1 May 20, 2010 17:51

My b2evolution Version: Not Entered

I am thinking of using b2evolution for a law firm as a client base.

What I need is posts/pages (cases) that only a specific user (client) can see, but cannot edit; the edits and post creation will only be done by admin.

How do I do this? Via private posts, or protected posts? And how secure is it?

2 May 20, 2010 17:58

Blog per client, protected posts, and then use perms would probably be easiest.

It's about as secure as other methods.

¥

3 May 21, 2010 07:00

Why blog per client? Wouldn't posts/pages be enough? How about using workflow and assigning posts? What does that do exactly?

4 May 25, 2010 15:46

All right, I am gonna go with blog per user [client] on this one..

as you get doubled security: separate instances + protected posts..

But is it secure enough for a law firm? I mean all these blogs will include confidential information about the clients of that law firm.. If anything goes wrong they'll sure sue my a** off...

So, any security advice?

And how do I block search engines off the entire b2 installation? I don't want anything to be crawled by any search engines.

5 May 25, 2010 17:23

I'd use :
Blog per client
Protected blogs
Protected posts
Disable all rss
Disable all xmlrpc ( delete the folder or summat )
Robots.txt

Then it's as secure as their server.

If they're on any form of shared hosting or even a dedi box that isn't running suphp && doesn't have ssh locked down to specific IPs && allows password authentication ( or even worse allows root login ) then they'd want to rethink their plan about storing confidential data online.

¥

6 May 25, 2010 20:46

¥åßßå wrote:

I'd use :
Blog per client
Protected blogs
Protected posts
Disable all rss
Disable all xmlrpc ( delete the folder or summat )
Robots.txt

Then it's as secure as their server.

If they're on any form of shared hosting or even a dedi box that isn't running suphp && doesn't have ssh locked down to specific IPs && allows password authentication ( or even worse allows root login ) then they'd want to rethink their plan about storing confidential data online.

¥

Great.. you wrapped it up very well.. cleared up many points..

I am already gonna use blog per client per your previous advice..

Can I make "protected post" the default post status and disable the others? In order to make sure every single post is protected?

What is "protected blog"?

Any pointers on how to disable all rss & all xmlrpc?

And I will make sure robots.txt blocks every engine for sure.

7 May 26, 2010 09:37

Somewhere I had a plugin for protected blogs, it auto "edits" posts and changes published to protected as well.

In user settings you just need to untick everything except protected status which will work for non-admin users. If you're intending to use group per user then do the same for the group settings.

To disable xmlrpc delete the /xmlsrv/ folder

To disable rss, change your blog settings in admin && delete the relevant folders from your /skins/

Note : You can create an aggregate blog per lawyer as well so they can see all their clients' "posts" in one area. DO NOT make any clients a member of an aggregate blog or you'll hit a "feature" that you *really* don't want ;)

¥

8 May 26, 2010 09:52

¥åßßå wrote:

Note : You can create an aggregate blog per lawyer as well so they can see all their clients' "posts" in one area. DO NOT make any clients a member of an aggregate blog or you'll hit a "feature" that you *really* don't want ;)

¥

:D lol, exactly..

I thought of creating a master aggregated blog for admin but there is no way to do it without entering the blog IDs one by one manually, is there?

Btw, I've added

<?php
if( $current_User->ID != $Blog->owner_user_ID )
{
	die( 'stop..no permission to go there!!' );
}
?>

just to make sure, but this time even the admin cannot reach the blog :D

I want only the owner of the blog AND the admin to reach a particular blog.. so I did this

<?php  if( $current_User->ID != $Blog->owner_user_ID && $current_User->ID != 1 )

Is that correct? And user->ID != 1 is not very decent I guess; isn't there something like is_admin?

9 May 26, 2010 09:59

if( !is_logged_in() || ( $current_User->ID != $Blog->owner_user_ID && $current_User->group_ID !=  1 ) )

You never know, it might just work ;)

¥

10 May 26, 2010 10:13

¥åßßå wrote:

if( !is_logged_in() || ( $current_User->ID != $Blog->owner_user_ID && $current_User->group_ID !=  1 ) )

You never know, it might just work ;)

¥

Yeah that's better (: thanks.. group ID = 1 might not be the best as IDs are tricky, but still safer than user ID..

Btw about that aggregated blog thing.. there isn't really a way to aggregate all current and future blogs in one automatically, is there?

11 May 26, 2010 16:40

Don't quote me but "*" may work

¥

12 May 27, 2010 12:20

¥åßßå wrote:

Don't quote me but "*" may work

¥

Well what do you know, it worked.. wonder why it has never occurred to me to take a wild guess and use an asterisk.. Thank you (;

13 Jan 24, 2012 11:20

Will this hack work on version 4.1.2? And if yes which file do I hack? Thanks

14 Jan 24, 2012 13:24

If you mean that code snippet, then yes. It should work just fine in v4. The Protected Blog plugin may not work though.

15 Jan 24, 2012 14:14

Which file do I add this code snippet?

I am trying to get that a private post will be visible to both the admin and the post item owner. Any help will be appreciated.

16 Jan 24, 2012 14:27

It should go in index.php considering that you don't use (and delete) all other stub files. The only php files that you should keep in blog root are admin.php and index.php

17 Jan 24, 2012 18:05

I am sorry, but I am not sure what code exactly to add, where in index.php to add it. I am not using any other stub files

18 Jan 24, 2012 18:30

You should actually edit the file /inc/_blog_main.inc.php around the line 70 and add the second "if" statement.

$Blog = & $BlogCache->get_by_ID( $blog, false, false );
if( empty( $Blog ) )
{
	require $skins_path.'_404_blog_not_found.main.php'; // error & exit
	// EXIT.
}

// Second "if": only the blog owner or a member of the admin group (#1) may view this blog
if( !is_logged_in() || ( $current_User->ID != $Blog->owner_user_ID && $current_User->group_ID != 1 ) )
{
	require $skins_path.'_404_blog_not_found.main.php'; // error & exit
	// EXIT.
}

The above code will only let logged-in blog owners view their blogs and posts. It also allows Administrators (group #1) to view any blogs. Make sure that you deleted all stub files I listed before.
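As an added illustration (not code from the thread or from b2evolution itself), the owner-or-admin guard above isolated into a function and run against every kind of caller, including the anonymous visitor for whom $current_User is null and a second administrator whom the earlier "$current_User->ID != 1" version would have locked out. The User and Blog classes are minimal stand-ins carrying only the fields the guard reads.

```php
<?php
// Stand-ins for b2evolution's objects (assumption: only ID, group_ID and
// owner_user_ID are needed by the guard).
class User {
    public $ID; public $group_ID;
    function __construct($id, $group) { $this->ID = $id; $this->group_ID = $group; }
}
class Blog {
    public $owner_user_ID;
    function __construct($owner) { $this->owner_user_ID = $owner; }
}

// For anonymous visitors $current_User is null, so the logged-in test has to
// come first; reading ->ID on null would only "work" by accident.
function can_view_blog($current_User, Blog $Blog, $admin_group_ID = 1)
{
    if ($current_User === null) {            // equivalent of !is_logged_in()
        return false;
    }
    return $current_User->ID == $Blog->owner_user_ID
        || $current_User->group_ID == $admin_group_ID;
}

// Constructed scenarios: blog owned by user 5, group 3 = a client group.
$blog  = new Blog(5);
$cases = array(
    'anonymous visitor'     => null,
    'owner (user 5)'        => new User(5, 3),
    'admin (user 1, grp 1)' => new User(1, 1),
    'second admin (user 7)' => new User(7, 1),
    'unrelated client'      => new User(9, 3),
);
foreach ($cases as $label => $user) {
    printf("%-22s %s\n", $label,
        can_view_blog($user, $blog) ? 'allowed' : 'denied (404 page)');
}
```

Only the owner and the two group-1 users are allowed; the anonymous visitor and the unrelated client get the 404 page, which is the behaviour the snippet in _blog_main.inc.php is meant to enforce.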

19 Jan 24, 2012 18:52

Thanks Sam, really. I appreciate it.
