Solprovider Lenya

Security - Member's Only Sections

This is a hack because Lenya 1.2.2 does not meet its own specifications:
Excerpt from http://lenya.apache.org:
Security: The access control allows you to restrict access to parts of your site to members of a group or individuals.

This may be possible, but it is not easy, and cannot be configured by the typical developer (meaning I could not figure it out, and my skills are advanced well beyond the typical developer.)

The devs say this has been fixed for 1.4, which is in beta and should be ready for production in early 2006.

Specifications

This protects sections (defined by the URLs/filepaths) of a publication based on the standard Lenya Groups. Each protection extends to lower sections. A section is defined by the beginning of the URL after "lenya/pubname/live". The top section (homepage) should not be protected; it must provide a method for login.

Complicated Example

Protection:
/management           requires "manager" Group
/employee             requires "employee" Group
/employee/develop     requires "developer" Group
/specialnotice.html   requires "employee" Group

Results:
/ (homepage)                              available to everybody.
/buyfromus.html                           available to everybody.
/management.html                          only available to "manager" Group
/management/financialreport.html          only available to "manager" Group
/employee.html                            only available to "employee" Group
/employee/benefits.html                   only available to "employee" Group
/employee/developers.html                 only available to visitors in "employee" and "developer" Groups
/employee/developers/projects.html        only available to visitors in "employee" and "developer" Groups
/employee/development.html                only available to visitors in "employee" and "developer" Groups
/employee/development/guidelines.html     only available to visitors in "employee" and "developer" Groups
/specialnotice.html                       only available to "employee" Group
/specialnotice/archive.html               available to everybody, but does not appear on menus since parent does not.
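The table above follows from two rules: a protection is a plain starts-with match on the URL after "lenya/pubname/live", and a page must satisfy every protection whose prefix matches it. The following Python model (an added example, not code from the page or from Lenya) encodes those rules with a constructed copy of the table so each row can be checked, including the prefix effect that makes "/employee/develop" cover "/employee/developers.html" and "/employee/development.html":

```python
from typing import Dict, FrozenSet, List

# Constructed rule table mirroring the "Complicated Example" above.
PROTECTIONS: Dict[str, str] = {
    "/management": "manager",
    "/employee": "employee",
    "/employee/develop": "developer",
    "/specialnotice.html": "employee",
}


def validate(protections: Dict[str, str] = PROTECTIONS) -> None:
    """The top section must stay open so every visitor can reach the login page."""
    for prefix in protections:
        if prefix in ("", "/"):
            raise ValueError("the homepage must not be protected; it provides the login")


def required_groups(url: str, protections: Dict[str, str] = PROTECTIONS) -> FrozenSet[str]:
    """Every group a visitor needs in order to see `url`.

    `url` is the part after "lenya/pubname/live", e.g. "/employee/benefits.html".
    Matching is starts-with, like the XSL test starts-with($url, 'employee'),
    so protections accumulate down the path: a page under "/employee/develop"
    needs both "employee" and "developer".  "/specialnotice/archive.html" does
    not start with "/specialnotice.html", so it stays open, as the table says.
    """
    return frozenset(group for prefix, group in protections.items() if url.startswith(prefix))


def can_view(url: str, visitor_groups: List[str]) -> bool:
    """Requirement 1: the visitor must belong to every required group."""
    return required_groups(url) <= set(visitor_groups)


def visible_menu(urls: List[str], visitor_groups: List[str]) -> List[str]:
    """Requirement 2: menu entries the visitor is allowed to see.

    Hiding a parent only hides its children from the menu; a child that carries
    no protection of its own is still viewable by direct URL (last table row).
    """
    return [u for u in urls if can_view(u, visitor_groups)]


if __name__ == "__main__":
    validate()
    for page in ["/", "/employee/development.html", "/specialnotice/archive.html"]:
        print(page, sorted(required_groups(page)))
```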

Requirements

1. Hide contents of page if accessed without proper authorization.
2. Hide page from menu if accessed without proper authorization.
3. Remove page from Search.

NOTE: These instructions only protect one section: "/employee" requires the "employee" group. The Search code allows more sections to be easily added. The XSL template for menu protection can be easily repeated to protect more sections. Sorry. Hiding the contents of many protected sections using XSL requires work.


First, fix Lenya's caching. Security does not work when the first page generated is served to all visitors.

Security using XMAP


This is a good method if you are able to add a match to your pipeline. It can easily test if a visitor is logged in or not logged in.
<map:select type="parameter">
<map:parameter name="parameter-selector-test" value="{access-control:user-id}"/>
<map:when test=""><map:call resource="deny"/></map:when> <!-- Not logged in -->
<map:when test="solprovider"><map:call resource="allow"/></map:when> <!-- Specific user -->
<map:otherwise><map:call resource="deny"/></map:otherwise> <!-- Logged in -->
</map:select>


You could also use {access-control:role-ids}. This requires adding new Roles, because the default is for all documents to return "visit". See variables for information about testing variables.

Security using XSL


NOTE: There is some confusion in the code between "Roles" and "Groups". The code was originally planned to use "Roles". This proved difficult, so the code was changed to use "Groups". All references to Roles refer to Groups. REPEAT: Roles are not used anywhere, although some variables are named "Roles".

Setup

This adds the visitor's Groups to the XML being processed:

FILE: {pub}\lenya\content\ac\login.xsp
Download

FILE: {pub}\publication-sitemap.xmap
...
<map:match pattern="lenyabody-*/*/*/*/**">
<map:aggregate element="cmsbody">
<!-- ADD THIS LINE -->
<map:part type="serverpages" src="{fallback:content/ac/login.xsp}"/>

Hide contents of page if accessed without proper authorization

FILE: {pub}/xslt/page2xhtml.xsl
Keep this file open because it is also modified in the next step.
After
<xsl:param name="url"/>
But before:
<xsl:template match="cmsbody|page:page">
Add:
<xsl:variable name="isEmployee">
<xsl:choose>
<xsl:when test="cmsbody/page/body/login[role = 'employee']">1</xsl:when>
<xsl:otherwise>0</xsl:otherwise>
</xsl:choose>
</xsl:variable>


Replace:
<xsl:apply-templates select="xhtml:div[@id = 'body']"/>

With:
<xsl:choose>
<xsl:when test="starts-with($url, 'employee')">
<xsl:choose>
<xsl:when test="$isEmployee != '0'">
<xsl:apply-templates select="xhtml:div[@id = 'body']"/>
<xsl:apply-templates select="div[@id = 'body']"/>
<div class="body">
<xsl:apply-templates select="page/content"/>
</div>
</xsl:when>
<xsl:otherwise>
<A HREF="{$root}/index_{$language}.html?lenya.usecase=session&amp;lenya.step=showscreen"><i18n:text>You must be an employee to see this page. Please login.</i18n:text></A>
</xsl:otherwise>
</xsl:choose>
</xsl:when>
<xsl:otherwise>
<xsl:apply-templates select="xhtml:div[@id = 'body']"/>
<xsl:apply-templates select="div[@id = 'body']"/>
<div class="body">
<xsl:apply-templates select="page/content"/>
</div>
</xsl:otherwise>
</xsl:choose>

Hide page from menu if accessed without proper authorization.

FILE: lenya\xslt\navigation\menu.xsl
Download
WARNING: The DIV IDs were changed to make extending the number of levels on the menu easier. Lenya's default requires CSS to be added for every level. It is possible to use XSL to change this back to the default, but is much easier if every level of the menu uses the same CSS.

FILE: {pub}/xslt/page2xhtml.xsl
Near the bottom, but just before:
<xsl:template match="@*|node()" priority="-1">
Add:
<!-- Remove Employee Menu if not Employee -->
<xsl:template match="*[@id = 'employee']" priority="2">
<xsl:if test="$isEmployee = '1'">
<xsl:copy>
<xsl:apply-templates select="@*|node()"/>
</xsl:copy>
</xsl:if>
</xsl:template>

Remove page from Search

See Search for instructions. The "employee" example is included, and other sections can easily be added.

Testing


If there are any problems, add the following to your publication-sitemap.xmap to make certain the login is noticed:
<!-- TEST login.xsp -->
<map:match pattern="**/*.id">
<map:generate type="serverpages" src="{fallback:content/ac/login.xsp}" />
<map:serialize type="xml" />
</map:match>


In your browser, change the extension of any page to ".id":
http://yourServer/pub/live/index_en.id

If it worked, a logged-in visitor in an "employee" Group should have the line:
<role>employee</role>

(Yes, there is some confusion in the tag names because I started to use Roles, then switched to Groups. The <role> tags should be the Group names.)

How to improve Lenya

Lenya needs to add (or re-add) these abilities. The configuration should be handled by one file (probably sitetree.xml) which is configurable using the CMS GUI. Search can read in the file and convert it to its internal format. The content protection should be handled by the sitemaps (XMAPs); there are references to "auth-protect" suggesting this existed but was lost. Controlling the menus requires more work, probably converting map.xsl to map.xsp. I believe it should be Lenya's highest priority to regain functionality listed on their homepage and every press release. REPEAT: The devs say this has been fixed for 1.4, which is in beta and should be ready for production in early 2006.


Contact Solprovider
Paul Ercolino