Global community items Public but ALL items set as Registered!

8 years 7 months ago
Licenses:
JomSocial Active

ISSUE SUMMARY:
Non registered, non logged-in users (aka Public or Guests) can access All Members page, All Groups category page, and All Events as category displayed pages. Our site is a 100% closed, Member Only, Contains HIPAA mandated Medical Information website and cannot have a single community generated page or piece of content Publicly viewable.

I get and understand your general stance of "Communities are meant to be open and free yadda yadda" but it does not make sense a site admin cannot set Everything to be only viewable as registered and logged in members. Please help and advise on how to restrict these items / pages / user profile avatars w names, see examples below;




In JomSocial support answer here on this post you do not think about and consider people or sites that are private or closed communities, where within the closed community items like Groups or Events can be set to Public, allowing registered users only to see them and the setting of Private means that none of the registered users can join the group unless invited or allowed via join request.

EDIT - Did just find this post in your forums, looks like similar problem, can you please perform modification on our site for Members, Groups, and Events? Then post changes so we can document how to do ourselves whenever our JS gets updated.

STEPS TO REPLICATE:
1. Pretend you are a hacker and scan website or test access to JomSocial's default urls for groups, events, and members.
2. Discover that YES, you can see all these pages
3. Begin using this information (names, usernames, interests, support discussions) to perform social engineering & phishing attacks specifically targeted to these users in the secure patient medical information software industry.
4. Make bank selling said information stolen from an open JomSocial community.

RESULT
People can see information they should not be able to see

EXPECTED RESULT
The CMS joomla with JS component would respect every plugin, module, admin setting, or user setting being on Registered or Special and NOT SHOW ANYTHING TO PUBLIC or Guests.

BROWSER
Any browser, Any OS, any device including scrapers, bots, hackers, unknown etc. etc. etc.

8 years 7 months ago
Licenses:

Hi, Xristoph.

You found my solution regarding pages without menu item IDs - try it, it will also work on your site.

As for displaying All Members page, All Groups category page and All Events pages there are two possible solutions.

1. Creating menu items -> giving own menu item IDs

- Create hidden menu in Joomla - a menu not displayed on your site, not assigned to any menu module
- Then create menu item for All Members page, All Groups category page, and All Events page
(Choose:
community -> All Members
community -> All Groups
community -> All Events)
- set access level for Registered

2. Editing All Members page, All Groups category page, and All Events page templates

- copy files:

ROOT/components/com_community/templates/jomsocial/layouts/people.browse.php
ROOT/components/com_community/templates/jomsocial/layouts/groups/list.php
ROOT/components/com_community/templates/jomsocial/layouts/events/list.php

to:

ROOT/templates/your-template/html/com_community/layouts
ROOT/templates/your-template/html/com_community/layouts/groups
ROOT/templates/your-template/html/com_community/layouts/events

(if you don't have any of those folders, feel free to create them)

- edit files and on beginning of each file (right after "defined('_JEXEC') or die(); ?>") add:

<?php 
$user = JFactory::getUser();
if (!$user->guest) {
?>

- and at the very end of file add:
<?php
} else {
	echo "You don't have access rights";
}
?>

Above code will check if user is a guest and will display file content ONLY if user is a registered member. If your site is multilingual then last part of code should contain JText and language constant instead of hardcoded text.

Result: prntscr.com/842ok8

Code after "else" may contain different text, images or even module position to display login form.

Also you may do even more to make site 101% secure - you may add my above code and wrap <jdoc:include type="component" />. Then if you want to display something to public - use modules...

Please, note that YOU want 100% private site... many other users want to show certain things to the public. There are ways to make site 100% private but adding many privacy settings will make system more and more complicated. From time to time we have complaints that JomSocial is too complex and hard to configure / administer. So you see your own needs - we must see big picture.


- Instead of saying: 'it's not working', explain the problem in detail.
- Screenshots with the URL visible in them and the problem marked are more than welcome.
- Tell us how to replicate the problem, we can't fix it if we can't find it.
- Make sure that your site/server meets JomSocial System Requirements
- Make sure to setup JomSocial Cron Job
- Always provide us with access details to the backend and ftp. We need it to debug problems.
- If you have a similar problem, but a solution you found isn't working, open a new thread instead of 'merging' with an existing one.

- Use the "Thank You" feature on any post that helped you
The following user(s) said Thank You: Xristoph Conrad
8 years 7 months ago
Licenses:
JomSocial Active

Michal,

Thank you for taking the time to provide us with a solution, it's greatly appreciated. Considering I'm technically inept, I'll do my best to implement the necessary code changes to tighten things up. I understand the need for public access and simplicity for the average community... I was just under the impression that JS respected all Joomla's access levels considering it needs the CMS to run from or integrate with. Thus the reason I was kind of shocked to discover the inability for admins to "lock things down" from within the control panel interface.

Either way, we'll get your solution implemented now on v4.0.8 and again on v4.0.10 and then again on v4.1 and so on, so on, and so on. ;- 0 Cheers mate!

8 years 6 months ago
Licenses:
JomSocial Active

Michal,

I finally was able to implement your suggested code changes, which do work for the assigned template. The problem still exists at the core level though, as someone recently pointed out, all they have to do is add "&templateStyle=4" (or similar code to change the template) and everything is wide open still.

Any thoughts on how to seriously lock it down 100% ?

8 years 6 months ago
Licenses:
JomSocial Active

Perhaps something in an htaccess file to prevent viewing of any jomsocial component unless logged in...or setting ALL JomSocial plugins / module to Registered, or ????

8 years 6 months ago
Licenses:

Hi, Xristoph.

No... when you use Joomla! SEF adding &templateStyle=4 to URL won't work (if URL ends with .html)
Also disable all unnecessary templates.

htaccess doesn't have rule for logged in/out as this is Apache file and has no relation with Joomla!

If you have other templates and still want to use them - add overrides to every one of them.


The following user(s) said Thank You: Xristoph Conrad
8 years 6 months ago
Licenses:
JomSocial Active

Okay, I'll enable SEF... hadn't considered that so thank you.

Also, curious if these modifications still apply (will work) on the new release of 4.1

7 years 8 months ago
Licenses:
JomSocial Active

Even if using SEF the ability for non logged in users to view still exists if they add ?templateStyle=21 and the number or ID is actually an installed template not in use. What is the best remedy to protect against this exposure? Just copy the same files mentioned here? Solution for Older JomSocial

Still trying to lock down site from public view and hoping somebody can provide a better and more robust long-term solution to this

7 years 8 months ago
Licenses:

Hi, Xristoph.

You reviewed topic 9 months old :)
Generally this issue is not related with JomSocial but rather with Joomla! so you should post on Joomla! forum.
But still you may try to use 301 redirection in htaccess for certain URL.


7 years 8 months ago
Licenses:
JomSocial Active

I reviewed a 9 month old topic because searching Bing, Yahoo, and Google kept bringing me back to these posts.

I wish it was an actual Joomla issue, it'd be resolved in the next release and not return as a bug. I have a new site with a fresh install of joomla and clean install of JomSocial, have followed the steps outlined in multiple support threads on JomSocial site yet Pen Testers still accessing JomSocial pages, media, etc. etc. etc.

Sorry to bother you, thought maybe somebody would help

7 years 8 months ago
Licenses:

Hi, Xristoph.

No, it's not a problem :) Topics are here to review them any time. But usually they are like mayflies - live very short ;)
The problem is that Joomla! access privileges are based on menu item ID. So pages without menu item ID can be accessed very easily.
This becomes a pain when you want your site to be public in some parts and private in other. Also if anyone is skilled enough and knows Joomla! can easily access any component view just by typing non canonical URL. For example if I'm asked to view site that I know it contains JomSocial then I don't bother to look for menu item which will take me to the community but just type <domain>/index.php?option=com_community and JS is loaded right away without any restrictions :)


301 redirections are good but you can't check for possible URL and list them all in htaccess... just too many of them.

I think that best way will be to add a php condition directly in template that checks if user is logged in and current menu item ID is different than your public pages. This may look like a quite dirty method but works 100% as check is made straight in template in code.

It will look like this:

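<?php
// Current visitor; id 0 means not logged in (guest)
$user = JFactory::getUser();
// True only for a guest whose request carries menu item ID 501
if (($user->id == 0) AND (JRequest::getInt('Itemid') == 501)) {
?>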

template content code

<?php } ?>

501 is my frontpage menu item ID so content will be displayed ONLY if user is not logged in and menu item ID is different than 0. You may combine it with an else statement so login form is displayed for non logged in and content is displayed for logged in members ;)


The following user(s) said Thank You: Xristoph Conrad
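
Added example (not part of the original thread, and not JomSocial or Joomla! project code): the template checks discussed above only run in the template that carries them, whereas a system plugin's `onAfterRoute` event runs on every front-end request before any component or template is chosen. The plugin name `closedcommunity`, the guest allowlist and the Joomla! 3.x API level are assumptions, and the file needs the usual plugin manifest and must be enabled.

```php
<?php
// Added example: plugins/system/closedcommunity/closedcommunity.php
// "closedcommunity" is a hypothetical plugin name; Joomla! 3.x API assumed.
defined('_JEXEC') or die;

class PlgSystemClosedcommunity extends JPlugin
{
    // Components a guest may still reach. com_users must stay reachable,
    // otherwise nobody can log in. (Assumed allowlist; adjust per site.)
    protected $guestAllowed = array('com_users');

    // Fires after the URL is parsed and before any component or template
    // runs, so it also covers index.php?option=com_community and requests
    // carrying a templateStyle parameter.
    public function onAfterRoute()
    {
        $app = JFactory::getApplication();

        // Guard the front end only; the administrator has its own login.
        if (!$app->isSite()) {
            return;
        }

        // Logged-in members pass; component-level privacy still applies.
        if (!JFactory::getUser()->guest) {
            return;
        }

        // After routing, 'option' holds the component that would render.
        $option = $app->input->getCmd('option', '');

        if (in_array($option, $this->guestAllowed, true)) {
            return;
        }

        // Deny by default: send the guest to the login form and return
        // to the requested page after authentication.
        $return = base64_encode(JUri::getInstance()->toString());
        $login  = JRoute::_('index.php?option=com_users&view=login&return=' . $return, false);

        $app->redirect($login);
    }
}
```

Static files that the web server serves directly do not pass through index.php, so this check covers rendered pages and not direct file URLs.
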
7 years 8 months ago
Licenses:
JomSocial Active

Michal,

Thank you for explaining that in more detail, this is great information and exactly what I need. In addition to the PHP code check of logged in user, are there similar methods for htaccess files? Specifically trying to protect the respective media directories associated with JomSocial such as the photos (my-photos?) directory and other directories related to the users profile and profile url path.

I was VERY embarrassed after receiving the results of the first penetration tests. Now that the testers are aware we're using Joomla and JomSocial so they know "what" to try and exploit. I'm wanting to take every precaution I can before 2nd and final pen tests and going live with my community.

Again... thank you VERY much for your assistance securing my closed / private JS community.

7 years 7 months ago
Licenses:
JomSocial Active

Michał,

Just curious if you could help me to identify where to place the PHP mod to prevent non logged-in users from viewing stream comments / status updates from users that choose PUBLIC on the privacy settings.

mydomain.com/index.php?option=com_community&view=profile&userid=123&actid=314

Let's say this user, who is a Super Admin and has their profile privacy (for front-end user) set to "MEMBERS ONLY" updates their status in the community stream and does not change to "SITE MEMBERS" or "ONLY FRIENDS".

What PHP code should I use to block this publicly viewable page? Where would I put it?

7 years 7 months ago
Licenses:

Hi.

As far as I understand you want to hide accidentally or intentionally posted activity as PUBLIC...
Then you don't need to change any code - just set activity stream to members only in Backend -> Components -> JomSocial -> Configuration -> Layout -> Activity stream

I hope this helps ;)


Moderators: Piotr Garasiński