Securing elgg

How can I secure my copy of elgg so that non-members cannot see any page other than the main page? I want a totally secure site where only members can observe any portion of it.

  • The Walled Garden plugin is designed just for that.  IIRC there's also a 3rd party plugin called "Higher Walls" that locks the site down even more.

  • The problem I have with Walled Garden is that when it's active, I get a double image on the main page when logged out. I've tried removing some other plugins to see if one of them is the problem but I haven't found anything yet that seems to be the cause.

  • It's not 100% foolproof (could be attacked), but on the main page, some php code checks if a title has been set.  If it has, then it calls gatekeeper.  All pages except the login page have extended titles.

  • Thanks for the info, but I don't see how I can use it. Can I change that code? What does an extended title have to do with my problem? Not trying to be difficult here, but I don't see what you have offered has done anything to solve my problem.

  • in pageshell.php at the very top, I added this:

            if (!empty($vars['title']))
              gatekeeper();

    I added it just underneath header(...).  This will force a user to the login page if there is no title set (like the tab title in the browser window or window title).  Because all pages have titles, every page will redirect to the login page if a user isn't logged in.  The exception is the login page.  It will continually reload the login page if you don't check for something.  Because I am checking the title, this is not a problem.

    This file for you is probably located in elgg/views/default/pageshells/pageshell.php unless there are theme mods, then it would be somewhere else.

  • Brandt,

    I appreciate the help here. Unfortunately, it doesn't seem to work in my case. I added the lines you suggested here -

    // Set the content type
    header("Content-type: text/html; charset=UTF-8");
    if (!empty($vars['title']))
              gatekeeper();

    // Set title

    with no apparent help. I still get a duplicate page view of the main page when not logged in. You can see it in action here -

    http://www.sunwestnet.org

  • Do you have the other plugin disabled?

     

    I've had this problem before.  It happens when gatekeeper is trying to redirect you to login, but login runs gatekeeper again.  In my case, the login page is a separate page from the dashboard.  Do you have your login in the dashboard?  I think that that is atypical.  This is why the plugin isn't working for you (I think).  Because the same page that is redirecting to log in, is also the login page.

    You also are using titles differently, but it depends on how the title is set in pageshell.php.  In my example, the title gets added after I check, so I can check for an empty title, but I don't think this is the same with your site.

    There is probably a workaround for you, but it wouldn't be as easy.  You probably wouldn't be having issues if your login page was separate.  I'm not sure if the Walled Garden plugin depends on that or not.
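
A minimal model of the loop described in the post above, added here as an illustration and not code from the thread or from Elgg: the gate functions, the paths and the allow-list are all hypothetical. It contrasts a gate applied to every page, login page included, with a default-deny gate that exempts an explicit list of public paths.

```php
<?php
// Constructed model of the redirect loop; none of these names are Elgg APIs.
const LOGIN_PATH = '/login';
// Hypothetical allow-list: the main page and what an anonymous visitor needs to log in.
const PUBLIC_PATHS = ['/', '/login', '/action/login'];

/** Gate that protects every page, including the login page itself. */
function gate_everything(string $path, bool $loggedIn): ?string
{
    return $loggedIn ? null : LOGIN_PATH;   // null = serve the page, string = redirect
}

/** Default-deny gate: anything not explicitly listed as public requires a session. */
function gate_with_allow_list(string $path, bool $loggedIn): ?string
{
    if ($loggedIn || in_array($path, PUBLIC_PATHS, true)) {
        return null;
    }
    return LOGIN_PATH;
}

/** Follow redirects the way a browser would, giving up after $maxHops. */
function follow(callable $gate, string $path, bool $loggedIn, int $maxHops = 5): string
{
    for ($hop = 0; $hop < $maxHops; $hop++) {
        $target = $gate($path, $loggedIn);
        if ($target === null) {
            return "200 $path after $hop redirect(s)";
        }
        $path = $target;
    }
    return "redirect loop: still bouncing to $path after $maxHops hops";
}

// Constructed sample requests from a visitor who is not logged in.
foreach (['/dashboard', '/profile/alice', '/login', '/'] as $path) {
    echo str_pad($path, 16), ' everything: ', follow('gate_everything', $path, false), PHP_EOL;
    echo str_pad($path, 16), ' allow-list: ', follow('gate_with_allow_list', $path, false), PHP_EOL;
}
```

Keying the exemption on the request path rather than on whether a title happens to be set means a page added later is protected unless someone deliberately lists it as public.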

  • How do I determine if the login is in the Dashboard? I don't think I changed it in any way from the way the install program set it up. I've added a few plugins from elgg-dev, could something there have affected my setup?

    Here's the index.php from the dashboard folder -

    -----------------------------------------------------

    // Get the Elgg engine
    require_once(dirname(dirname(__FILE__)) . "/engine/start.php");

    // Ensure that only logged-in users can see this page
    gatekeeper();

    // Set context and title
    set_context('dashboard');
    set_page_owner(get_loggedin_userid());
    $title = elgg_echo('dashboard');

    // wrap intro message in a div
    $intro_message = elgg_view('dashboard/blurb');

    // Try and get the user from the username and set the page body accordingly
    $body = elgg_view_layout('widgets',"","",$intro_message);

    page_draw($title, $body);

    ---------------------------------------------------------------------

    You say I'm using titles differently. Again I haven't changed anything from the original setup that I am aware of.

  • Sorry, I realized mine is the different one.  We used the river dashboard mod to post updates on the dashboard.

    That probably is your login page.  Where does it normally go after logging in?  I have to get going.  But I'll check back here on Monday.  Sorry I couldn't help you right away.

  • The login page opens up to the dashboard page.  Thanks for your help.

    It now looks like the problem may lie with the elgg-dev mainpage plugin. I'll do some more research on that.