Security on Admin area

Anonymous
2011-03-15
2013-03-27
  • Anonymous - 2011-03-15

    Hey - love everything about the app.

    I'm guessing I should know this, but I don't. Right now, when anyone logs in, it gives them the link to the admin area. Should this happen, or did I do something wrong?

    Also - how should I go about locking down the admin area?

     
  • John Holder

    John Holder - 2011-03-15

    Read up on .htaccess (assuming you are using Apache)
    http://webdesign.about.com/od/htaccess/ht/hthtaccess.htm

    You want to set it up so that dir can only be entered if you have the htaccess username and password (which are unrelated to anything in the tourney app)

    Someday, we may have real authentication.

     
  • George Westrup

    George Westrup - 2011-03-15

    It should not give to everyone. Only when logged in as admin. Lock the admin folder by protecting it in .htaccess

    You can do this in your cpanel.
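
A minimal version of the .htaccess protection recommended in the replies above, as an added example that is not part of the original posts or the project's code. The file path, user name and realm name are placeholders. The password applies to every request under admin/, whether or not the sidebar link is shown.

```apache
# admin/.htaccess  (added example; path, user and realm are placeholders)
#
# Create the password file outside the web root so it can never be served:
#   htpasswd -c /home/youruser/.htpasswd-tourney admin
# (-c creates the file; leave it off when adding more users later)
#
# The main server config must let this directory set auth directives:
#   AllowOverride AuthConfig

AuthType Basic
AuthName "Tourney admin"
AuthUserFile /home/youruser/.htpasswd-tourney
Require valid-user

# Basic auth sends the password base64-encoded, not encrypted.
# If the site has TLS, uncomment the next line (mod_ssl) so the
# admin area is refused over plain HTTP:
# SSLRequireSSL
```

To check it, request admin/index.php in a fresh browser session with no cookies: the server should answer 401 and prompt for the htpasswd credentials before any page content is returned.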

     
  • John Holder

    John Holder - 2011-03-15

    Also, I don't know why they are getting an admin link.  It should only show the link if the email address (login name) they enter matches the email address of the admin on the main configure page… (i.e., if you look in phpmyadmin at the database table 'meta' and browse it, the email column there is what should be set to the admin's email address.)

     
  • John Holder

    John Holder - 2011-03-15

    If you can't easily resolve this, here is a workaround, although I don't believe I'm having trouble with this at all.

    You can delete these lines from sidebar.php: (lines 85-87):
    if (isset($_SESSION) && $_SESSION == true)
    {
    echo '<a href="admin/index.php"></a> ';
    }
    Also, in login.php to be complete, remove lines 12 and 13:
    $_SESSION = true;
    header("Location: admin/index.php");

     
  • Anonymous - 2011-03-15

    a) I'm an idiot. Working with IIS has dumbed me down. Got it working within seconds of doing a little research.

    b) I think the issue is I have a stored cookie with my user access. Once you are in, even if you login with a different userID/PW - you can still get in. I cleared all my cookies/history and logged in with another account and the link never showed up.

    I'm all set. I really appreciate this code - will make my life (and email inbox) a lot simpler.

    One last dumb question - is there a way for users to go back and see/print their bracket after it has been submitted?

     
  • Rob J

    Rob J - 2011-03-15

    Re dumb question: not until the tournament starts. When it starts, then they will be able to see any bracket. We have no account system, that's why you can't do this. Thus, users should print out their bracket once they submit. The bracket should pop up when they submit.

    The Drupal module would be the way to do this since Drupal supports accounts. That's not complete, though, and is probably too late to worry about this year.

     
  • Anonymous - 2011-03-15

    Agree on it being too late.

    If you guys want help with new features after tourney is over I'd be glad to help. I built an Excel app that did basically the same thing as your site does, but I concentrated solely on UI. I'm excited to see what features you have built in that I never thought of. If my users complain about features not existing anymore, I'll post them and maybe offer to contribute to them here. (if you want help)

     
  • John Holder

    John Holder - 2011-03-15

    "is there a way for users to go back and see/print their bracket after it has been submitted?"

    Only after the bracket submission is closed (by you clicking on "Close Bracket Submission" in the admin area)

     
  • George Westrup

    George Westrup - 2011-03-17

    I have a password-protected version of the script I am tweaking. Just started on it today so it will not be ready for this year but it will be for next year.

     
