How to secure external php files with Moodle

by koen roggemans -
Number of replies: 7
Finally running on a roles aware Moodle, but

The users of our courseID 239 have a special feature. From within that course, they can access information on pages located outside Moodle. To ensure the security of those pages, we protect them using the Moodle security. On top of each external PHP page, we incorporate the following lines:

// Pre-roles check: logged in, confirmed, on this site, and either
// student or teacher in course 239, or a site admin.
if (isset($USER->loggedin)
    and ($USER->confirmed)
    and ($USER->site == $CFG->wwwroot)
    and (!empty($USER->student[239])
        || !empty($USER->teacher[239])
        || !empty($USER->admin))) {
    // access allowed: fall through to the page
} else {
    die();
}


Given the new 'capability'-context, this works no longer.
Anyone have a suggestion on how to rewrite these lines?
Average of ratings: -
In reply to koen roggemans

Re: How to secure external php files with Moodle

by koen roggemans -
Thanks to some helpful hints from the 'Knight in shining armor', we got this far:

<?php

///gather what Moodle needs
include("../../../elo/config.php");

///check:
///search context: this is a course (context=[50]) with coursenumber 329

if($cm = get_context_instance(CONTEXT_COURSE,329)){echo 'OK';}else{echo 'NOT OK';};

///show something to check whether it works so far
print_object($cm);
print '<br/>';

///is it someone who has the right to be in this course?
if(has_capability('course_view',$cm->id)){echo 'OK';}else{echo 'NOT OK';};

///show something to check whether it works up to here
print $USER->email;

?>



It works for admin, but switching role to student makes it an (empty) downloadable file in FF.

What are we missing here?
In reply to koen roggemans

Re: How to secure external php files with Moodle

by Martin Dougiamas -

<?php

/// Include all the Moodle world
include("../../../elo/config.php");

/// Make sure they can access this course!
require_login(329); // That's the course id

/// That's it! Continue as normal!
echo "Only course users can see this";

?>
Average of ratings: Useful (2)
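
An added example, not part of the original thread and not Moodle's own code: the same two-line guard extended with an explicit capability check, for an external page that should be limited to teachers (the roles-era replacement for the old `$USER->teacher[...]` test). It goes one step beyond the answer above. It assumes the Moodle API of that era (`get_context_instance()`, `has_capability()`), reuses the config path and course id from the thread, and `GUARD_COURSE_ID` is a hypothetical name.

```php
<?php
// Added example (assumes the roles-era Moodle API used in this thread).

// Load Moodle: this sets up the session, $CFG and $USER for this page.
require_once("../../../elo/config.php");

// Hypothetical constant name; 329 is the course id used in the thread.
define('GUARD_COURSE_ID', 329);

// 1. Only continue for a logged-in user who may enter the course.
//    require_login() sends everyone else away and stops the script.
require_login(GUARD_COURSE_ID);

// 2. Resolve the course context. Fail closed if it cannot be found,
//    for example because the course was deleted.
$context = get_context_instance(CONTEXT_COURSE, GUARD_COURSE_ID);
if (!$context) {
    die();
}

// 3. Finer check on top of course access: pass the context object and
//    a full capability name. 'moodle/course:update' is held by roles
//    that can edit the course, so students are stopped here.
if (!has_capability('moodle/course:update', $context)) {
    die();
}

// Protected content starts below this line.
echo "Only users who can edit this course can see this";
?>
```

Keep the guard as the first code in the file, before any output, so that nothing is sent to the browser ahead of the checks.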
In reply to Martin Dougiamas

Re: How to secure external php files with Moodle

by koen roggemans -
Thanks a lot Martin. Works perfect!

So easy: 2 lines and Moodle authentication on our pages
In reply to Martin Dougiamas

Re: How to secure external php files with Moodle

by Jay Jennings -
That was a really cool "quickie" that really helped me out. But now I'm running into something really weird and maybe someone can shed some light on it (I hope I can explain what's happening without confusing everyone).

I had an external PHP page that I "wrapped" in Moodle by linking to it from inside a course. I chose to show it on the same page in a frame. By using the two-liner shown in this thread I was able to make it available when logged into Moodle, but not straight from the browser.

Then I did the same thing with a second utility and had no problems.

Then came unlucky #3 -- I did the same thing, added the two lines at the top, changed the ID number in the require_login line, and when I try it inside Moodle it doesn't show my PHP page, it shows the login window in the lower frame.

And here's where it's kind of weird -- I can hit that same page with the browser (still logged into Moodle in another window) and the page works -- the $USER object is filled, etc.

But hitting that page from inside Moodle makes it think I'm not logged in -- I think because the $USER object isn't valid (or something similar).

Any clue on what might be going on?

Thanks.

Jay Jennings

In reply to Jay Jennings

Re: How to secure external php files with Moodle

by Jay Jennings -
I solved my own problem -- and here's the solution in case someone runs into this problem in the future:

The URL I included in the course resource did NOT include the www part of the URL, but my web server adds that automatically. So Moodle was seeing a different URL than what I was telling it. When I changed the URL of the external page to include the www, everything worked.

Still seems a bit weird to me, but it works so I'm happy. =;)

Jay Jennings

In reply to Martin Dougiamas

Re: How to secure external php files with Moodle

by Ger Tielemans -
But Martin, how safe am I on that other page without cookies and session IDs?
In reply to Ger Tielemans

Re: How to secure external php files with Moodle

by Jan Dierckx -

Ger,

You are as safe as the code you use on that page. Cookies and session IDs are included. That's what the first include statement is for.