Security problems with drupal
berserk - May 16, 2007 - 13:18
Hello,
I am using Drupal 4.7.6 and Apache 2.2. Some of the contents I published contains an <iframe> to an .html page. This works good, but I have problems with security settings. For example, this is the address of my cms:
http://myhost/cms
This is a content:
This node basically contains "<iframe src=mypage.html>"
The problem is that I can visit "http://myhost/cms/mypage.html" inserting this path into the browser, without any need to log in into drupal. I want that if an anonymous user tries to access to mypage.html, he is redirected to http://myhost/cms for logging in.
Anyone has any ideas how to perform this? Is this to be achieved with Apache settings, or with Drupal settings? Or both?
Thanks a lot!
Misunderstanding
There are a few misconceptions in your post. Let's address them one at a time.
1) This is not a security issue as the term is generaly used; it is related to access control.
2) Your Apache server will always return files that are present without invoking Drupal. Drupal (like WordPress and other PHP based CMS systems) acts as a giant 404 handler. If you look in the .htaccess file that ships with Drupal you will see that if Apache cannot find the URI requested, it passes the request to Drupal's index.php file.
3) To apply Drupal's login system and access control, your external HTML pages should be published inside of Drupal rather than redirected from Drupal. Use the default node type "page" and set the Input format to "Full HTML" and then paste in your old code.
I also think parts of your details are missing. Use
<code>tags to insert code into your posts.--
http://ken.blufftontoday.com/
http://new.savannahnow.com/user/2
Search first, ask good questions later.
Yes, some parts have been
Yes, some parts have been removed from my post, however:
1) Yes, I think you are right.
2) That is true, but it is different. I am not interested in a page that doesn't exist. I am interested in the .html pages that exist, and cannot be accessed outside drupal. But I don't know how to achieve this goal...
3) I have already considered publishing the pages inside drupal. Unluckly, I have an authomatic program that every day generates different pages, and so I cannot insert them every time by hand.
I wish Apache would check if the drupal session is active. If it is not the case, he should redirect every page to the log-in...is such a thing possible?
I think so
I'm not sure that Apache can check the session. Can you modify the output script that generates the pages?
I've done something similar by having files output as .php files and inserting a .php include at the top of each that runs the access check. If it fails, users are directed to login.
You could also modify the output script to write data files to the server and then write an importer that converts them into Drupal pages.
--
http://ken.blufftontoday.com/
http://new.savannahnow.com/user/2
Search first, ask good questions later.
Protecting html pages within drupal
I can try to insert a php code at the beginning of my .html pages, but how can I check in php if a user is logged into drupal ?!?
Furthermore, I have tried some modules (Import HTML, wgHTML) but none of them works good.