ISSUE SUMMARY:
Non-registered, non-logged-in users (aka Public or Guests) can access the All Members page, All Groups category page, and All Events category pages. Our site is a 100% closed, Members Only, HIPAA-mandated medical information website and cannot have a single community-generated page or piece of content publicly viewable.
I get and understand your general stance of "Communities are meant to be open and free yadda yadda", but it does not make sense that a site admin cannot set everything to be viewable only by registered and logged-in members. Please help and advise on how to restrict these items / pages / user profile avatars with names; see examples below:
In the JomSocial support answer here on this post, you do not think about and consider people or sites that are private or closed communities, where within the closed community items like Groups or Events can be set to Public, allowing only registered users to see them, and the setting of Private means that none of the registered users can join the group unless invited or allowed via join request.
EDIT - Did just find this post in your forums, which looks like a similar problem; can you please perform the modification on our site for Members, Groups, and Events? Then post the changes so we can document how to do it ourselves whenever our JS gets updated.
STEPS TO REPLICATE:
1. Pretend you are a hacker and scan website or test access to JomSocial's default urls for groups, events, and members.
2. Discover that YES, you can see all these pages
3. Begin using this information (names, usernames, interests, support discussions) to perform social engineering & phishing attacks specifically targeted to these users in the secure patient medical information software industry.
4. Make bank selling said information stolen from an open JomSocial community.
RESULT
People can see information they should not be able to see
EXPECTED RESULT
The CMS joomla with JS component would respect every plugin, module, admin setting, or user setting being on Registered or Special and NOT SHOW ANYTHING TO PUBLIC or Guests.
BROWSER
Any browser, any OS, any device including scrapers, bots, hackers, unknown etc. etc. etc.
Hi, Xristoph.
You found my solution regarding pages without menu item IDs - try it, it will also work on your site.
As for displaying All Members page, All Groups category page and All Events pages there are two possible solutions.
1. Creating menu items -> giving own menu item IDs
- Create hidden menu in Joomla - a menu not displayed on your site, not assigned to any menu module
- Then create menu item for All Members page, All Groups category page, and All Events page
(Choose:
community -> All Members
community -> All Groups
community -> All Events)
- set access level for Registered
2. Editing All Members page, All Groups category page, and All Events page templates
- copy files:
ROOT/components/com_community/templates/jomsocial/layouts/people.browse.php
ROOT/components/com_community/templates/jomsocial/layouts/groups/list.php
ROOT/components/com_community/templates/jomsocial/layouts/events/list.php
to:
ROOT/templates/your-template/html/com_community/layouts
ROOT/templates/your-template/html/com_community/layouts/groups
ROOT/templates/your-template/html/com_community/layouts/events
(if you don't have any of those folders, feel free to create them)
- edit the files and at the beginning of each file (right after "defined('_JEXEC') or die(); ?>") add the opening block, and at the very end of the file add the closing block:
<?php
// Only render the layout for logged-in users; guests see the message instead.
$user = JFactory::getUser();
if (!$user->guest) {
?>
<!-- the file's original layout markup stays here, between the two PHP blocks -->
<?php
} else {
    echo "You don't have access rights";
}
?>
Michal,
Thank you for taking the time to provide us with a solution, it's greatly appreciated. Considering I'm technically inept, I'll do my best to implement the necessary code changes to tighten things up. I understand the need for public access and simplicity for the average community... I was just under the impression that JS respected all of Joomla's access levels, considering it needs the CMS to run from or integrate with. Thus the reason I was kind of shocked to discover the inability for admins to "lock things down" from within the control panel interface.
Either way, we'll get your solution implemented now on v4.0.8 and again on v4.0.10 and then again on v4.1 and so on, so on, and so on. ;- 0 Cheers mate!
Michal,
I finally was able to implement your suggested code changes, which do work for the assigned template. The problem still exists at the core level though, as someone recently pointed out, all they have to do is add "&templateStyle=4" (or similar code to change the template) and everything is wide open still.
Any thoughts on how to seriously lock it down 100% ?
Perhaps something in an htaccess file to prevent viewing of any jomsocial component unless logged in...or setting ALL JomSocial plugins / module to Registered, or ????
Hi, Xristoph.
No... when you use Joomla! SEF, adding &templateStyle=4 to the URL won't work (if the URL ends with .html).
Also disable all unnecessary templates.
htaccess doesn't have a rule for logged in/out, as this is an Apache file and has no relation to Joomla!
If you have other templates and still want to use them - add overrides to every one of them.
Okay, I'll enable SEF... hadn't considered that so thank you.
Also, curious if these modifications still apply (will work) on the new release of 4.1
Even if using SEF the ability for non logged in users to view still exists if they add ?templateStyle=21 and the number or ID is actually an installed template not in use. What is the best remedy to protect against this exposure? Just copy the same files mentioned here?
Solution for Older JomSocial
Still trying to lock down site from public view and hoping somebody can provide a better and more robust long-term solution to this
Hi, Xristoph.
You reviewed a 9-month-old topic :)
Generally this issue is not related to JomSocial but rather to Joomla!, so you should post on the Joomla! forum.
But still, you may try to use a 301 redirection in htaccess for certain URLs.
I reviewed a 9-month-old topic because searching Bing, Yahoo, and Google kept bringing me back to these posts.
I wish it was an actual Joomla issue; it'd be resolved in the next release and not return as a bug. I have a new site with a fresh install of Joomla and a clean install of JomSocial, have followed the steps outlined in multiple support threads on the JomSocial site, yet pen testers are still accessing JomSocial pages, media, etc. etc. etc.
Sorry to bother you, thought maybe somebody would help
Hi, Xristoph.
No, it's not a problem :) Topics are here to be reviewed any time. But usually they are like mayflies - they live very short ;)
The problem is that Joomla! access privileges are based on the menu item ID. So pages without a menu item ID can be accessed very easily.
This becomes a pain when you want your site to be public in some parts and private in others. Also, anyone who is skilled enough and knows Joomla! can easily access any component view just by typing a non-canonical URL. For example, if I'm asked to view a site that I know contains JomSocial, then I don't bother to look for the menu item which will take me to the community but just type <domain>/index.php?option=com_community and JS is loaded right away without any restrictions :)
301 redirections are good, but you can't check for every possible URL and list them all in htaccess... just too many of them.
I think the best way will be to add a PHP condition directly in the template that checks if the user is logged in and the current menu item ID is different from your public pages. This may look like a quite dirty method but works 100%, as the check is made straight in the template code.
It will look like this:
<?php
$user = JFactory::getUser();
// Render the page for logged-in users, or for guests only when the requested
// menu item is one of the public pages (501 is the example public Itemid here).
if (($user->id != 0) || (JRequest::getInt('Itemid') == 501)) {
?>
template content code
<?php } ?>
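A fuller version of the template-level gate described in the two answers above, written as an added example and not code from the thread or from JomSocial: it allows a list of public menu item IDs instead of a single one, lets com_users through so the login page itself stays reachable, and sends every other guest request (including com_community reached with no Itemid or via a ?templateStyle=N switch) to the login page. The menu item IDs, the placement at the top of each installed template's index.php, and the standard Joomla 2.5/3.x API calls (JFactory, JRoute, JUri) are assumptions.

```php
<?php
// Added example, not from the thread. Place right after the _JEXEC guard at the
// top of templates/<every-installed-template>/index.php, so switching templates
// with ?templateStyle=N does not bypass the check.

$app  = JFactory::getApplication();
$user = JFactory::getUser();

// Menu item IDs that guests MAY see (home, login, registration, legal pages).
// Hypothetical values: read the real ones from Menus -> Menu Items.
$publicItemIds = array(101, 102, 103);

$itemId = $app->input->getInt('Itemid', 0);   // 0 when the URL carries no Itemid
$option = $app->input->getCmd('option', '');  // e.g. com_community, com_users

// Rules:
//  - logged-in users always pass;
//  - guests pass only on an allow-listed menu item or on com_users
//    (login / registration / password reset must stay reachable);
//  - every other guest request is redirected to the login page, keeping the
//    originally requested URL so the user lands there after logging in.
$guestAllowed = in_array($itemId, $publicItemIds, true);
$isUsersView  = ($option === 'com_users');

if ($user->guest && !$guestAllowed && !$isUsersView) {
    $return = base64_encode(JUri::getInstance()->toString());
    $app->enqueueMessage('Please log in to view this page.', 'warning');
    $app->redirect(
        JRoute::_('index.php?option=com_users&view=login&return=' . $return, false)
    );
}
?>
<!-- the template's normal markup continues below -->
```

Because the check runs inside the template rather than on a menu item, a guest request for index.php?option=com_community&view=profile&userid=123 is redirected even though that URL has no Itemid at all.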
Michal,
Thank you for explaining that in more detail; this is great information and exactly what I need. In addition to the PHP code check of the logged-in user, are there similar methods for htaccess files? Specifically I'm trying to protect the respective media directories associated with JomSocial, such as the photos (my-photos?) directory and other directories related to the user's profile and profile URL path.
I was VERY embarrassed after receiving the results of the first penetration tests. Now the testers are aware we're using Joomla and JomSocial, so they know "what" to try and exploit. I'm wanting to take every precaution I can before the 2nd and final pen tests and going live with my community.
Again... thank you VERY much for your assistance securing my closed / private JS community.
Michał,
Just curious if you could help me to identify where to place the PHP mod to prevent non logged-in users from viewing stream comments / status updates from users that choose PUBLIC on the privacy settings.
mydomain.com/index.php?option=com_community&view=profile&userid=123&actid=314
Let's say this user, who is a Super Admin and has their profile privacy (for front-end user) set to "MEMBERS ONLY" updates their status in the community stream and does not change to "SITE MEMBERS" or "ONLY FRIENDS".
What PHP code should I use to block this publicly viewable page? Where would I put it?
Hi.
As far as I understand, you want to hide activity accidentally or intentionally posted as PUBLIC...
Then you don't need to change any code - just set the activity stream to members only in Backend -> Components -> JomSocial -> Configuration -> Layout -> Activity stream
I hope this helps ;)