Hi! Does anyone know if there's a way using new_rewrite to stop other users figuring out that they can modify the URL and then browse another user's personal folder?

I know it's possible to create in the 'templates' folder a .htaccess file that gets copied into a user's folder which populates the user's login from <!--LOGIN-->, but is it possible to do it without using a basic .htaccess that pops up a username and password box?

I'm guessing that the user's login name is stored in the cookie and that it might be possible to get it out and write it into a similar .htaccess file to this:

    ########### AMEMBER START #####################
    Options +FollowSymLinks
    RewriteEngine On

    ## allow access for product #67
    RewriteCond %{HTTP_COOKIE} amember_nr=([a-zA-Z0-9]+)
    RewriteCond /home/www/members/data/new_rewrite/%1-67 -f
    RewriteRule ^(.*)$ - [L]

    ## if user is not authorized, redirect to login page
    # BrowserMatch "MSIE" force-no-vary
    RewriteCond %{QUERY_STRING} (.+)
    RewriteRule ^(.*)$ http://www.URL.com/installfolder/plugins/protect/new_rewrite/login.php?v=-67&url=%{REQUEST_URI}?%{QUERY_STRING} [L,R]
    RewriteRule ^(.*)$ http://www.URL.com/installfolder/plugins/protect/new_rewrite/login.php?v=-67&url=%{REQUEST_URI} [L,R]
    ########### AMEMBER FINISH ####################

Obviously this file works for product 67 rather than a user's login. It would be great if someone knows how to change it so it looks for a user's login rather than a product.

Many Thanks

This can't be done using new_rewrite by default (modification will be required). What kind of content do you have in personal folders? If PHP, you can check the user's login from a PHP script. For example, create a template for all users and include it from your PHP pages:

Code:

    <?php
    // Resume the current session so the logged-in user's data is available
    session_start();
    // <!--LOGIN--> is filled in with the folder owner's login when the template is copied
    if ($_SESSION['_amember_user']['login'] != '<!--LOGIN-->') {
        print "Access not allowed";
        exit;
    }
    ?>

I have all different types of content (.php .htm .txt .jpg etc). So I have modified /plugins/protect/new_rewrite/new_rewrite.inc.php to write the login name to the session cookie files in /data/new_rewrite by adding a new bit of code immediately under this:

    //existing code
    if ($_SESSION['_amember_product_ids']) { // if user is active
        // marker file named after the cookie value
        $file_to_create = preg_replace('/\W+/', '', $cookie);
        $f = fopen("$config[root_dir]/data/new_rewrite/$file_to_create", 'w');
        if (!$f) fatal_error("Cannot create session file: $file_to_create<br /> Please chmod folder amember/data/new_rewrite/ to 777");
        fclose($f);
    }
    //new code
    { // get user name
        $rad = $_SESSION['_amember_login'];
        // second marker file named "<cookie>-<login>"
        $file_to_create = preg_replace('/\W+/', '', $cookie) . '-' . $rad;
        $f = fopen("$config[root_dir]/data/new_rewrite/$file_to_create", 'w');
        if (!$f) fatal_error("Cannot create session file: $file_to_create<br /> Please chmod folder amember/data/new_rewrite/ to 777");
        fclose($f);
    }

Then I modified the .htaccess file in my templates folder to this:

    ########### AMEMBER START #####################
    Options +FollowSymLinks
    RewriteEngine On

    ## allow access for user
    RewriteCond %{HTTP_COOKIE} amember_nr=([a-zA-Z0-9]+)
    RewriteCond /path to amemberpro/data/new_rewrite/%1-<!--LOGIN--> -f
    RewriteRule ^(.*)$ - [L]

    ## if user is not authorized, redirect to login page
    # BrowserMatch "MSIE" force-no-vary
    RewriteCond %{QUERY_STRING} (.+)
    RewriteRule ^(.*)$ http://www.url.com/path/plugins/protect/new_rewrite/login.php?v=-<!--LOGIN-->&url=%{REQUEST_URI}?%{QUERY_STRING} [L,R]
    RewriteRule ^(.*)$ http://www.url.com/path/plugins/protect/new_rewrite/login.php?v=-<!--LOGIN-->&url=%{REQUEST_URI} [L,R]
    ########### AMEMBER FINISH ####################

It appears to work well, and the users' folders are now only accessible by the user who is logged in.
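
The marker-file check described in the post above, as an added PHP example that is not part of the original thread or of aMember's own code: it builds the `<cookie>-<login>` file name only from validated parts and mirrors the `-f` test for a given folder owner. The function names, the sample cookies and logins, and the assumption that logins contain only letters, digits and underscores are hypothetical.

```php
<?php
// Added illustration of the marker-file scheme; names are hypothetical, not aMember's API.

/** Build "<cookie>-<login>", or return null if either part is unsafe. */
function marker_name(string $cookie, string $login): ?string
{
    // The RewriteCond in the thread captures only [a-zA-Z0-9]+ from the cookie.
    if (!preg_match('/^[a-zA-Z0-9]+\z/', $cookie)) {
        return null;
    }
    // Assumption: logins use letters, digits and underscore only. Rejecting
    // anything else keeps "/" and ".." out of the file name.
    if (!preg_match('/^[A-Za-z0-9_]+\z/', $login)) {
        return null;
    }
    return $cookie . '-' . $login;
}

/** Create the marker at login time; false means nothing was written. */
function write_marker(string $dir, string $cookie, string $login): bool
{
    $name = marker_name($cookie, $login);
    return $name !== null && touch("$dir/$name");
}

/** Same test as "RewriteCond <dir>/%1-<login> -f" for one folder owner. */
function may_enter(string $dir, string $cookie, string $folderOwner): bool
{
    $name = marker_name($cookie, $folderOwner);
    return $name !== null && is_file("$dir/$name");
}

// Constructed sample data: two sessions in a throwaway directory.
$dir = sys_get_temp_dir() . '/new_rewrite_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
write_marker($dir, 'abc123', 'alice');
write_marker($dir, 'def456', 'bob');

var_dump(may_enter($dir, 'abc123', 'alice'));     // own folder
var_dump(may_enter($dir, 'abc123', 'bob'));       // alice's cookie, bob's folder
var_dump(may_enter($dir, 'abc123', '../alice'));  // traversal in the login part
var_dump(write_marker($dir, 'abc123', ''));       // empty login

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```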