GetSimple Support Forum
Password Protect Plugin for GS - Printable Version


Password Protect Plugin for GS - HelgeSverre - 2016-03-13

Password Protect
Password Protect lets GetSimple CMS users assign a password to their pages; a user can enter a password to gain access to the page.

A very simple plugin to use, and ideal for webmasters who need a quick and simple way to password-restrict a page.

Screenshots

Page edit form
[Image: screenshot1.png]

Frontend view password prompt
[Image: screenshot2.png]

Download
Extend
GitHub


RE: Password Protect Plugin for GS - Charpy1 - 2016-03-13

Great idea!

I did a French lang file (http://get-simple.info/extend/plugin-language/french-language-for-password-protect-plugin/1023/ ), you may include it if you want.

Hmmm.. You are saving the password in clear text, aren't you?


RE: Password Protect Plugin for GS - Bigin - 2016-03-14

You should never keep unhashed passwords in database/files

instead of
Code:
$note->addCData($password);

at very least use:
Code:
$xml->addChild('password', sha1($password.$a_random_salt));
$xml->addChild('salt', $a_random_salt);

addCData not required in this case.

Or even better, use PHP function specially intended for that:
http://php.net/manual/en/function.password-hash.php

regards
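
The password_hash() approach linked in the post above, as an added example that is not part of the original post or of the plugin's code. The `password` element name follows the snippet in the post; the function names and the sample page record are constructed for illustration, and the code assumes PHP 5.5 or later.

```php
<?php
// Added example: hypothetical helpers, not the plugin's own functions.
// password_hash()/password_verify() require PHP 5.5 or later.

// Store a salted, slow hash of the page password instead of the cleartext.
function set_page_password(SimpleXMLElement $page, $password)
{
    // PASSWORD_DEFAULT generates a random salt and embeds it, together with
    // the algorithm and cost, in the returned string, so no <salt> node is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    unset($page->password);              // drop any previous value
    $page->addChild('password', $hash);
}

// Return true only when the visitor's input matches the stored hash.
function check_page_password(SimpleXMLElement $page, $candidate)
{
    $stored = (string) $page->password;
    if ($stored === '') {
        return false;                    // no password set on this page
    }
    if (!password_verify($candidate, $stored)) {
        return false;
    }
    // Re-hash transparently when the default algorithm or cost has changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        set_page_password($page, $candidate);
    }
    return true;
}

// Constructed sample page record.
$page = new SimpleXMLElement('<item><title>Members</title></item>');
set_page_password($page, 'correct horse');

// Check one matching and one non-matching candidate, then show the record.
var_dump(check_page_password($page, 'correct horse'));
var_dump(check_page_password($page, 'wrong guess'));
echo $page->asXML(), "\n";
```

With this storage the password can no longer be shown back in the page edit form; the admin can only set a new one.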


RE: Password Protect Plugin for GS - HelgeSverre - 2016-03-14

(2016-03-14, 00:36:43)Bigin Wrote: You should never keep unhashed passwords in database/files

instead of
Code:
$note->addCData($password);

at very least use:
Code:
$xml->addChild('password', sha1($password.$a_random_salt));
$xml->addChild('salt', $a_random_salt);

addCData not required in this case.

Or even better, use PHP function specially intended for that:
http://php.net/manual/en/function.password-hash.php

regards


Yes, in ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:
  • The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
  • It is only viewable to admins.
  • If someone gains access to your server (ftp, ssh or otherwise) you have bigger problems than a plaintext password-protected page.
  • The password is specific to only the page it is applied on, knowing this password does not give you any further privileges into the system.
However, feel free to come up with an alternative solution.

(2016-03-13, 23:31:18)Charpy1 Wrote: Great idea!

I did a French lang file (http://get-simple.info/extend/plugin-language/french-language-for-password-protect-plugin/1023/ ), you may include it if you want.

Hmmm.. You are saving the password in clear text, aren't you?

Thanks!
I have included the translation in GitHub, will put it out into extend soon.


RE: Password Protect Plugin for GS - Bigin - 2016-03-14

(2016-03-14, 04:53:44)HelgeSverre Wrote: Yes, in ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:
  • The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
  • It is only viewable to admins.
  • If someone gains access to your server (ftp, ssh or otherwise) you have bigger problems than a plaintext password-protected page.
  • The password is specific to only the page it is applied on, knowing this password does not give you any further privileges into the system.
However, feel free to come up with an alternative solution.

I do not see any reason why you would want to store the password in plain text, it's definitely not correct!


RE: Password Protect Plugin for GS - HelgeSverre - 2016-03-14

(2016-03-14, 05:25:35)Bigin Wrote:
(2016-03-14, 04:53:44)HelgeSverre Wrote: Yes, in ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:
  • The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
  • It is only viewable to admins.
  • If someone gains access to your server (ftp, ssh or otherwise) you have bigger problems than a plaintext password-protected page.
  • The password is specific to only the page it is applied on, knowing this password does not give you any further privileges into the system.
However, feel free to come up with an alternative solution.

I do not see any reason why you would want to store the password in plain text, it's definitely not correct!

You are free to use another plugin or create your own in that case.


RE: Password Protect Plugin for GS - Charpy1 - 2016-03-14

Please don't take it that way.. You shouldn't be offended, and everyone here is thankful to you for contributing to GS with this plugin.

You also have to consider that if you share your plugin, others may not have the same needs that you have. Security isn't a small issue, for both integrity of the GS websites and the GS reputation.

I think that for such a plugin, both password AND page content has to be stored hashed, with salt, AES1024 and everything! I don't have enough skills to improve it by myself, however.


RE: Password Protect Plugin for GS - shawn_a - 2016-03-14

I think it is fine, it does not gain an attacker any privilege escalation, viewing a page does not really constitute a high security scenario. Visible password is a feature also for sharing.


RE: Password Protect Plugin for GS - HelgeSverre - 2016-03-14

(2016-03-14, 07:22:44)shawn_a Wrote: I think it is fine, it does not gain an attacker any privilege escalation, viewing a page does not really constitute a high security scenario. Visible password is a feature also for sharing.

Yup, was what I thought as well.


RE: Password Protect Plugin for GS - Charpy1 - 2016-03-14

You made a point. But you can't assume that the page content isn't some vital information, so.. hmm.
Well, it's also possible to make password encryption an option, I guess...?


RE: Password Protect Plugin for GS - Bigin - 2016-03-14

(2016-03-14, 07:22:44)shawn_a Wrote: I think it is fine, it does not gain an attacker any privilege escalation, viewing a page does not really constitute a high security scenario.

The same: that is no reason to store password in plain text.
Most people want to remember their password, so they use the same password everywhere at admin and front-end email etc. I do know people that accidentally deleted or have not uploaded important files like .htaccess, so that the xml files were accessible in a browser by DIRECT URL ACCESS like „www.website.com/data/pages/welcome_here_is_my_pass.html"

(2016-03-14, 07:22:44)shawn_a Wrote: Visible password is a feature also for sharing.

Yes, maybe in the old days (10 years ago), just like sending a new password in plaintext by email, on request :)


RE: Password Protect Plugin for GS - HelgeSverre - 2016-03-14

(2016-03-14, 18:17:27)Bigin Wrote:
(2016-03-14, 07:22:44)shawn_a Wrote: I think it is fine, it does not gain an attacker any privilege escalation, viewing a page does not really constitute a high security scenario.

The same: that is no reason to store password in plain text.
Most people want to remember their password, so they use the same password everywhere at admin and front-end email etc. I do know people that accidentally deleted or have not uploaded important files like .htaccess, so that the xml files were accessible in a browser by DIRECT URL ACCESS like „www.website.com/data/pages/welcome_here_is_my_pass.html"

(2016-03-14, 07:22:44)shawn_a Wrote: Visible password is a feature also for sharing.

Yes, maybe in the old days (10 years ago), just like sending a new password in plaintext by email, on request :)

I said no.


RE: Password Protect Plugin for GS - carpman - 2016-03-20

Very useful.
Thank you!

C.


RE: Password Protect Plugin for GS - nicolap - 2016-04-04

Hi there,
I've just installed the plugin but it makes my website blank...
No panic, just delete the php file under "plugins" and the folder and the website comes back.
I've tried a couple of times, always the same result.
Am I missing something?
thanks

Nico


RE: Password Protect Plugin for GS - nicolap - 2016-04-05

[attachment=679]
(2016-04-04, 23:55:06)nicolap Wrote: Hi there,
I've just installed the plugin but it makes my website blank...
No panic, just delete the php file under "plugins" and the folder and the website comes back.
I've tried a couple of times, always the same result.
Am I missing something?
thanks

Nico

Actually it makes me install it, but then it gives me an error and the plugin gets automatically disabled; and afterwards the website gets empty.


RE: Password Protect Plugin for GS - shawn_a - 2016-04-05

Turn debug on or check your error log in data/other/logs/; it sounds like a PHP error in the plugin.


RE: Password Protect Plugin for GS - HelgeSverre - 2016-04-05

(2016-04-05, 06:37:49)shawn_a Wrote: Turn debug on or check your error log in data/other/logs/; it sounds like a PHP error in the plugin.

Thanks, Will check it out when I have a spare moment.


RE: Password Protect Plugin for GS - nicolap - 2016-04-07

I've also tried with another connection (home), but when I activate I get the error message again and the website gets blank.
After this action the log folder keeps being empty, by the way.

thanks for a hint

Nicola

http://www.lamossa.net


RE: Password Protect Plugin for GS - HelgeSverre - 2016-04-07

(2016-04-07, 05:56:59)nicolap Wrote: I've also tried with another connection (home), but when I activate I get the error message again and the website gets blank.
After this action the log folder keeps being empty, by the way.

thanks for a hint

Nicola

http://www.lamossa.net

What web host are you using?


RE: Password Protect Plugin for GS - nicolap - 2016-04-07

(2016-04-07, 22:32:04)HelgeSverre Wrote:
(2016-04-07, 05:56:59)nicolap Wrote: I've also tried with another connection (home), but when I activate I get the error message again and the website gets blank.
After this action the log folder keeps being empty, by the way.

thanks for a hint

Nicola

http://www.lamossa.net

What web host are you using?

lamossa.net is under F5 BIG-IP APACHE hosted by OVH
I've also tried the plugin at lamichetta.it, that is under LINUX APACHE hosted by ARUBA
same result, the website gets blank.
I've tried this from my company network and from home with a private connection

Is it the first time you hear of such a bug...?

thanks


RE: Password Protect Plugin for GS - shawn_a - 2016-04-08

Might be a PHP version problem; the error log will say a fatal error if you have a white screen of death.


RE: Password Protect Plugin for GS - HelgeSverre - 2016-04-11

Do you know which PHP version you are running on? I used a short array declaration "[]" in the plugin; if your PHP version doesn't support that, it could possibly cause the errors you are having.


RE: Password Protect Plugin for GS - mengi - 2016-04-15

I am receiving the same thing. I activate the plugin and site goes blank.

Turned on debugging and got this:

Code:
Parse error: syntax error, unexpected '[' in /plugins/password_protect.php on line 56


Running PHP 5.3


RE: Password Protect Plugin for GS - HelgeSverre - 2016-04-21

(2016-04-15, 12:33:54)mengi Wrote: I am receiving the same thing. I activate the plugin and site goes blank.

Turned on debugging and got this:

Code:
Parse error: syntax error, unexpected '[' in /plugins/password_protect.php on line 56

Running PHP 5.3

This is because your PHP version is too old to understand shorthand array syntax "$variable = [];".

Upgrade your PHP version.


RE: Password Protect Plugin for GS - Carlos - 2016-04-21

(2016-04-21, 18:33:02)HelgeSverre Wrote: This is because your PHP version is too old to understand shorthand array syntax "$variable = [];".

Upgrade your PHP version.

If you just changed that line to $html = array(); your plugin would be compatible with PHP 5.2, which, by the way, is the minimum required by GS.
There are many many hosts using PHP 5.3 (and quite a lot with 5.2)