
Anonymous access (without authentication)


Titoo
14-04-05, 10:34 PM
Hello,

I've dug through the whole forum and I am surprised that no one else asked this question before (so maybe I'm just stupid and I missed topics about it?):

Is it possible to access Dp anonymously?
Obviously I know about guest access and permissions, but the problem is the authentication part.
We would like to give a direct view of a project by giving a URL like http://******.net/dotproject_2_0/dotproject/index.php?m=projects&a=view&project_id=6, with guest access, without the need to authenticate.

Any idea?

Thank you in advance :P

pedroa
15-04-05, 02:13 AM
Dig again here please:

http://www.dotproject.net/index.php?name=PNphpBB2&file=viewtopic&t=2447

Pedro A.

Titoo
15-04-05, 10:55 PM
Thank you.

I've already seen this one, but you still need to identify at least one time? Anyway, it's better than nothing.

Thx again.

cyberhorse
19-04-05, 07:13 PM
Actually it's quite easy to rip out the authentication (you just remove one if statement in index.php), but that will quite likely break all user related stuff (almost everything).

pedroa
19-04-05, 08:34 PM
Hi again,

After seeing this I had the following idea:

1) Create a Bypass User: a bogus user for this kind of anonymous visiting
2) On line 140 of index.php (ver 2.0) right after the '$redirect = dPgetParam( $_REQUEST, 'redirect', '' );' type:

(!$username) ? $username = 'bogususername' : $username = $username;
(!$password) ? $password = 'boguspasswd' : $password = $password;

This will make sure we get a history and all user vars OK.

Now if you access dP normally, you still get the log in screen, but if you access it with:
http://localhost/dotproject/index.php?login=sql

You will get in, no questions asked with that bogus user activated.

What do you think cyberhorse?

Pedro A.

u4ikclmr
17-06-05, 01:39 AM
(!$username) ? $username = 'bogususername' : $username = $username;
(!$password) ? $password = 'boguspasswd' : $password = $password;


Any thoughts on breaking the authentication or allowing a bogus username to automatically log on through fileviewer.php? I tried the above suggestion but got an undefined error.

We have an external app that would be beneficial to be able to link to the files without having to log in.

pedroa
17-06-05, 01:51 AM
1) Have you created the user?
2) Have you given him a role?
3) Define undefined...

Pedro A.

u4ikclmr
17-06-05, 02:13 AM
User has been created and has access/roles.

http://host/fileviewer.php?file_id=1&login=sql


Fatal error: Call to undefined function: setconfig() in /htpath/fileviewer.php on line 60

And here's the snipplet from fileviewer.php:

$redirect = dPgetParam( $_REQUEST, 'redirect', '' );
(!$username) ? $username = 'test' : $username = $username;
(!$password) ? $password = 'test' : $password = $password;

I have this also in the index.php and that works fine when adding ?login=sql to the index.php.

u4ikclmr
17-06-05, 02:18 AM
I commented out line 60 of fileviewer.php to see what would happen and now the login works (as in I am sent to the Day View page logged in as my test user) but I get "X fileIdError"

//$AppUI->setConfig( $dPconfig );

pedroa
17-06-05, 02:50 AM
Comment lines on fileviewer.php
Around line 60:
$AppUI->setConfig( $dPconfig );

Lines around 69, put the necessary user/pwd inside the '':
$username = dPgetParam( $_POST, 'username', 'bogususername' );
$password = dPgetParam( $_POST, 'password', 'boguspasswordd' );

Comment every line that says:
exit;

There are 3 of them

Comment line around line 83 (it is before one of the exit; ) that says:
header ( "Location: fileviewer.php?$redirect" );

After the line that says:
$file_id = isset($_GET['file_id']) ? $_GET['file_id'] : 0;

insert this code:
if (!$file_id && isset($_REQUEST['file_id']))
$file_id = $_REQUEST['file_id'];



It is ready.

now do a simple browsing:

http://yourserverhere/dotproject/fileviewer.php?login=sql&file_id=2

And you are downloading file no. 2, if you have permissions to that with your bogususer (if you don't you will be sent to jail, I mean the "you have no rights...")

Pedro A.

u4ikclmr
17-06-05, 03:39 AM
Nicely done. Works like a charm!

Thanks!

pedroa
18-06-05, 01:07 AM
Yes it does in Firefox but not on IE.
I have to find a fix for those MIME headers...

Pedro A.

pedroa
04-07-05, 01:40 PM
I just found this one out.

On file fileviewer.php around line 175 you have this block of code:

header("MIME-Version: 1.0");
header( "Content-length: {$file['file_size']}" );
header( "Content-type: {$file['file_type']}" );
header( "Content-transfer-encoding: 8bit");
header( "Content-disposition: inline; filename=\"{$file['file_name']}\"" );

You must change the last line to:

header( "Content-disposition: attachment; filename=\"{$file['file_name']}\"" );

and add an extra line:

header( "Cache-Control: public");

That's all.

Pedro A.

cyberhorse
04-07-05, 08:57 PM
also look into the new rss patch - there is another example how to bypass authentication ...

FlyinFish
06-10-05, 08:03 AM
Hi there, I am also working on stripping out the login part of dotProject recently, so users will not have to log into dotProject again after logging into our main system.
I'm trying to set up session information externally, which files should I look for?

I tried to move this section in index.php
if (isset($_REQUEST['login'])) {
...
}
to another file expecting it to set up the $_SESSION['AppUI'] externally, but unfortunately dotProject doesn't like that.

-- Edit --
To bypass authentication I modified the CAppUI->login($username, $password) function, commented out the line that calls $auth->authenticate($username, $password) and named it guestLogin($username). It would not be difficult to call either login or guestLogin under different conditions.
You will also have to set user_id explicitly for SQL Authentication, as its user_id is set up in its authenticate function.

caseydk
08-10-05, 01:08 AM
Why don't you simply integrate the logins? It might be safer...

FlyinFish
09-10-05, 04:19 PM
"Why don't you simply integrate the logins? It might be safer..."

Well in short I do want to integrate the logins, I just don't know exactly how to yet.
I searched and only found 2 posts discussing this issue (this is one of them).

If there is already a solution to do that, can you point it out for me?

Thanks in advance.

caseydk
11-10-05, 01:23 AM
Hmmm... not an existing solution, but there is a PostNuke/dotProject module which does this, so it'd be a place to start dissecting the code.

FlyinFish
13-10-05, 01:12 AM
Thanks for the reply, I'll look into that PostNuke integration.

Just came up with another idea. What if I change the following lines:
if (isset($_REQUEST['login'])) {

$username = dPgetParam( $_POST, 'username', '' );
$password = dPgetParam( $_POST, 'password', '' );
to something like:
if (isset($userAuthenticated)){

// $username = dPgetParam( $_POST, 'username', '' );
// $password = dPgetParam( $_POST, 'password', '' );

And put the user validation code of the main login system (if I can manage to strip that part out) somewhere prior to these lines and set up $userAuthenticated, $username and $password in case the user is identified.

Would this generate some possible security problems? or any other problems?

Just a little thought.
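The two ideas above (commenting out $auth->authenticate() in CAppUI->login, and gating the login branch on a bare $userAuthenticated variable) both amount to trusting a value that the request can influence; on a PHP 4/5 host with register_globals on, isset($userAuthenticated) is satisfied by simply appending ?userAuthenticated=1 to the URL. Below is an added example, not dotProject code and not from any poster, of the "integrate the logins" route caseydk mentions: the main system issues a short-lived HMAC-signed handoff token, and dotProject verifies it before building the session. It assumes a shared secret (DP_SSO_SECRET) and a hypothetical CAppUI::guestLogin($username) like the one FlyinFish describes; both names are assumptions.

```php
<?php
// Added example for this thread; it is not dotProject code. Assumes the main
// system and dotProject share one secret, and that something like FlyinFish's
// guestLogin($username) exists on CAppUI to build the session for a user whose
// identity has already been verified (both are assumptions). PHP 7.1+.

const SSO_MAX_AGE = 300;   // seconds a handoff token stays valid

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64urlDecode(string $enc): ?string
{
    $raw = base64_decode(strtr($enc, '-_', '+/'), true);
    return $raw === false ? null : $raw;
}

/** Issued by the main login system after it has authenticated the user. */
function ssoIssueToken(string $username, string $secret, int $now): string
{
    $payload = b64url($username . ':' . $now);
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

/** Verified by dotProject; returns the username, or null if the token is bad or stale. */
function ssoVerifyToken(string $token, string $secret, int $now): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison: a plain == would leak how many leading bytes matched.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $raw = b64urlDecode($payload);
    if ($raw === null || ($pos = strrpos($raw, ':')) === false) {
        return null;
    }
    $username = substr($raw, 0, $pos);
    $issued   = (int) substr($raw, $pos + 1);
    // Reject empty names, tokens from the future, and tokens older than SSO_MAX_AGE.
    if ($username === '' || $issued > $now || $now - $issued > SSO_MAX_AGE) {
        return null;
    }
    return $username;
}

// In index.php, in place of a bare isset($userAuthenticated) check:
$ssoSecret = getenv('DP_SSO_SECRET') ?: '';   // assumption: secret kept out of the source tree
$ssoUser   = (isset($_GET['sso']) && $ssoSecret !== '')
    ? ssoVerifyToken((string) $_GET['sso'], $ssoSecret, time())
    : null;
if ($ssoUser !== null) {
    // $AppUI->guestLogin($ssoUser);   // hypothetical: sets user_id and the session, no password needed
}
```

The main system would redirect to index.php?sso=<token> right after its own login succeeds; a token is only accepted if the MAC matches and it was issued within the last five minutes, so a leaked link stops working quickly and nothing in the query string alone can mark a request as authenticated.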

jyotirmaya
18-05-06, 05:51 PM
Hi pedroa,

I got the bogus user thing working fine - thanks for the info.
What I would like to do is give my "bogus" users a direct URL to fill out a helpdesk form. Right now they can access.../dotproject/index.php?login=sql - but they then see the default page for all users (projects in my case) - I would like them to go straight to the helpdesk - new item form ../dotproject/index.php?m=helpdesk&a=addedit.

Any way you can think of to do this?

pedroa
18-05-06, 11:54 PM
Hi there to you too :)

Two ways...

1) build the form independent and wrap the necessary API classes for it to work outside of the application...

2) change the default module to helpdesk, default submodule to addedit.
This way all users will be sent there and not only the bogus ones, the way to surpass this is to check the role and make the default page work in a customized way.

If you don't mind all users going to addedit of helpdesk on login, selecting the 2nd choice without its final twist is easier, because that final twist is kinda complicated but doable.
The first choice is also somewhat complex but also doable.

Pedro A.

jyotirmaya
19-05-06, 02:06 AM
Thanks Pedroa,

I would like to do something like the second option, WITH the final twist. The reason is that I use DP primarily as a PM tool, so the majority of my registered users will need to login and see the project list as the default page.

With the bogus user, "Anon" I have created a role called "huser" (helpdesk user) with permissions to only view/access the helpdesk module. However, when I autologin this boguser, they see the project page by default (although they cannot see any projects in the list as they don't have permissions.)

So, I thought to do one of two things:-
1) As you suggest, do some fancy stuff with the roles so that we can change the default module on a per role basis - which might not be a bad feature to have in DP - similar to how you can change the theme on a per-user basis

2) Change the theme for the bogus user and make biiig clear links to the helpdesk forms hardcoded in the bogus user theme....)

I would prefer (my) option 1 since that will take them straight to the form. Could you advise how to change the default module for a role or an individual user please.

pedroa
19-05-06, 11:17 AM
It involves changing two files:
1) classes/ui.class.php
This file serves the purpose of carrying data of the logged user throughout the application, so you need to add an extra property to CAppUI class to carry its role.
Then you need to store on this property the role upon login.

By now you should be able to know everytime and everywhere on the application what is the role of the user by pulling $AppUI->user_role (just an example)

2) index.php
This file is the center of it all, it calls everything up to render, so when these defaults are called you must inject your customized behavior, so where you see:

$m = $dPconfig['default_view_m'];
$def_a = !empty($dPconfig['default_view_a']) ? $dPconfig['default_view_a'] : $def_a;
$tab = $dPconfig['default_view_tab'];


You should tailor it to do something else in case the role is something specific.

Pedro A.

jyotirmaya
07-06-06, 09:55 PM
Pedroa,
I was just looking at the code again and wondering whether it would be possible to hardcode a redirect for my anonymous user. Currently my hack looks like:
$username = dPgetParam( $_POST, 'username', '' );
$password = dPgetParam( $_POST, 'password', '' );
$redirect = dPgetParam( $_REQUEST, 'redirect', '' );
$AppUI->setUserLocale();
//Jyoti Hacks for autologin of anon user
(!$username) ? $username = 'anon' : $username = $username;
(!$password) ? $password = 'Anon' : $password = $password;
//End Hack

Could we not put in an additional line starting (!$redirect = ......) and point this to the helpdesk module which I want just my anonymous users to see...
Just an idea because I realise that the long term solution is pretty time hungry....
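An added example (not dotProject's code and not from any poster) that combines the three index.php ideas in this part of the thread: pedroa's bogus-user fallback, his role-aware default view, and jyotirmaya's "(!$redirect = ...)" line. The one security point it adds: once the anon password is hardcoded, anyone who reaches the URL gets that session, so the redirect for the anon user is forced rather than defaulted (otherwise ?redirect=m=projects still lands the anon session on the project list), and any user-supplied redirect is restricted to in-application m=...&a=... targets. The constants and the role name 'huser' are assumptions taken from the posts.

```php
<?php
// Added example, not dotProject code. Models the login branch of index.php and the
// default-view block quoted in the thread; ANON_* and the 'huser' role are assumptions.

const ANON_USER     = 'anon';
const ANON_PASSWORD = 'Anon';                 // must match the bogus account created in dotProject
const ANON_LANDING  = 'm=helpdesk&a=addedit'; // the only page the anon session should land on

/**
 * Replacement for the hand-written ternaries: returns [username, password, redirect].
 * $post is $_POST and $request is $_REQUEST, the arrays dPgetParam reads from.
 */
function resolveLogin(array $post, array $request): array
{
    $username = isset($post['username']) ? (string) $post['username'] : '';
    $password = isset($post['password']) ? (string) $post['password'] : '';
    $redirect = isset($request['redirect']) ? (string) $request['redirect'] : '';

    if ($username === '') {
        // No credentials posted: this is the anonymous path (index.php?login=sql).
        $username = ANON_USER;
        $password = ANON_PASSWORD;
        // Force, do not merely default, the landing page for the anon session.
        $redirect = ANON_LANDING;
    } elseif (!isSafeRedirect($redirect)) {
        $redirect = '';
    }
    return [$username, $password, $redirect];
}

/** Accept only "m=module&a=action&key=value" style targets, never absolute URLs. */
function isSafeRedirect(string $redirect): bool
{
    return $redirect === ''
        || preg_match('/^m=[a-z_]+(&[a-z_]+=[A-Za-z0-9_-]*)*$/', $redirect) === 1;
}

/**
 * The default-view block from index.php, made role-aware as pedroa describes:
 * $userRole would come from the extra CAppUI property he suggests (e.g. $AppUI->user_role).
 */
function defaultView(array $dPconfig, string $userRole, string $def_a): array
{
    if ($userRole === 'huser') {   // helpdesk-only role goes straight to the form
        return ['m' => 'helpdesk', 'a' => 'addedit', 'tab' => 0];
    }
    return [
        'm'   => $dPconfig['default_view_m'],
        'a'   => !empty($dPconfig['default_view_a']) ? $dPconfig['default_view_a'] : $def_a,
        'tab' => $dPconfig['default_view_tab'],
    ];
}

// Usage in index.php, inside the if (isset($_REQUEST['login'])) branch:
// [$username, $password, $redirect] = resolveLogin($_POST, $_REQUEST);
// ... existing $AppUI->login($username, $password) call and redirect handling ...
// and where the defaults are computed:
// ['m' => $m, 'a' => $def_a, 'tab' => $tab] = defaultView($dPconfig, $AppUI->user_role, $def_a);
```

Whatever landing page is forced, the anon account still needs a role that only permits the helpdesk module, as jyotirmaya did with "huser"; the redirect only decides where the session starts, the role decides what it can reach.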

HandyTech
08-09-06, 10:31 AM
"Dig again here please:

http://www.dotproject.net/index.php?name=PNphpBB2&file=viewtopic&t=2447

Pedro A."
I tried to click that link... it says "PHPbb2" something not available. I'm trying to create a registration page and I can't.

pedroa
08-09-06, 12:53 PM
That's because that link is older than my avatars beard, so Karen has already changed systems two times since then and I don't know where the heck that thing went.

Pedro A.

HandyTech
08-09-06, 01:16 PM
*smiles* funny. LOL.

Stefan_Borgi
14-10-08, 12:25 AM
Hello Pedroa.

Some years ago you wrote a workaround for anonymous access (without authentication) in fileviewer.php:

"Comment lines on fileviewer.php
Around line 60:
$AppUI->setConfig( $dPconfig );

Lines around 69, put the necessary user/pwd inside the '':
$username = dPgetParam( $_POST, 'username', 'bogususername' );
$password = dPgetParam( $_POST, 'password', 'boguspasswordd' );

Comment every line that says:
exit;

There are 3 of them

Comment line around line 83 (it is before one of the exit; ) that says:
header ( "Location: fileviewer.php?$redirect" );

After the line that says:
$file_id = isset($_GET['file_id']) ? $_GET['file_id'] : 0;

insert this code:
if (!$file_id && isset($_REQUEST['file_id']))
$file_id = $_REQUEST['file_id'];



It is ready.

now do a simple browsing:

http://yourserverhere/dotproject/fileviewer.php?login=sql&file_id=2

And you are downloading file no. 2, if you have permissions to that with your bogususer (if you don't you will be sent to jail, I mean the "you have no rights...")

Pedro A."

Now my question. Is it possible to put the variable login=sql in fileviewer.php directly? So that it will be possible to view document number 2 with this link:

http://yourserverhere/dotproject/fileviewer.php?file_id=2

Because we copy the link from dotproject and send this by mail without adding login=sql&

I don't know how i can do this.

thank you,
stefan
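An added example, not dotProject's fileviewer.php and not from any poster, that models the three fileviewer.php changes pedroa describes (bogus credentials, file_id taken from $_REQUEST, the attachment plus Cache-Control headers from his 04-07-05 post) and the variant Stefan asks about, where a plain fileviewer.php?file_id=2 link works without login=sql. Two checks a practitioner would add are included: file_id is only accepted as a positive integer, and file_name is stripped of CR, LF, quotes and backslashes before it goes into the Content-disposition header, since that value comes from the database. GUEST_* and the flag GUEST_IMPLICIT are assumptions; the permission check stays dotProject's own.

```php
<?php
// Added example, not dotProject code. Assumptions: GUEST_* match the bogus account
// created in dotProject; GUEST_IMPLICIT=true gives Stefan's behaviour (no login=sql
// needed), false keeps pedroa's original requirement of ?login=sql in the link.

const GUEST_USER     = 'bogususername';
const GUEST_PASSWORD = 'boguspasswd';
const GUEST_IMPLICIT = true;

/** file_id from GET, falling back to REQUEST; anything but a positive integer becomes 0. */
function resolveFileId(array $get, array $request): int
{
    $raw = $get['file_id'] ?? ($request['file_id'] ?? '');
    return preg_match('/^[1-9][0-9]*$/', (string) $raw) === 1 ? (int) $raw : 0;
}

/** Should this request be served as the guest account? */
function guestLoginRequested(array $request, bool $implicit): bool
{
    return $implicit || (isset($request['login']) && $request['login'] === 'sql');
}

/** The two dPgetParam($_POST, ..., 'bogus...') lines, as a function returning [user, password]. */
function guestCredentials(array $post): array
{
    $u = (isset($post['username']) && $post['username'] !== '') ? (string) $post['username'] : GUEST_USER;
    $p = (isset($post['password']) && $post['password'] !== '') ? (string) $post['password'] : GUEST_PASSWORD;
    return [$u, $p];
}

/** Make a stored file name safe to embed in a quoted header parameter. */
function safeFilename(string $name): string
{
    $name = str_replace(["\r", "\n", '"', '\\'], '', $name);
    return $name === '' ? 'download' : $name;
}

/**
 * The header block from pedroa's 04-07-05 post, returned as a list so it can be
 * inspected before header() is called. $file is the row fileviewer.php loads.
 */
function downloadHeaders(array $file): array
{
    return [
        'MIME-Version: 1.0',
        'Content-length: ' . (int) $file['file_size'],
        'Content-type: ' . $file['file_type'],
        'Content-transfer-encoding: 8bit',
        // "attachment" rather than "inline": the browser saves instead of rendering,
        // so a stored text/html file_type cannot run in the dotProject origin.
        'Content-disposition: attachment; filename="' . safeFilename($file['file_name']) . '"',
        'Cache-Control: public',   // the extra line that made the download work in IE
    ];
}

// Sketch of the fileviewer.php flow with the pieces above:
// $file_id = resolveFileId($_GET, $_REQUEST);
// if ($file_id === 0) { /* the existing fileIdError path */ }
// if (guestLoginRequested($_REQUEST, GUEST_IMPLICIT)) {
//     [$username, $password] = guestCredentials($_POST);
//     // $AppUI->login($username, $password);   // dotProject's own login
// }
// // dotProject's permission check on $file_id stays exactly where it is;
// // the guest account should only ever see the "you have no rights" page for other files.
// foreach (downloadHeaders($file) as $h) { header($h); }
```

With GUEST_IMPLICIT set, every fileviewer.php link is a guest download for anyone who has it, so the bogus account's role must be limited to the files that are meant to be public; the exit; and header("Location: ...") lines pedroa comments out are what normally pushed unauthenticated visitors back to the login form, and with them gone the permission check is the only gate left.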