[n] Template Security

Unmaintained [n] Template Security 1.1.0

Compatible XF 1.x versions
  1. 1.0
  2. 1.1
  3. 1.2
  4. 1.3
  5. 1.4
  6. 1.5
License
Apache 2.0 License
Visible branding
No
Enhance the security of your site using this very basic add-on. There has been a surprising increase in attacks on XenForo sites that inject malicious code into templates. Limiting access to all templates to yourself and a small handful of people may not always be possible, so this add-on lets you limit certain templates to certain users, reducing the exposure of key templates like login handlers, page_container, change password pages, etc. in case a staff account is compromised.

Features:
  • Limit access to certain templates
  • Give administrators normal template access and block only certain templates, rather than revoking all access
  • Securely limit templates through your library/config.php file, which means this cannot be affected by any web user - this must be done through the files
  • Ensure that normal administrators cannot disable this add-on - you must be a super admin (as defined in config.php) to disable this add-on
  • Send alerts to super admins when someone attempts to modify a protected template (which may reveal an account compromise or suspicious activity)
  • Prevent circumvention of this system - the add-on also checks template modifications

Installation
  1. Unzip aTemplateSecurity-{version}.zip
  2. Upload the contents of the upload directory to your XenForo installation
  3. Install the add-on by the following method:
    Admin CP -> Add-ons -> Install Add-on ->
    Install from uploaded file:
    Upload addon-aUserProfileProgress.xml
    OR
    Install from file on server:
    install/data/addon-aTemplateSecurity.xml
  4. The add-on should now install, and a short rebuilding process should occur. Once done, the installation has been successful!

Usage
By default, any administrator with normal template editing permissions will be able to edit templates. A template is only restricted once you list it explicitly. To do this, add this line to xf_root/library/config.php:
Code:
$config['template_security']['template_name'] = '1';
e.g.
Code:
$config['template_security']['helper_login_form'] = '1';
$config['template_security']['PAGE_CONTAINER'] = '1';
$config['template_security']['account_security'] = '1';
$config['template_security']['login_bar_form'] = '1';
(you may use this code if you wish; it restricts the templates where raw passwords are embedded).

Change '1' to the user IDs of the users you want to be able to edit this template.

Template names are case-sensitive, so enter each one exactly as XenForo names it. page_container will not work, because the template is PAGE_CONTAINER (it is capitalised), whilst helper_login_form is all lowercase, so a mixed-case or uppercase spelling will not work. Please ensure the capitalisation of each template name is correct.

In the features we mention that only super admins can disable this add-on. There is little purpose to the restriction if a normal administrator can disable the add-on and circumvent it. So, to disable this add-on, you must be a super admin. This isn't a super admin role exclusive to this add-on; we just use XenForo's default super admin system for this, defined by:
Code:
$config['superAdmins'] = '1';
in the same file.
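
Because a key with the wrong capitalisation does not restrict anything, it is worth checking the config against the site's real template titles. The following is an added example, not code from the add-on: the function name lintTemplateSecurity and the $knownTitles list are hypothetical, the sample data is constructed, and the comma-separated format for several user IDs is an assumption modelled on $config['superAdmins'].

```php
<?php
// Added example: lint $config['template_security'] against real template titles.
// $knownTitles is constructed sample data; on a live site, export the exact
// titles from your own template list.

/**
 * @param array $restrictions $config['template_security'] from library/config.php
 * @param array $knownTitles  exact template titles that exist on the site
 * @return array              problems found (empty when the config looks sane)
 */
function lintTemplateSecurity(array $restrictions, array $knownTitles)
{
    $problems = array();
    // Map lowercase title -> exact title, to detect case-only mismatches.
    $byLower = array();
    foreach ($knownTitles as $title) {
        $byLower[strtolower($title)] = $title;
    }

    foreach ($restrictions as $name => $userIds) {
        if (!in_array($name, $knownTitles, true)) {
            $lower = strtolower($name);
            $problems[] = isset($byLower[$lower])
                ? "'$name' protects nothing: the template is named '{$byLower[$lower]}'"
                : "'$name' matches no known template";
        }
        // Assumption: several IDs are comma-separated, like $config['superAdmins'].
        foreach (explode(',', (string) $userIds) as $id) {
            $id = trim($id);
            if (!ctype_digit($id) || (int) $id < 1) {
                $problems[] = "'$name' has an invalid user ID: '$id'";
            }
        }
    }
    return $problems;
}

// Constructed sample config with two mistakes.
$config['template_security'] = array(
    'helper_login_form' => '1',
    'page_container'    => '1',        // wrong case: the title is PAGE_CONTAINER
    'account_security'  => '1, admin', // a username where a user ID is expected
);
$knownTitles = array('helper_login_form', 'PAGE_CONTAINER', 'account_security', 'login_bar_form');

foreach (lintTemplateSecurity($config['template_security'], $knownTitles) as $problem) {
    echo $problem, PHP_EOL;
}
```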

Open source
This add-on is open source, licensed under the Apache 2.0 License. Repository: https://github.com/nanocodeio/template-security

Note that support and updates are not provided for this add-on. If you need support, please reply to the thread. If you find a bug in the add-on, please open an issue on the repository linked. We appreciate all contributions to the add-on, and if you're able to make the changes yourself we'd appreciate it if you'd PR the changes back into the repository for the use of others.
Author
nanocode
Downloads
92
Views
917

Ratings

5.00 star(s) 2 ratings

Latest updates

  1. 1.1.0 Update

    Feature Additions: Alerts will now be sent to all super admins if a restricted template is...

Latest reviews

As is often said: "An ounce of Prevention, is worth a POUND of Cure."

That is sage advice to any administrator and this add-on can go a l-o-n-g way in protecting both your forum -and- your user's private data. The potential for the amount of hours this single add-on could save you is staggering, if/when someone ever tries to hack your forum.

It was developed in response to a security breach on TheAdminZone and works very well to arrest several issues that may arise (sooner or later) with any co-Administrators on your own forums. (Ref: https://theadminzone.com/threads/security-breach.138687/)

HIGHLY RECOMMENDED & THANXX to Apantic for taking the time/effort to develop this top-notch add-on!
Nice to have an add-on that helps with securing our forums from malicious code and attacks. Thanks for releasing it.