Script in a Member-Only area

Is it possible to put a php file in a member only directory that becomes a link? I’m setting up a TSP for my client. It will transfer the logged in user to have access to their website area. I need to put the .php in a member directory and then link to that file to complete the process.

Right now, I have it in the theme directory and linking on a member only page. I tried the s2member file directory. The shortcode for a button link didn’t work. Even without the button, I couldn’t get the link to work.

I think you need to rewrite this as I’m not at all clear what you mean.

So sorry about that.

Here’s a video: https://app.screencast.com/y2OsyDhe9JpXa

So it looks like you want to read the contents of a file and put some part of that file into a button/link which takes the user to a third party site, presumably in a secure way. Is that right?

Yes. Like that. I am to link to the file that is a script that passes the member to the library. I believe it passes our approved IP enabling the members to read their files. So, the php file needs to be in a member only area. This way no person who is not a member can use our link to access their library.


TBH this seems like a very insecure way to do this and I’d not do it that way. Especially if there is any sensitive information on either server. Sorry to be a Debbie Downer.

Personally I’d at least generate a secure token on the source site which can be checked on the destination site. Plus I’d use an actual button rather than a link, and one which triggers a form carrying this information via POST rather than a GET URI which is easily observed by a third party.

I’d be tempted to examine an OAUTH login system of some sort.


It’s journals. So not highly secure information. This is the other party’s request and their TSP script. I’m just trying to fulfill the task order.

I fully get what you’re saying, though.

OK, but I’d do this. I’d encode the member’s User_ID and timestamp into an encrypted post variable on the button’s form. Then the destination login script can decrypt it, see if it contains those two variables and only allow access if it does.

Good luck tho :+1: Talking clients out of bad ideas is hard work sometimes :smile:
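
The approach suggested in the post above, sketched as an added example that is not part of the original thread or the third party's TSP script: the source site seals the member's user ID and a timestamp with a shared key, and the destination accepts the POSTed value only if it decrypts and is recent. The function names, the 60-second window and the JSON payload layout are assumptions made for illustration.

```php
<?php
// Added illustration; make_handoff_token(), open_handoff_token() and
// MAX_AGE_SECONDS are hypothetical names. Needs PHP 7.2+ (bundled libsodium).
const MAX_AGE_SECONDS = 60; // assumed validity window

// Source site: seal user ID + timestamp into one value for a hidden POST field.
function make_handoff_token(int $user_id, string $key, ?int $now = null): string
{
    $payload = json_encode(['uid' => $user_id, 'ts' => $now ?? time()]);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox encrypts and authenticates, so any modification fails on open.
    return base64_encode($nonce . sodium_crypto_secretbox($payload, $nonce, $key));
}

// Destination site: return the user ID if the token is authentic and fresh, else null.
function open_handoff_token(string $token, string $key, ?int $now = null): ?int
{
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) <= $min) {
        return null; // not valid base64, or too short to hold nonce + MAC + data
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        return null; // wrong key or token was altered in transit
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || !is_int($data['uid'] ?? null) || !is_int($data['ts'] ?? null)) {
        return null; // decrypted, but does not carry both expected fields
    }
    $age = ($now ?? time()) - $data['ts'];
    if ($age < 0 || $age > MAX_AGE_SECONDS) {
        return null; // future-dated or expired
    }
    return $data['uid'];
}

// Constructed demo: the key is generated here; both sites would share one key.
$key = sodium_crypto_secretbox_keygen();
$token = make_handoff_token(42, $key, 1700000000);
var_dump(open_handoff_token($token, $key, 1700000030)); // checked 30 s after issue
var_dump(open_handoff_token($token, $key, 1700000500)); // checked 500 s after issue
$raw = base64_decode($token);
$raw[30] = chr(ord($raw[30]) ^ 1); // flip one bit of the sealed value
var_dump(open_handoff_token(base64_encode($raw), $key, 1700000030));
```

A token remains valid for the whole window, so a destination that needs single-use tokens would also have to record the ones it has already accepted.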

I get it but it isn’t their decision, so nothing to talk them out of. It was either this or give the other party all the members’ user creds so they can log in on that side. TSP was the better of the two options.

It appears that it is the server IP being passed through. Which is why they log in on our site and then click the link to go to the other site. I don’t think there’s anything security-wise that is an issue here. The server ID is being validated.

So, I still need to know how to add this file into a member-only folder and link to the file within a page. I have the page level 1 or above for viewing. I just need to figure out which folder to place this in and how to link to it without using a shortcode.

Appreciate your trying to help.
