pico-users's People

Contributors

dikiaap, john-cheesman, nliautaud, pschmitt

pico-users's Issues

Does Not Restrict Pages

Is this plugin still supported?

Does it work with Pico 1.0.6?

I've added it to /plugins/ and added users and rights settings to config.php, but I can still browse all pages.

I'm using the default content, my settings are:

$settings['users'] = array
(
	'managers' => array(
		'cristina' => '2cc13a9e718d3d3051ac1f0ba024a2ff77485f4b',
		'paul' => '12dea96fec20593566ab75692c9949596833adc9'
	),
	'developers' => array(
		'aaron' => '9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684',
		'james' => '12dea96fec20593566ab75692c9949596833adc9'
	)
);

$settings['rights'] = array
(
	'sub/index' => 'managers'
);

feat: how admin users from external apps .. or API docs where?

we already know that users and rights are in default pico config file..

but since I see that there's no API for external apps outside of Pico .. the users file at least could be separate, .. we can use it with one line per user and implode with \n to administer those later in the onConfigLoaded function.. maybe we need a specific file load function..

if not, then how could I set up, with an external tool, the users to be added or removed!?

Security: Use password_hash() rather than hash()

$users = $this->search_users($name, hash($this->hash_type, $pass));

hash() is no password hashing function (at least not as-is)! Even more important: Never use a password hash function without salt. Use password_hash() instead.

Unfortunately password_hash() requires >= PHP 5.5. If you still want to support PHP 5.3 and PHP 5.4 (as Pico does), you can use https://github.com/ircmaxell/password_compat. You might want to take a look at how Pico's official admin plugin (still work in progress) takes care of this:
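
The migration this issue asks for, as an added example (not code from pico-users or from Pico's admin plugin): accept an existing unsalted hash() digest once and replace it with a password_hash() value on the next successful login. verify_and_upgrade() and the flat $users array are hypothetical, and the scalar type hints assume PHP 7 or later.

```php
<?php
// Added example (not pico-users code): accept legacy unsalted hash() digests
// once, then replace them with password_hash() values.
// verify_and_upgrade() and the flat $users array are hypothetical.

function verify_and_upgrade(array &$users, string $name, string $pass, string $legacyAlgo = 'sha1'): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('unused', PASSWORD_DEFAULT);
    }
    // Salted hashes cannot be searched by digest: fetch by name, then verify.
    if (!isset($users[$name])) {
        password_verify($pass, $dummy); // keep timing similar for unknown names
        return false;
    }
    $stored = $users[$name];

    if (password_get_info($stored)['algoName'] !== 'unknown') {
        // Already a password_hash() value.
        $ok = password_verify($pass, $stored);
        if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $users[$name] = password_hash($pass, PASSWORD_DEFAULT);
        }
        return $ok;
    }

    // Legacy entry: constant-time compare, then upgrade in place on success.
    $ok = hash_equals($stored, hash($legacyAlgo, $pass));
    if ($ok) {
        $users[$name] = password_hash($pass, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Constructed sample data: one user stored the old way.
$users = ['alice' => hash('sha1', 'correct horse')];

foreach (['wrong guess', 'correct horse', 'correct horse'] as $attempt) {
    $ok = verify_and_upgrade($users, 'alice', $attempt);
    printf("%-14s ok=%s stored=%s\n", $attempt, var_export($ok, true),
        password_get_info($users['alice'])['algoName']);
}
```

Writing the upgraded $users entries back to wherever the configuration is stored is left to the caller.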

Login form not shown

Hello.

I have installed pico-users following the readme.md file but I don't have any login form displayed.
Where should I see this login form? Also do I need to create a login.md file for this, and then once logged in I can browse all other pages if I have the right to access them?
What would need to be in this login.md page as code to show the login?

Also I tried to modify my template file themes/picocms-gallery/index.twig and adding this somewhere:
{{ login_form }}

But this would mean that all pages would display the login form, isn't it? and also this does still not show the login form.

Also do I need to put this in the config.yml file:
PicoUsers: true

I hope you can help.

Can't log in

I get this message when I try to login:
"Warning: Invalid argument supplied for foreach() in /plugins/_pico_users.php on line 175"

Also, I can read a page which I have set to only one specific user.

Best regards.

Plugin needs better session handling

Session clearing after logout. Currently all session variables remain. My bad, it is there. But as sessions do not expire, they will remain if the user does not log out.

Proper session expiration handling. Currently it works under http, but not under https. Sessions are lost after a couple of seconds, probably some server configuration issue, so the session_id values are different and therefore $fp = $this->fingerprint(); returns a different value. It really should handle session expiration by itself.

It was actually my bug. I use php-crud-api with BasicAuth and made some ajax request against that from Pico site. But what happens, is session conflict, as PicoUsers set PHPSESSID cookie and php-crud-api set PHPSESSID cookie and later rewrite it in browser and PicoUsers session got lost. It works under http, as php-crud-api was defined as https, so for browser, it was CORS situation, and no cookie was set.

I already made a ticket to php-crud-api and it is already solved: mevdschee/php-crud-api#600

Here also, perhaps you should consider setting a different session_name to avoid session conflicts. It could be hard-coded 'PicoUsers' or from configuration.
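
The two requests in this issue, a dedicated session name and an idle timeout enforced by the plugin itself, as an added example (not pico-users code). The pu_* functions, the 'last_seen' key and the 30-minute limit are assumptions; the cookie_samesite option needs PHP 7.3 or later.

```php
<?php
// Added example, not pico-users code. All pu_* names are hypothetical.
const PU_SESSION_NAME = 'PicoUsers'; // own cookie name, so another app's PHPSESSID cannot overwrite it
const PU_IDLE_LIMIT   = 1800;        // assumed idle timeout in seconds

function pu_session_start(): void
{
    session_name(PU_SESSION_NAME);   // must be called before session_start()
    session_start([
        'cookie_httponly' => true,
        'cookie_secure'   => !empty($_SERVER['HTTPS']),
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,   // reject session ids the server did not issue
    ]);
}

// Pure helper: returns false and empties the session data once the idle
// limit has passed, otherwise records the current time and returns true.
function pu_session_touch(array &$session, int $now, int $limit = PU_IDLE_LIMIT): bool
{
    if (isset($session['last_seen']) && $now - $session['last_seen'] > $limit) {
        $session = [];
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// What a request handler would call before any rights check.
function pu_session_check(): bool
{
    pu_session_start();
    if (!pu_session_touch($_SESSION, time())) {
        session_regenerate_id(true); // drop the expired session id as well
        return false;
    }
    return true;
}

// Constructed demonstration on a plain array, no HTTP request needed.
$demo = ['user' => 'nathan', 'last_seen' => 1000];
foreach ([1000 + 60, 1000 + 60 + PU_IDLE_LIMIT + 1] as $now) {
    $alive = pu_session_touch($demo, $now);
    printf("t=%d alive=%s keys=%s\n", $now, var_export($alive, true),
        implode(',', array_keys($demo)));
}
```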

Anonymous user and rights

There should be a built-in anon user, so that it is possible to grant anonymous access to a page in a directory which is restricted.

users:
    editors:
        user1: passhash
rights:
    folder: editors
    folder/public: anon

or some other way to exclude some page from restrictions

Extra slash in url bypasses rights list

Checking rights can be bypassed by putting an extra slash in the URL.

Accessing https://example.com/hidden/ prompts for password as expected. Accessing https://example.com//hidden/ allows immediate access

My rights look like this:

rights:
    hidden: nathan
    alsohidden: nathan

This is on a fresh install of pico cms and this plugin
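
A defensive pattern for the mismatch reported above, as an added example (not pico-users code): canonicalise the requested path before comparing it with the keys of the rights list, and refuse paths that cannot be canonicalised. normalise_path() and matching_rules() are hypothetical, and matching rights keys as path prefixes is an assumption about how the rights list is meant to apply.

```php
<?php
// Added example, not pico-users code. Function names are hypothetical.

// Returns the path without empty, "." or ".." segments, or null when the
// path should be refused outright.
function normalise_path(string $raw): ?string
{
    // Note: parse_url() treats a leading "//" as "//host/path", so the path
    // is split off by hand here.
    $path = rawurldecode(explode('?', $raw, 2)[0]);
    if (strpos($path, "\0") !== false) {
        return null;
    }
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                // "//hidden/" and "/./hidden" collapse here
        }
        if ($seg === '..') {
            if (!$out) {
                return null;         // climbs above the content root
            }
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return implode('/', $out);
}

// Rights entries whose key equals the path or is one of its parent folders.
function matching_rules(array $rights, string $path): array
{
    $hits = [];
    foreach ($rights as $prefix => $who) {
        $prefix = trim($prefix, '/');
        if (strpos($path . '/', $prefix . '/') === 0) {
            $hits[$prefix] = $who;
        }
    }
    return $hits;
}

// Rights list from the issue; the request paths are constructed samples.
$rights = ['hidden' => 'nathan', 'alsohidden' => 'nathan'];
foreach (['/hidden/', '//hidden/', '/x/..//hidden/page', '/hiddenfoo', '/../hidden'] as $req) {
    $p = normalise_path($req);
    $rules = $p === null ? 'refused' : json_encode(matching_rules($rights, $p));
    printf("%-20s => %s\n", $req, $rules);
}
```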

Undefined index: hash_type

When I load it I'll see "Notice: Undefined index: hash_type in D:\xampp\htdocs\MrFrozen\plugins_pico_users.php on line 28". How to solve this?

Unauthorized pages can be listed by other plugins

For now unauthorized pages are still accessible by other plugins, even if they are removed from $pages.
In Pico 0.x I think I was loading this plugin first to avoid this issue, by underscoring its name.

What would be the correct way to hide these pages from other plugins in Pico 1.x ? A way to modify $pages first ? Maybe @PhrozenByte or @smcdougall ?

Related to #9.
