I'm currently using a PHPBB2 forum for a section of one of my sites, and I would like to extend this site (add new pages, scripts, etc). I would like to restrict access to these pages to the users already logged in the PHPBB2 Forum.

In fact, if only members of a certain MemberGroup could access these pages, that would be great.

Is there a way to use the same login credentials on the rest of my site, and to check out which groups the members are from?

Thanks

(by the way, these pages are in PHP)

+1  A: 

Use PHPBB2's user table and its login and permissions code in the other pages. It's dirty but it works.

By using PHPBB2's code, I mean:

Dig into PHPBB2's code, figure out how PHPBB2 authenticates users, and copy the relevant chunks of code. If PHPBB2 is decently structured, you may be able to just include a couple of files from within PHPBB2 and use them without a major hack job. If it's not nicely structured, it's going to be dirty and ugly.

Don't forget to test your new secured additions to your website! Make sure that you get the hacks right.

epochwolf
I don't remember if phpBB2 has this, but phpBB3 has a documented API for logging in and doing related tasks.
R. Bemrose
A: 

If a user is logged into PHPBB, there's a good chance, though not always likely, that they will then have a cookie that you can read and help with checking who's who against the database.

In this case, you'll want to break the crumbs of the cookie below:

$_COOKIE["phpbb2mysql_data"]

Let's use an example and blow it out to find the data we need to query against the database. Below is the chunk found in the above cookie:

a:2:{s:11:"autologinid";s:0:"";s:6:"userid";s:1:"3";}

For this, you'll want to go in and extract that "3" which happens to correspond to the logged in PHPBB user.

Unserialize that data to yank that user_id out:

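 // Decode as a plain array only (no object instantiation) and force the id to an integer
 $goo = unserialize($_COOKIE["phpbb2mysql_data"], array("allowed_classes" => false));
 $extracted_id = (int) $goo["userid"];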

(Thanks to epochwolf for pointing out the above serialized form of that cookie)

That number will be good to run against the database to check out which group the member belongs to. And you would run the check against the phpbb_user_group table (if you had phpbb_ as the prefix of your forum tables.)

If you didn't want to keep track of the group IDs from the database, then you will need to do some kind of join and test against the name. Maybe something like this:

SELECT pug.user_id FROM phpbb_user_group pug 
 LEFT JOIN phpbb_groups g 
 ON pug.group_id=g.group_id
 WHERE pug.user_id='$extracted_id'
 AND g.group_name='Foo';

If you can pull a row out of that, then you've found yourself a logged in user who belongs to that Foo group.

random
-1 for improper handling of serialized data.
epochwolf
In case you didn't know, that cookie contains a serialized array. You should use php's unserialize() function to extract the data. http://www.php.net/unserialize
epochwolf
Thanks for the pointer on the serialized data, edited answer to make life easier.
random
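
A hardened form of the check described in the answer above, as an added example that is not part of the original post or phpBB's own code: the `userid` in `phpbb2mysql_data` is sent by the browser, so it is accepted only when the `phpbb2mysql_sid` cookie matches a logged-in session row for the same user. The `_sid` cookie, the `phpbb_sessions` table, the `user_pending` column and the 32-hex session id format are assumed from phpBB2's default schema; the function names are hypothetical.

```php
<?php
// Added example. Cookie, table and column names assume phpBB2 defaults ("phpbb2mysql", "phpbb_").

function cookie_user_id(array $cookies): int
{
    $raw = $cookies['phpbb2mysql_data'] ?? '';
    if (!is_string($raw)) {
        return 0;
    }
    // Decode as plain data only: a cookie must never be able to instantiate objects.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) && isset($data['userid']) ? (int) $data['userid'] : 0;
}

function user_in_group(PDO $db, array $cookies, string $group): bool
{
    $uid = cookie_user_id($cookies);
    $sid = $cookies['phpbb2mysql_sid'] ?? '';
    if ($uid <= 0 || !is_string($sid) || !preg_match('/^[0-9a-f]{32}$/', $sid)) {
        return false;
    }
    // The cookie's userid is only a claim; require a logged-in session row for that same user.
    $stmt = $db->prepare(
        'SELECT 1 FROM phpbb_sessions s
           JOIN phpbb_user_group ug ON ug.user_id = s.session_user_id
           JOIN phpbb_groups g ON g.group_id = ug.group_id
          WHERE s.session_id = ? AND s.session_user_id = ? AND s.session_logged_in = 1
            AND ug.user_pending = 0 AND g.group_name = ?'
    );
    $stmt->execute([$sid, $uid, $group]);
    return $stmt->fetchColumn() !== false;
}

// Constructed sample rows in an in-memory SQLite database, standing in for the forum's MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE phpbb_sessions (session_id TEXT, session_user_id INT, session_logged_in INT)');
$db->exec('CREATE TABLE phpbb_user_group (group_id INT, user_id INT, user_pending INT)');
$db->exec('CREATE TABLE phpbb_groups (group_id INT, group_name TEXT)');
$sid = str_repeat('ab', 16); // constructed 32-character session id
$db->exec("INSERT INTO phpbb_sessions VALUES ('$sid', 3, 1)");
$db->exec('INSERT INTO phpbb_user_group VALUES (7, 3, 0)');
$db->exec("INSERT INTO phpbb_groups VALUES (7, 'Foo')");

$data  = 'a:2:{s:11:"autologinid";s:0:"";s:6:"userid";s:1:"3";}'; // cookie value from the answer
$other = 'a:2:{s:11:"autologinid";s:0:"";s:6:"userid";s:1:"2";}'; // claims a user the session is not for
var_dump(user_in_group($db, ['phpbb2mysql_data' => $data, 'phpbb2mysql_sid' => $sid], 'Foo'));
var_dump(user_in_group($db, ['phpbb2mysql_data' => $data], 'Foo'));
var_dump(user_in_group($db, ['phpbb2mysql_data' => $other, 'phpbb2mysql_sid' => $sid], 'Foo'));
```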
A: 

You can use phpBB 2's user and group tables directly. As I recall, the password column is just an md5() of the actual password.

This trick no longer works in phpBB3, as the password is (finally) salted.

R. Bemrose