, blue stuff, green stuff.

2 - The client was signing up users manually, but you could have a sign-up form which populates that table. Moderator oversight may be required.

3 - On the login page. The user would enter their username and password. These are checked against the user table. If their account is in good standing, create session vars based on some kind of temp hash of their username and/or system time (or similar).

4 - On each subsequent page, at load, check the session vars and see if their reversed-hash info matches the valid account info from the CMSB table. If not, bounce the user back to page 1. If valid, read their data viewing permissions and display the content accordingly (i.e.: red stuff, blue stuff, green stuff,etc.). Users with certain levels of permission such as Admins or Mods might see multiple sets of data.

5 - For some critical bits of content, or with certain user actions, we send emails or append to a flat file log of what user took a given action. That way we know if they downloaded a given file or went to a particular page.

It must be noted that this site was just intended for non-commercial actions as this method is far from foolproof. But it does allow one to know which of your users came to your site, what pages they viewed, and permit you to show the right data to the right groups of users provided that none of them know enough about how to spoof the session vars or some of the page headers. Security is relative.

This site was originally built on CMSB 1.20 and I'm sure we might approach some things a little differently now.

Hope this helps!

J.

Hang on guys, before we get carried away, I'm sure there's an easier way. When I log in to the CMS admin, a session variable is surely set. If I know what this is, I can protect other pages. Or does it use some other method to know who's logged in?

No idea andycal, but that's a great question.

Back when I did this, and perhaps even now, I wasn't able to add extra fields to the user table on CMSB. Neccessity begat invention.

J.

Hi andycal,

This isn't something that's supported by the software, but I'll try and point you in the right direction. We switched from cookies to sessions in a recent version, so upgrade if you haven't already.

Next, add this line in red before you load the viewer functions:

if (!defined('START_SESSION')) { define('START_SESSION', true); }
require_once "../lib/viewer_functions.php";

That tells it to start a session. Next, you can display an error message for users who are not logged in like this:

<?php if (!@$_SESSION['username']) { die("You must login first!"); } ?>

And you can see all the session variables available like this:

<xmp><?php print_r( $_SESSION ) ?></xmp>

Note that the program internals might change over time. Probably not for a long while, but be sure to test your custom code after future upgrades.

Hope that helps!