Restrict Content Access to Logged in Users with PHP

Restrict content access to logged in users with PHP

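# Return 403 for static assets when the request carries no mysessioncookie value.
# This only tests that the cookie is present; it does not check that the session is valid.
RewriteCond %{HTTP_COOKIE} !mysessioncookie=([^;]+)
RewriteRule .+\.(jpg|css|js) forbidden.html [R=403]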

Restrict page access in wordpress based on the logged in user's email

I suggest you check users against their user role instead of their email addresses.

You can use built-in user roles of WordPress such as editor, or you can create your customrole with this code.

The example code given below should go in your child theme's functions.php, or you can install the Code Snippets plugin to inject the custom functions into your WP site.

// Add custom role
add_role("customrole", __( "Custom Role" ),array('read' => true));

You can then assign users that you want to give access to certain pages by changing their roles.

I prefer to use a shortcode to restrict a page to a certain role or roles.
You can use this code to create your custom shortcode. It will redirect users who don't have access to the 404 page.

// Make a certain page available only to customrole users
function shortcode_restricted_page() {
    $current_user = wp_get_current_user();
    // roles is an empty array for logged-out visitors, and a user can hold several roles,
    // so test the whole list instead of reading roles[0]
    $allowed = array( 'customrole', 'administrator' );

    if ( array_intersect( $allowed, (array) $current_user->roles ) ) {
        // Access granted to the page; the shortcode itself prints nothing
        return '';
    }

    // Shortcodes run while the content is rendered, so headers may already be sent here
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    get_template_part( '404' );
    exit();
}
add_shortcode('restricted_page', 'shortcode_restricted_page');

You can now add the [restricted_page] shortcode to any page's content to restrict that page easily.
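A variant of the shortcode approach above, added here as an example and not part of the original answer: the role check runs on WordPress's `template_redirect` hook, before any output, so the 404 status can still be sent. The function name `restricted_page_guard` and the constant `RESTRICTED_PAGE_ROLES` are assumptions; the block replaces the shortcode callback above rather than running beside it.

```php
<?php
// Added example, not the answer's code. Names below are assumptions.
// Roles allowed to view pages whose content contains [restricted_page].
const RESTRICTED_PAGE_ROLES = array( 'customrole', 'administrator' );

function restricted_page_guard() {
    // Only single pages/posts are guarded; archives and the home page pass through.
    if ( ! is_singular() ) {
        return;
    }

    $post = get_queried_object();
    if ( ! ( $post instanceof WP_Post )
        || ! has_shortcode( $post->post_content, 'restricted_page' ) ) {
        return; // page is not marked as restricted
    }

    // Logged-out visitors have an empty roles array, so they fall through to the 404.
    $user = wp_get_current_user();
    if ( array_intersect( RESTRICTED_PAGE_ROLES, (array) $user->roles ) ) {
        return; // access granted
    }

    // Nothing has been printed yet on template_redirect, so the status line is honoured.
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();

    $template = get_404_template(); // empty string when the theme has no 404.php
    if ( $template ) {
        include $template;
    }
    exit;
}
add_action( 'template_redirect', 'restricted_page_guard' );

// The shortcode now only marks the page; it renders nothing.
add_shortcode( 'restricted_page', '__return_empty_string' );
```

This guards the front-end page view only; feeds, search excerpts and the REST API serve the same content unless they are restricted as well.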

What is the best practice for restricting specific pages to logged in users only in Codeigniter?

You've hit the nail on the head, but there's a slightly more efficient way to do it.

Extend the base controllers, one way (I believe originally outlined by Phil Sturgeon) but I'll summarise here:

See this article for a very in-depth write-up.

but in essence:

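<?php
// CI 2.0 names the base class CI_Controller and uses a PHP 5 constructor
// (CI 1.x used Controller and parent::Controller())
class MY_Controller extends CI_Controller
{
    function __construct()
    {
        parent::__construct();
        if (! $this->session->userdata('first_name'))
        {
            redirect('login'); // the user is not logged in, redirect them!
        }
    }
}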

So now, if you want to restrict access, simply:

class Secret_page extends MY_Controller {

    // your logged in specific controller code
}

And the extended controller will automatically check if the user is logged in in the constructor.

As for how, I'd probably set the user_id as the value to check if it's set, or perhaps a user "group" - then you can get user permissions and varying levels of access in your system.

Hope this helps a little.

edit

Add this to application/config.php

/*
| -------------------------------------------------------------------
| Native Auto-load
| -------------------------------------------------------------------
|
| Nothing to do with config/autoload.php, this allows PHP autoload to work
| for base controllers and some third-party libraries.
|
*/
// __autoload() is deprecated since PHP 7.2 and removed in PHP 8.0;
// spl_autoload_register() is the supported way to register the same loader
spl_autoload_register(function ($class) {
    if (strpos($class, 'CI_') !== 0) {
        @include_once( APPPATH . 'core/'. $class . EXT );
    }
});

As you are using CI 2.0, you will need to place the MY_Controllers inside Application/CORE rather than Libraries.

My Application/Core looks a little like:

Admin_Controller.php
MY_Controller.php
Public_Controller.php

How can I restrict content (images, etc) until the user is signed in using PHP?

You can put these images in a different folder outside of the public_html (so nobody can access them). Then via script, if a user is logged in, you get the image file content and then change the header. If a user is not logged in, you can display a random image or show a default image.

For example, the public html folder is: /var/www
Your image folder can be: /registered_user/images/

Then in your PHP script you can write:

<?php
// userLogged() and clean() are helpers you write yourself:
// userLogged() returns true for an authenticated session,
// clean() must reduce the parameter to a plain file name (no "/" or "..")
if (!userLogged() || !isset($_GET['image'])) {
    header('Location: /');
    die();
}
$path = '/registered_user/images/';
$file = clean($_GET['image']); // you can create a clean function that only get valid character for files

$filename = $path . $file;
if (!file_exists($filename)) {
    // fall back to a public placeholder image
    $filename = '/var/www/images/bogus.jpg';
}
$imageInfo = getimagesize($filename);

header('Content-length: ' . filesize($filename));
header('Content-type: ' . $imageInfo['mime']);
readfile($filename);

Then when you call the image you can use: <img src="/script.php?image=filename">
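The answer above leaves `clean()` to the reader, and that function is where a path traversal would get through. The following is an added example, not the answerer's code, showing one way to resolve the requested name safely before streaming it. `resolve_protected_image`, `ALLOWED_MIME` and the session key `user` are assumptions; the directory is the one used in the answer.

```php
<?php
// Added example. PROTECTED_DIR follows the answer; the other names are assumptions.
const PROTECTED_DIR = '/registered_user/images';
const ALLOWED_MIME  = array('image/jpeg', 'image/png', 'image/gif');

/** Map a requested name to a real file inside $baseDir, or null if it must not be served. */
function resolve_protected_image(string $requested, string $baseDir): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops directory components such as "../"; realpath() resolves symlinks.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // The resolved path must still sit under the protected directory.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Decide the type from the file's bytes, not from its name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($candidate);
    return in_array($mime, ALLOWED_MIME, true) ? $candidate : null;
}

session_start();
if (empty($_SESSION['user'])) {
    http_response_code(403); // not logged in: no image bytes leave the server
    exit;
}
$image = isset($_GET['image']) && is_string($_GET['image']) ? $_GET['image'] : '';
$path  = resolve_protected_image($image, PROTECTED_DIR);
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store'); // keep shared caches from storing it
readfile($path);
```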

How do I protect a page only for logged users?

Every one of your pages should start with

session_start();

and you should not be using session_register( "variablename" ) as of PHP version 4.2, use

$_SESSION["variable"] = value;

so an example page with is-logged-in checking would be:

<?php
session_start();
// empty() also covers the case where the key was never set
if (empty($_SESSION["loggedIn"])) {
    echo("Access denied!");
    exit();
}
echo("Enter my lord!");
?>

and logging-in script:

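<?php
session_start();
/*
... db stuff ...
*/

if( isset($user_info['url']) ) {
    // issue a fresh session ID at login so a pre-login ID cannot be reused
    session_regenerate_id(true);
    $_SESSION["loggedIn"] = true;
    $_SESSION["username"] = $myusername;
    header('Location: ' . $user_info['url']); //Redirects to the supplied url from the DB
} else {
    header("Location: error.htm");
}
// stop here so nothing else runs after the redirect header
exit();
?>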

Restrict PHP file if user is not logged in?

It's probably better to reverse the order that you do this, so you don't have to contain all of your code in a block, and you can kill your page if the user is not logged in.

session_start();

//empty does both of the checks you are doing at once
//check if user is logged in first
if(empty($_SESSION['user'])) {

    //start redirection to login page; header() has to run before any output
    header('Location: index.php');
    //you may never see this `echo` because the redirect may happen too fast
    echo "Please log in first to see this page.";

    //kill page because user is not logged in and is waiting for redirection
    die();
}

//escape the stored name before writing it into HTML
echo "Welcome to the member's area, " . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8') . "!";

//more page code here

