nliautaud / pico-users
A hierarchical users and rights system plugin for Pico CMS
License: MIT License
Is this plugin still supported?
Does it work with Pico 1.0.6?
I've added it to /plugins/ and added users and rights settings to config.php, but I can still browse all pages.
I'm using the default content, my settings are:
$settings['users'] = array(
    'managers' => array(
        'cristina' => '2cc13a9e718d3d3051ac1f0ba024a2ff77485f4b',
        'paul' => '12dea96fec20593566ab75692c9949596833adc9'
    ),
    'developers' => array(
        'aaron' => '9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684',
        'james' => '12dea96fec20593566ab75692c9949596833adc9'
    )
);
$settings['rights'] = array(
    'sub/index' => 'managers'
);
We already know that users and rights are in the default Pico config file, but since I see there is no API for external apps outside of Pico, the users file at least could be separated. We could use one line per user and implode with \n, to administer them later in the onConfigLoaded function. Maybe we need a specific file-load function. If not, how could I set up the users to be added or removed with an external tool?
pico-users/45-PicoUsers/PicoUsers.php, lines 77 to 88 in 79b8ca9: $previousPage and $nextPage should be changed when pointing to 403.md pages.
Line 179 in 3e20e69: hash() is no password hashing function (at least not as-is)! Even more important: never use a password hash function without salt. Use password_hash() instead.
Unfortunately password_hash() requires >= PHP 5.5. If you still want to support PHP 5.3 and PHP 5.4 (as Pico does), you can use https://github.com/ircmaxell/password_compat. You might want to take a look at how Pico's official admin plugin (still work in progress) takes care of this:
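To make the difference concrete, here is an added example (not code from pico-users, Pico's admin plugin, or password_compat) that checks a login the way an unsalted 40-hex-character digest such as the ones in the config above implies, beside a check built on password_hash()/password_verify(). It assumes PHP 5.5 or newer (or 5.3/5.4 with the password_compat polyfill loaded) and a $users array mapping usernames to stored hashes; the user and password values are constructed for the demonstration.

```php
<?php
// Added example: unsalted digest lookup versus password_hash()/password_verify().
// Assumes PHP >= 5.5, or password_compat on 5.3/5.4. Not pico-users code.

// Weak: a bare sha1 of the password, no salt. Two users with the same
// password get the same digest, and one precomputed table attacks every user.
function weak_check(array $users, $user, $password)
{
    if (!isset($users[$user])) {
        return false;
    }
    return $users[$user] === sha1($password);
}

// Stronger: password_hash() picks a random salt and embeds salt, algorithm
// and cost in the returned string, so the config only needs to keep that string.
function make_hash($password)
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function strong_check(array $users, $user, $password)
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    if (!isset($users[$user])) {
        // Verify against a throwaway hash so an unknown username costs about
        // the same time as a wrong password (no username enumeration by timing).
        password_verify($password, $dummy);
        return false;
    }
    // password_verify() reads the salt and cost from the stored string
    // and compares in constant time.
    return password_verify($password, $users[$user]);
}

// Constructed sample: two users who happen to share a password.
$plain  = array('alice' => 'correct horse', 'bob' => 'correct horse');
$weak   = array_map('sha1', $plain);       // identical digests for alice and bob
$strong = array_map('make_hash', $plain);  // different strings, thanks to the salt

var_dump($weak['alice'] === $weak['bob']);
var_dump($strong['alice'] === $strong['bob']);
var_dump(weak_check($weak, 'alice', 'correct horse'));
var_dump(strong_check($strong, 'alice', 'correct horse'));
var_dump(strong_check($strong, 'alice', 'wrong'));
var_dump(strong_check($strong, 'nobody', 'correct horse'));
```

Running it shows the two sha1 digests comparing equal while the two password_hash() strings differ; both checkers accept alice's real password and reject the wrong one. A config generated with make_hash() can be pasted into the users array in place of the sha1 values, and the stored string should be rehashed when password_needs_rehash() reports that the cost or algorithm has changed.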
Hello.
I have installed pico-users following the readme.md file but I don't have any login form displayed.
Where should I see this login form? Also do I need to create a login.md file for this, and then once logged in I can browse all other pages if I have the right to access them?
What would need to be in this login.md page as code to show the login?
Also I tried to modify my template file themes/picocms-gallery/index.twig by adding this somewhere:
{{ login_form }}
But this would mean that all pages would display the login form, wouldn't it? And it still does not show the login form.
Also do I need to put this in the config.yml file:
PicoUsers: true
I hope you can help.
Custom 403.md pages are shown in navigation; they should be hidden like 404.md.
I get this message when I try to login:
"Warning: Invalid argument supplied for foreach() in /plugins/_pico_users.php on line 175"
Also, I can read a page which I have set to only one specific user.
Best regards.
Session clearing after logout. Currently all session variables remain. My bad, it is there. But as sessions do not expire, they will remain if the user does not log out.
Proper session expiration handling. Currently it works under http, but not under https. Sessions are lost after a couple of seconds, probably some server configuration issue, so the session_id is different and therefore $fp = $this->fingerprint(); returns a different value. It really should handle session expiration by itself.
It was actually my bug. I use php-crud-api with BasicAuth and made some ajax requests against it from the Pico site. But what happens is a session conflict, as PicoUsers sets a PHPSESSID cookie and php-crud-api sets a PHPSESSID cookie and later rewrites it in the browser, and the PicoUsers session gets lost. It works under http, as php-crud-api was defined as https, so for the browser it was a CORS situation, and no cookie was set.
I already made a ticket to php-crud-api and it is already solved: mevdschee/php-crud-api#600
Here also, perhaps you should consider setting a different session_name to avoid session conflicts. It could be hard-coded 'PicoUsers' or come from configuration.
There should be an anon built-in user, so there is a possibility to grant anonymous access to a page in a directory which is restricted.
users:
    editors:
        user1: passhash
rights:
    folder: editors
    folder/public: anon
Or some other way to exclude some page from restrictions.
Checking rights can be bypassed by putting an extra slash in the URL.
Accessing https://example.com/hidden/ prompts for a password as expected. Accessing https://example.com//hidden/ allows immediate access.
My rights look like this:
rights:
hidden: nathan
alsohidden: nathan
This is on a fresh install of Pico CMS and this plugin.
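The double-slash bypass above and the anon request a few issues earlier are both about how a requested path is matched against the rights map. The following added example (not pico-users code) shows one way to do it: canonicalise the path first, so that //hidden/, /hidden/./, percent-encoded slashes and ../ all resolve to the same page id, then let the most specific rule win and treat the pseudo-group anon as public. The rights map and the visitor identities are constructed from the two issues; how Pico itself resolves URLs to page ids is not reproduced here.

```php
<?php
// Added example, not pico-users code: path canonicalisation before the
// rights lookup, plus an 'anon' pseudo-group meaning "no login required".

// Reduce a request path to a canonical page id: no query or fragment,
// percent-decoded, no empty or '.' segments (this collapses '//' and '/./'),
// and '..' resolved against the segments already collected.
function normalize_path($url)
{
    $path = $url;
    foreach (array('?', '#') as $stop) {
        $pos = strpos($path, $stop);
        if ($pos !== false) {
            $path = substr($path, 0, $pos);
        }
    }
    $path = rawurldecode($path);
    $parts = array();
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return implode('/', $parts);
}

// Return the group or user name required for the page, or null when no
// rule covers it. A rule applies to the exact page and to everything below
// it; the longest (most specific) matching rule wins, so 'folder/public'
// overrides 'folder'. Prefix matching is done per segment, so a rule for
// 'hidden' does not accidentally cover a page called 'hiddenx'.
function required_identity(array $rights, $url)
{
    $page = normalize_path($url);
    $best = null;
    $bestLen = -1;
    foreach ($rights as $prefix => $identity) {
        $prefix = normalize_path($prefix);
        $covers = ($page === $prefix)
            || ($prefix === '')
            || (strpos($page, $prefix . '/') === 0);
        if ($covers && strlen($prefix) > $bestLen) {
            $best = $identity;
            $bestLen = strlen($prefix);
        }
    }
    return $best;
}

// $identities is everything the visitor is: their username plus the
// groups they belong to; an anonymous visitor has an empty list.
function allowed(array $rights, array $identities, $url)
{
    $required = required_identity($rights, $url);
    if ($required === null || $required === 'anon') {
        return true;
    }
    return in_array($required, $identities, true);
}

// Constructed rights map combining the two issues.
$rights = array(
    'hidden'        => 'nathan',
    'alsohidden'    => 'nathan',
    'folder'        => 'editors',
    'folder/public' => 'anon',
);

var_dump(allowed($rights, array(), '/hidden/'));              // needs nathan
var_dump(allowed($rights, array(), '//hidden/'));             // same page, same answer
var_dump(allowed($rights, array(), '/hidden%2F..%2Fabout'));  // resolves to 'about'
var_dump(allowed($rights, array(), '/hiddenx'));              // not under 'hidden'
var_dump(allowed($rights, array(), '/folder/secret'));        // needs editors
var_dump(allowed($rights, array(), '/folder/public/page'));   // anon rule wins
var_dump(allowed($rights, array('user1', 'editors'), '/folder/secret'));
var_dump(allowed($rights, array('nathan'), '//hidden/'));
```

Run against the constructed map, the anonymous visitor is refused on both /hidden/ and //hidden/ and admitted to /hiddenx, /about and /folder/public/page; user1, who carries the editors group, gets /folder/secret and nathan gets /hidden/ regardless of how the slashes are written. The key property is that the rights lookup sees the same id that the content loader sees, so the comparison should happen after whatever canonicalisation the CMS applies, never on the raw REQUEST_URI.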
Line 184 in 3e20e69: You should never store the unhashed password in the session; attackers might be able to read session files. Simply store the hashed password instead.
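The session conflict with php-crud-api reported above, the missing expiry, and this comment about what goes into the session all touch the same login state. The added example below (not pico-users code) gives the session its own cookie name, expires it after a period of inactivity, regenerates the id at login, and stores only the username and the stored hash rather than the password, re-checking that hash against the current config on every request so that removing a user's entry ends their session. It assumes a $users array of usernames mapped to password_hash() strings and PHP 5.5 or newer; the idle timeout and cookie name are illustrative.

```php
<?php
// Added example (not pico-users code): dedicated session name, idle
// expiry, and a session that holds the stored hash instead of the password.

define('PICO_SESSION_NAME', 'PicoUsers');   // illustrative; avoids clashing with PHPSESSID
define('PICO_SESSION_IDLE', 1800);          // seconds of inactivity before expiry

function start_user_session()
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    // Cookie lifetime 0 = browser session; HttpOnly always; Secure over TLS.
    session_set_cookie_params(0, '/', '', $https, true);
    session_name(PICO_SESSION_NAME);
    session_start();
}

function logout()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Verify credentials against the config and open a fresh session.
function login(array $users, $user, $password)
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);         // new id on privilege change (anti-fixation)
    $_SESSION['user'] = $user;
    $_SESSION['hash'] = $users[$user];   // the stored hash, never the password
    $_SESSION['seen'] = time();
    return true;
}

// Return the logged-in username, or null when there is no valid session.
function current_user(array $users)
{
    if (empty($_SESSION['user']) || empty($_SESSION['hash']) || empty($_SESSION['seen'])) {
        return null;
    }
    if (time() - $_SESSION['seen'] > PICO_SESSION_IDLE) {
        logout();                        // idle too long: drop everything
        return null;
    }
    $user = $_SESSION['user'];
    // Re-validate against the live config: a deleted user or a changed
    // password invalidates old sessions. hash_equals() avoids a timing leak.
    if (!isset($users[$user]) || !hash_equals($users[$user], $_SESSION['hash'])) {
        logout();
        return null;
    }
    $_SESSION['seen'] = time();          // sliding expiry
    return $user;
}

// Constructed usage: $users would normally come from the plugin config.
start_user_session();
$users = array('alice' => password_hash('correct horse', PASSWORD_DEFAULT));
var_dump(login($users, 'alice', 'wrong'));
var_dump(login($users, 'alice', 'correct horse'));
var_dump(current_user($users));
$users = array();                        // user removed from config
var_dump(current_user($users));
```

With the user present, login() with the right password succeeds and current_user() returns 'alice'; once the entry disappears from $users the next current_user() call logs the session out and returns null. The page fingerprint mentioned in the expiry issue can be stored alongside 'seen' and compared the same way; what must never appear in $_SESSION is the password itself.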
When I load it I'll see "Notice: Undefined index: hash_type in D:\xampp\htdocs\MrFrozen\plugins\_pico_users.php on line 28". How do I solve this?
For now unauthorized pages are still accessible by other plugins, even if they are removed from $pages.
In Pico 0.x I think I was loading this plugin first to avoid this issue, by underscoring its name.
What would be the correct way to hide these pages from other plugins in Pico 1.x? A way to modify $pages first? Maybe @PhrozenByte or @smcdougall?
Related to #9.