RSS Import Cron URL for God Users Only

[mt2009]

Hi Guys,

How To block public access to my module.php?

Just by pointing to this adress on the url bar http://www.domain.com/module.php?module=rss_import_do_import everyone can run the import module even if we aren't logged in.

I think It's not a security problem but everyone can make our server uses high resources by using public cron service to run this url every 15 seconds..

So is there any solution to make this only accessible by localhost?


Thanks

[Yankidank]

Ok, your title was not a very good description so I am going to change that for you to make it describe your issue a little better. I also moved it to the proper forum.

If you want to block access to the RSS import cron page so that only a logged in users can view the page here are some instructions. But first I warn everyone that by doing this you will not be able to set up a cronjob script to automatically run the import script for you since it will need to be authenticated for it to work after this change.

Open: /modules/rss_import/rss_import_main.php

Find:

Code:

        // breadcrumbs and page title
        $navwhere['text1'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel');
        $navwhere['link1'] = getmyurl('admin', '');
        $navwhere['text2'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_RSSImport');
        $navwhere['link2'] = my_pligg_base . '/module.php?module=rss_import';
        $navwhere['text3'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_RSSImport_Feeds');
        $main_smarty->assign('navbar_where', $navwhere);
        $main_smarty->assign('posttitle', ' / ' . $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_RSSImport'));
        
        // show the template
        if ($insideTpl == true){
        $main_smarty->assign('tpl_center', rss_import_tpl_path . 'import_fields_center');
        $main_smarty->display($template_dir . '/admin/admin.tpl');    
        } else {
            $main_smarty->display(rss_import_tpl_path_2 . 'import_fields_center.tpl');        
        }

Replace with:

Code:

        force_authentication();
        $canIhaveAccess = 0;
        $canIhaveAccess = $canIhaveAccess + checklevel('god');
        if($canIhaveAccess == 1)
        {    
            // breadcrumbs and page title
            $navwhere['text1'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel');
            $navwhere['link1'] = getmyurl('admin', '');
            $navwhere['text2'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_RSSImport');
            $navwhere['link2'] = my_pligg_base . '/module.php?module=rss_import';
            $navwhere['text3'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_RSSImport_Feeds');
            $main_smarty->assign('navbar_where', $navwhere);
            $main_smarty->assign('posttitle', ' / ' . $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_RSSImport'));
            
            // show the template
            if ($insideTpl == true){
            $main_smarty->assign('tpl_center', rss_import_tpl_path . 'import_fields_center');
            $main_smarty->display($template_dir . '/admin/admin.tpl');    
            } else {
                $main_smarty->display(rss_import_tpl_path_2 . 'import_fields_center.tpl');        
            }
        }

[mt2009]

Hi Yankidank,

Thanks for your response...

BTW, is there no other way so the import.php/module.php can only be accessed by localhost? because i want to automate it using cron..

if i add these line in my htaccess, module.php can only be accesed by localhost others can't access it:

Code:

<Files ~ "module.php">
   Order allow,deny
   Deny from All
</Files>

but will it cause a problem for overall pligg script?


Thanks

[Yankidank]

I believe that would break most modules so normal users couldn't use modules.

[mt2009]

Hi Yankidank,

How about i change all the "override" url parameter to someting like "xdwaover" in import_fields_center.tpl
and delete the "run anyway" text & link so public don't know the link.

can this cause a problem for overall script too?

Thanks

[Yankidank]

Not sure if you are using the right part of the code, but that idea would probably work fine.

[BillyC]

edit: nvm, found the answer. sorry!