Jump to content

How to restrict ALL pages to logged in users only


Recommended Posts

Hi, I only want to use whmcs to manage existing users without letting anyone else view the site or place orders so I was looking for a way to hide ALL pages, (except the login page) from non-logged in users.

 

I've redirected all users to the login page using the option in general settings but there's nothing to stop someone from typing "/cart.php" onto the end of the domain name in the address bar and getting access to the order forms etc.

 

I've tried using an {if $loggedin || $templatefile == 'login'} before the main content part in header.tpl and an {/if} at the end of section in footer.tpl but that just gave me non-formatted pages even for logged in users.

 

The only way I can think of doing it is to put the {if $loggedin} at the start of every tpl page?

 

...does anyone have any ideas.

 

kind regards

Mark.

Link to comment
Share on other sites

hello Mark,

 

I think the best way to do this is using ActionHook to redirect who ever access your client area to login page.

 

below I wrote simple ActionHook function that will force anyone access your WHMCS client area to login before they can browse other pages in it, create new file in /includes/hooks/ directory, with the name "forceeveryonetologin.php" and put the following code inside it:

 

 

<?php
if (!defined("WHMCS"))
   die("This file cannot be accessed directly");

function hook_ForceEveryoneToLogin($vars) {

   $clientID = intval($_SESSION['uid']);

   if ($vars['filename']!="login" && $vars['filename']!="dologin" && $vars['filename']!="clientarea" && $clientID===0){
       header("Location: login.php");
       exit;
   }

}
add_hook("ClientAreaPage", 1, "hook_ForceEveryoneToLogin");

Link to comment
Share on other sites

nice solution sentq :idea:

 

it possibly might be useful to add another exception to your list - e.g the password reset link for those clients who have forgotten their password.

 

if ($vars['filename']!="login" && $vars['filename']!="dologin" && $vars['filename']!="clientarea" && $vars['filename']!="pwreset" && $clientID===0){

Link to comment
Share on other sites

thanks brian ;)

 

also we don't need to force Admin to login as client to browse client area, so lets improve it a little :D

 

<?php
if (!defined("WHMCS"))
   die("This file cannot be accessed directly");

function hook_ForceEveryoneToLogin($vars) {

   $clientID = intval($_SESSION['uid']);
   $adminID = intval($_SESSION['adminid']);

   if ($adminID===0){
       if (!in_array($vars['filename'], array("login","dologin","clientarea","pwreset") && $clientID===0){
           header("Location: login.php");
           exit;
       }
   }

}
add_hook("ClientAreaPage", 1, "hook_ForceEveryoneToLogin");

Link to comment
Share on other sites

That works perfectly, exactly what I wanted.

Thank you to both of you for taking the time to help me - it's really appreciated.

 

The third solution was throwing an error, an unexpected "{" which gave a server 500 error.

but I couldn't see an unmatched bracket so I used a mix of the solutions...

 

<?php
if (!defined("WHMCS"))
   die("This file cannot be accessed directly");

function hook_ForceEveryoneToLogin($vars) {

   $clientID = intval($_SESSION['uid']);
   $adminID = intval($_SESSION['adminid']);
   if ($adminID===0){
     if ($vars['filename']!="login" && $vars['filename']!="dologin" && $vars['filename']!="clientarea" && $clientID===0){
         header("Location: login.php");
         exit;
     }
   }
}
add_hook("ClientAreaPage", 1, "hook_ForceEveryoneToLogin");

 

...I didn't include the password reset clause as I've removed that button from the login screen anyway.

 

thanks again guys.

-Mark :-)

Link to comment
Share on other sites

the third solution was missing one of the ")", below is fixed ;)

 

<?php
if (!defined("WHMCS"))
   die("This file cannot be accessed directly");

function hook_ForceEveryoneToLogin($vars) {

   $clientID = intval($_SESSION['uid']);
   $adminID = intval($_SESSION['adminid']);

   if ($adminID===0){
       if (!in_array($vars['filename'], array("login","dologin","clientarea","pwreset")) && $clientID===0){
           header("Location: login.php");
           exit;
       }
   }

}
add_hook("ClientAreaPage", 1, "hook_ForceEveryoneToLogin");

Link to comment
Share on other sites

  • 1 year later...
5 hours ago, Andyucs said:

is there any way possible to exclude the register page in this mod

as if they are not a member they can not register

thanks in advance

Andy

 

sure:

<?php
if (!defined("WHMCS"))
   die("This file cannot be accessed directly");

function hook_ForceEveryoneToLogin($vars) {

   $clientID = intval($_SESSION['uid']);
   $adminID = intval($_SESSION['adminid']);

   if ($adminID===0){
       if (!in_array($vars['filename'], array("login","dologin","clientarea","pwreset", "register")) && $clientID===0){
           header("Location: login.php");
           exit;
       }
   }

}
add_hook("ClientAreaPage", 1, "hook_ForceEveryoneToLogin");

 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated