Hi… I’m starting to use your extension but I’ve BIG security problem… in the source code I can view all the code in the page, texts that should be hidden instead are shown in the "view source code" of the browser.

I checked your demo/showcases and I found the same problem there too.
Even without login authentication, I can see the source code hidden.

Only the database's content is hidden… but this extension can protect the content in the pages or only content in the database?

Thanks.
Regards,
Michele

Hello Michele,

Is your question referring to some hidden region on your page?
Did you secure the datasets on your page? The extension secures the database results on your page and they cannot be viewed by inspecting the source.
If you don't want the users to be able to even inspect your page source you can just apply a redirect behavior that leads the not-logged in users to some login page.

So, "Security Provider" is a plugin for your extensions DB Connector and Updater?

Where is possible to found the redirect behavior that you suggest me? Is it included in the behaviors of Security Provider extension?


Anyhow, I think it's impossibile to include all the contents of a private area in a table of a database.

For example, in your demo, without login authentication I see this message in the browser's window:

"Please log in to proceed, The Administrator Back-end of this Content Management System is available only for registered users. Please Log in using a valid username and password."

... but, if I check the source code in the browser I can see the db configuration and the code that should be visible only after login, for example:

<section id="content" data-binding-show="{{$SECURITY.identity}}">
  <div class="container"> 
  <div class="row stats-row">
                <div class="span4 stat">
                    <div class="data">
                        <span class="number">2457</span>
                        visits
                    </div>
                    <span class="date">Today</span>
                </div>
                <div class="span4 stat">
                    <div class="data">
                        <span class="number">3240</span>
                        users
                    </div>
                    <span class="date">last week</span>
                </div>
                <div class="span4 stat last">
                    <div class="data">
                        <span class="number">$2,340</span>
                        sales
                    </div>
                    <span class="date">last 30 days</span>
                </div>
</div>   
    <div class="row">
      <div id="left-nav" class="span2">
        <ul class="nav nav-tabs nav-stacked">[*]<a href="javascript:void(0);">Dashboard <i class="fa fa-angle-double-right">[/i]</a>[/*]
              <li class="disabled"><a>Articles</a>[/*]
              <li class="disabled"><a>Tasks</a>[/*]
              <li class="disabled"><a>Messages</a>[/*][/list]
      </div>
      <div id="dashboard" class="span10">
        <h2 class="table-title">Orders[/h2]
        <table class="table table-hover">
          <thead>
            <tr>
              <th> ID</th>
              <th> Date </th>
              <th>Name</th>
              <th> Status </th>
            </tr>
          </thead>
          <tbody>
            <tr data-binding-repeat="{{Orders.data}}" data-binding-id="repeat2">
              <td><a href="#">#{{idsp_orders}}</a></td>
              <td> {{date}}</td>
              <td> <a href="#">{{name}}</a> </td>
              <td> <span class="{{status.contains( &quot;Pending&quot; ).then( &quot;label label-info&quot;, &quot;label label-success&quot; )}}">{{status}}</span></td>
            </tr>
          </tbody>
        </table>
        <hr/>
        <h2 class="table-title">Users[/h2]
        <table class="table table-hover">
          <thead>
            <tr>
              <th> Name</th>
              <th> Signed Up </th>
              <th>Total Spent</th>
              <th> Email </th>
            </tr>
          </thead>
          <tbody>
            <tr data-binding-repeat="{{Users.data}}" data-binding-id="repeat1">
              <td>[img]img/{{id}}.jpg" alt="avatar" class="img-circle" data-binding-src="img/{{id}}.jpg">
<a class="name" href="#">{{name}}</a></td>
              <td>{{signed}}</td>
              <td>{{spent.currency( "$", ".", ",", 2 )}}</td>
              <td><a href="#">{{email}}</a></td>
            </tr>
          </tbody>
        </table>
      </div>
    </div>
  </div>
</section>

For my curiosity, did you used Security Provider technology for your private area?
www.dmxzone.com/user/products

In this page, the security is good and I didn't see in the source code the structure of the private area and db configuration... the source code without login is different from that with authentication (as it should be for a guaranteed safety).

Hello,
On our demo the data is just there for design purposes -> static ui elements.
The extension is created to secure your database content and actions setup with the database Connector and Database Updater, the rest is jut data.show or data.hide attribute based on if you are logged in or not.
The behavior i am talking about is the DMXzone Security Provider Page Executor behavior as on this screenshot:

FULL SIZE HERE

Ok, thanks.

In the redirect page with the login is possibile after the authentication return back to the page start (the page where the user is arrived before that redirect moved to the login page)?



P.S. I hope to see in the next version of Security Provider a new "behavior" that allow to hide the body content (static and dynamic) when the user is not login.
For "static" I also intend the html structure... I don't think that a business company wants to show to unauthorized people the html structure of its private area (div, h1, img, class, id, etc.).

Hi Michele,

In next updates of the security provider we will also offer a full restriction of content on php pages.

Greetings,
George

Thanks George!!!

Hello... is available "full restriction of content on php pages" in the last 1.0.1 version or it's still "under construction"?

Thanks

Hello Michele,

This option is still 'under construction'.

I'm planning to release a website that need hidden code... is the feature requested in this post coming soon (this week) or the develop is still to start?

Thanks

Hello Michele,
This feature is still work in progress. You can use hidden regions + redirection for not-logged in user.

Will be this feature available in the next release?
Do you have a timetable about it?

Thanks

Hello,

Please update the extension - it includes the new feature "Page Security Enforcer" which does exactly what you need.

I just updated to the latest version and when I try to use the Security Enforcer I receive a script error... While executing onClick in dmxSecurityProviderEnforcer.htm, the following JavaScript error(s) occurred:

At line 174 of file "C;\Users\....\dmxSecurityProvider_lib.js":
str has no properties

I have tried removing and reloading the extension but get the same error every time. Any ideas???

There was a minor bug in the extension code, which pointed to a wrong location if you do not have the SEO Extension installed. Please download and install the extension again - this is now fixed.