Security Challenges in Drupal 7 - security

I have mainly two security concerns in Drupal 7.
When a user enters http://sitename/node, the user will be able to view all the nodes created in the site till date. In the site there are some content types which are viewable to all users on the site and some which are restricted to the creating users and shared users. How do I stop users from viewing those nodes which they have not created? It will also be OK for me if, when a user enters http:///node, "Page Not Found" is displayed.
Similarly, I have installed the "URL Path Alias" module, which substitutes the URL with the title alias. Now when a user enters http://sitename/node/260, where 260 is a random number, this can be redirected to a valid page and the user gets to know the [nid] of the content. Hackers can use SQL Injection or another technique to delete the content from the generic [node] table. How do I restrict such hacking in the site?
Please let me know your views.

Pay a visit to the Drupal permissions page: /admin/people/permissions.
Using roles and permissions you can set who can see what. Knowing the URL is OK if you have defined your site roles and permissions in a good, safe way.
The Pathauto module, or using Drupal's built-in "URL Path Alias", is designed for SEO and simply making your URL look pretty. It has no security impact ;)
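The per-node restriction the question asks for ("only the creator and the users it was shared with may view") is what Drupal 7's hook_node_access() is for, and the "/node should be a 404" wish is a hook_menu_alter() job. The following is an added example module, not code from the thread or from Drupal core; the content type machine name "private_note", the entity-reference field "field_shared_with" and the module name "ownnodes" are assumptions, rename them for your site.

```php
<?php
/**
 * @file
 * Hypothetical Drupal 7 module "ownnodes.module" (added example, not code
 * from the thread). Assumes a content type "private_note" and a multi-value
 * entity-reference field "field_shared_with" listing the users a node is
 * shared with; both names are assumptions.
 */

/**
 * Implements hook_node_access().
 *
 * node_access() calls this for every single-node operation (viewing node/NID,
 * editing, deleting). One NODE_ACCESS_DENY wins over every ALLOW, and
 * NODE_ACCESS_IGNORE leaves the decision to the role permissions. Accounts
 * with "bypass node access" (uid 1, site admins) never reach this hook.
 */
function ownnodes_node_access($node, $op, $account) {
  // For $op == 'create', $node is the type's machine name, not an object.
  if (!is_object($node) || $node->type != 'private_note') {
    return NODE_ACCESS_IGNORE;
  }
  // Only restrict viewing; edit/delete stay with the "edit own ..." permissions.
  if ($op != 'view') {
    return NODE_ACCESS_IGNORE;
  }
  // The author may always view.
  if ($account->uid && $node->uid == $account->uid) {
    return NODE_ACCESS_ALLOW;
  }
  // Users the node was explicitly shared with may view.
  if (in_array((int) $account->uid, ownnodes_shared_uids($node), TRUE)) {
    return NODE_ACCESS_ALLOW;
  }
  // Everybody else, including anonymous users holding "access content", is denied.
  return NODE_ACCESS_DENY;
}

/**
 * Returns the uids stored in the (assumed) field_shared_with field.
 */
function ownnodes_shared_uids($node) {
  $uids = array();
  $items = field_get_items('node', $node, 'field_shared_with');
  if ($items) {
    foreach ($items as $item) {
      $uids[] = (int) $item['target_id'];
    }
  }
  return $uids;
}

/**
 * Implements hook_menu_alter().
 *
 * The node module registers the path "node" as the "all published nodes"
 * listing. Pointing it at a callback that returns MENU_NOT_FOUND turns
 * http://sitename/node into the site's 404 page, as the question asked.
 */
function ownnodes_menu_alter(&$items) {
  if (isset($items['node'])) {
    $items['node']['page callback'] = 'ownnodes_node_listing_gone';
    $items['node']['page arguments'] = array();
  }
}

/**
 * Menu callback for "node": report the listing as not found.
 */
function ownnodes_node_listing_gone() {
  return MENU_NOT_FOUND;
}
```

Enable the module and clear caches so the menu router is rebuilt; if the site front page is still the default "node", change it at admin/config/system/site-information first, or the home page becomes a 404 as well. Two caveats a reviewer would raise: hook_node_access() guards single-node access only, so listings (Views, search results, the front-page feed) keep showing restricted nodes until you also implement hook_node_grants() and hook_node_access_records(); and, on the nid-guessing worry, a visitor who discovers that node/260 exists gets nothing but a 403 from this hook, deletion still needs the delete permission, and the node table is protected from SQL injection by Drupal's DB API placeholders, not by keeping the nid secret.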

Related

Hiding entire website to visitors on Kentico?

Is it possible to hide an entire website behind a log-in screen, making the visitor log in to see the content? I know there are plugins like this on WordPress but I am unable to find something for Kentico.
Thanks,
Brian
Yes. At the root of the website (master page) select it. Then go to Properties>Security and in the Access section of that page, select yes for the "Requires authentication" attribute and save the page. This will force the user to the login page you have defined in your web.config OR in your Settings to authenticate first. This will be inherited by default through the rest of the child pages.

WordPress MU | Can current user edit this site options?

I am building a WordPress MU service that allows users to register sites and manage these sites only from the front end via AJAX.
In the main site, I have registered a domain in the form of http://www.my-site.com/edit-site/55/ that displays a form with the site options.
The problem is that the above method creates security issues, because some user may start change site ids at the end of the URL and reach the site options of other members.
So, is there a way to check if the current user has the right to update the options of the given site ?
Please refer to this link:
https://codex.wordpress.org/Function_Reference/current_user_can
The current_user_can() function will resolve your problem, I think.
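In a multisite install the check has to be made against the site whose id is in the URL, not against the site currently serving the request, which is what current_user_can_for_blog() does. The following is an added example handler for the front-end AJAX save, not code from the thread or from WordPress; the action name "save_site_options", the nonce action, the "example_" function names and the form field names are assumptions. It assumes WordPress 4.1 or later for the status-code argument of wp_send_json_error().

```php
<?php
/**
 * Added example (hypothetical plugin code, not from the thread). Registers an
 * AJAX action for logged-in users only (no wp_ajax_nopriv_ twin), so anonymous
 * requests get WordPress' default "0" response.
 */
add_action( 'wp_ajax_save_site_options', 'example_save_site_options' );

/**
 * Central authorization check, used by the page that renders the form at
 * /edit-site/{id}/ and by the AJAX handler that saves it.
 *
 * 'manage_options' is the capability wp-admin's own Settings screen requires,
 * so a user who could not edit the options in wp-admin cannot edit them here.
 * Super admins pass automatically.
 */
function example_user_can_edit_site( $site_id ) {
	$site_id = absint( $site_id );
	if ( ! $site_id || ! get_blog_details( $site_id ) ) {
		return false; // Unknown or malformed site id.
	}
	return current_user_can_for_blog( $site_id, 'manage_options' );
}

function example_save_site_options() {
	// 1. CSRF: the form must send a nonce created with
	//    wp_create_nonce( 'save_site_options' ) in the "nonce" field.
	check_ajax_referer( 'save_site_options', 'nonce' );

	// 2. The site id comes from the request, so it is untrusted input.
	$site_id = isset( $_POST['site_id'] ) ? absint( $_POST['site_id'] ) : 0;

	// 3. Authorization against that specific site, before any data is touched.
	if ( ! example_user_can_edit_site( $site_id ) ) {
		wp_send_json_error( array( 'message' => 'You cannot edit this site.' ), 403 );
	}

	// 4. Validate every option value before writing it.
	$blogname = isset( $_POST['blogname'] )
		? sanitize_text_field( wp_unslash( $_POST['blogname'] ) )
		: '';
	if ( '' === $blogname ) {
		wp_send_json_error( array( 'message' => 'Site title is required.' ), 400 );
	}
	update_blog_option( $site_id, 'blogname', $blogname );

	wp_send_json_success( array( 'site_id' => $site_id ) );
}
```

The same example_user_can_edit_site() call belongs in the template that renders /edit-site/55/, so that changing the number in the URL yields a 403 page instead of another member's form; checking only when the form is submitted would still leak the current option values.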

Can I have 2 two home pages (authenticated and anonymous) in Orchard CMS?

The "content" section in my "home page" should be a Sign In widget I built, but once signed in I want people to be sent to see a "content" zone that is something they're now permissioned to see. For both pages I want people to be able to just visit my URL without anything after the URL name (i.e. www.xyz.com) and see a different "content" zone depending on whether they are signed in or not.
The problem I am facing is that Orchard sets "Authenticated" and "Anonymous" as layers, but what you set on those layers has to be set for every single page on the site. But my "home page" has different stuff happening than other pages on my site.
Is there a way, I can set separate content sections of the home page (i.e. when people just type in the base URL of my site) for both Authenticated and Anonymous?
Thanks.
A URL should correspond to a resource. Having two different resources behind a single URL, with the GET verb, affects SEO negatively, among other nasty effects. One thing you can do however, is redirect your authenticated users, from your home page, to a separate URL.
If you still want to go ahead with this, you can define your own layers that combine the conditions for home and for authenticated: url('~/') and Authenticated and url('~/') and not Authenticated should do the trick.

Allow user when registered to browse to username.host.com

I am using ASP.NET MVC3 and C# and IIS 7.5. I want that once a user is registered, he can browse my site using username.host.com, and this username should be available to me in my URL so I can show the data related to that particular username only. All the logic is the same for all users. I don't want to do any fancy thing like, if user1.host.com is entered, redirecting to a separate controller and action etc. All the application logic is the same for all users. I just want to change the way the URL is shown in the browser.
Also, if possible I want this to work on localhost also in IIS/Cassini.
E.g. if I browse to jaggu.localhost:19883, it should send me to localhost:19883/Home/index/Jaggu (because by default Home is the controller and index is the method).
I am completely clueless on how to achieve this. Any help would be appreciated.
You may need a star A record, like *.host.com that points to your host.com site.
On your default page (or elsewhere via something like an IHttpModule) reroute the request to where you want the registered user to land.
Google: URL Rewriting for more information.

Static Main Page (login page) on Drupal Install

I am starting to create a site that uses Drupal. One of my requirements is that nobody will see any "real" content until they log in. The home page will basically be a static page with a logo, some basic "this is what the site does" copy, and then a login form. If you don't login, you can then only see some other static pages (faq, legal, privacy, etc...) but you can't use the actual site. Think Facebook's login page, basically just fluff with a login form.
From searching around, I have found 3 different methods for this:
1. Create a page that is basically separate from the Drupal installation, but then when the form submits, check it against the Drupal DB and then proceed if logged in successfully. This would be done with Apache, maybe an .htaccess file directive to change the first served page.
2. Use the Front Page extension. I haven't looked at this too extensively; has anyone used it? Pros/Cons?
3. Somehow finagle the default Drupal "Home Page" functionality to allow this to happen. I would rather not have to do this, unless someone knows that there is an easy way to do this.
One of my requirements is that nobody will see any "real" content until they log in.
There is a permission that users need to have in order to access content on Drupal (access content); if anonymous users don't have that permission, then they will not be able to see any content.
Using the module you reported, you can create a different home page for anonymous users.
Solution #1 is not the ideal one, as it requires more work for something that can be obtained from inside Drupal. Keep in mind that the correct way to access the Drupal DB is to use the DB API Drupal comes with.
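The "access content" permission is the real access control; what a Facebook-style front door adds on top is that anonymous visitors are bounced to the login page rather than shown a bare "Access denied" on every link. The following is an added example of that bounce as a small Drupal 7 module, not code from the thread or from the Front Page module; the module name "loginwall" and the static page aliases faq, legal and privacy are assumptions.

```php
<?php
/**
 * @file
 * Hypothetical Drupal 7 module "loginwall.module" (added example, not code
 * from the thread). Anonymous visitors may reach the front page, the login,
 * registration and password-reset pages and a few static pages; any other
 * request sends them to the front page, where the login form lives.
 */

/**
 * Implements hook_init().
 *
 * Runs on every full page request, i.e. after the anonymous page cache has
 * been consulted, so clear the cache when enabling the module.
 */
function loginwall_init() {
  // Leave drush/cron runs and authenticated users alone.
  if (drupal_is_cli() || user_is_logged_in()) {
    return;
  }

  $path = current_path();
  $patterns = loginwall_public_patterns();

  // Match the system path (node/12) and, as block visibility does, its alias (faq).
  if (drupal_match_path($path, $patterns)) {
    return;
  }
  $alias = drupal_get_path_alias($path);
  if ($alias != $path && drupal_match_path($alias, $patterns)) {
    return;
  }

  // Everything else: the visitor has not logged in, send them to the front page.
  drupal_goto('<front>');
}

/**
 * Paths anonymous visitors may reach, in the pattern syntax used by block
 * visibility settings: "<front>" for the configured front page, "*" as a
 * wildcard, one pattern per line.
 */
function loginwall_public_patterns() {
  return implode("\n", array(
    '<front>',
    'user',       // the login form for anonymous users
    'user/*',     // user/login, user/register, user/password, user/reset/...
    'faq',        // assumed path aliases of the public static pages
    'legal',
    'privacy',
  ));
}
```

Pair this with revoking "access content" from the anonymous role, as the answer says: the redirect only covers page requests that reach hook_init(), while the permission also closes off RSS feeds, search and anything other modules expose. Because "<front>" resolves to whatever is configured as the site front page, the module works unchanged with the different anonymous home page the Front Page module provides.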
