Author Topic: Virtuemart only for registered users  (Read 8905 times)

steve10001

Virtuemart only for registered users
« on: November 05, 2009, 19:53:20 pm »
Hi all,

Is it possible to make VirtueMart only accessible to registered users BUT having the Shop menu shown in the webpage menu?

i.e.
an unregistered user can see "shop" in Joomla's main menu, but once they click on this item they're forced to either login or register BEFORE they have access to the shop.

Thanx in advance for any replies

p.s. there are a huge amount of unanswered posts here asking the same question, the ones that have been answered seem to just trail off with no real solution :-(
it was like that when i got here.

MikeUK

Re: Virtuemart only for registered users
« Reply #1 on: November 05, 2009, 20:33:04 pm »
Hi there

The only way I can think of doing this is to make the Shop button link to a customised login view (you can link a button to the standard login view), and this file modified to display login for users not registered, and the main shop page for users that are.

However, that wouldn't stop users accessing other pages directly if they know the URL. This may have already been mentioned in the other threads. I recommend giving a summary of anything suggested or tried that may go some way to doing what you need.
Get answers faster:

I can build your online shop, setup or customize Virtuemart or help your existing shop maximize its potential. Email / PM for info

rb

Re: Virtuemart only for registered users
« Reply #2 on: November 05, 2009, 23:10:59 pm »
Perhaps you could combine Mike's suggestion along with changes to VirtueMart permissions.  For instance, under Admin->List Modules, you could change permissions for "shop" to be "admin", "storeadmin" and "shopper" (not "none") and then users would need to be logged on to view other pages, even if they know the URL.  Un-logged-on users could still get to "Forgot Password" and "Lost Username".  There's an issue getting to "Register", but if that's the only problem, that could be addressed with a hack.
Thoughts anyone?

Bob Weaver

Re: Virtuemart only for registered users
« Reply #3 on: November 11, 2009, 06:54:46 am »
I had this same issue with my site. I charge an annual membership fee to get into the site because it is a product review site. Users can't access any of the VirtueMart section until they register and buy a membership using AEC Subscription Manager, and then log in. However, I discovered that somehow Google's bot was able to get past that, and indexed every product and page on my site. Probably some of the other search engines also have, but I haven't looked around yet.

If a person finds the page in Google and clicks on the "Cached" link they get the full page with content that they should not see. However, anyone can still get the URL to the product page through Google and then go directly to the product's page in VirtueMart, without logging in to Joomla. When they do that they are able to see the text, as well as photos and video that they are forbidden to see unless they are a paid subscriber. Thus, they could basically use Google as the search mechanism for my VirtueMart installation, and get the information without ever buying a membership.

To fix this for now, I used rb's suggestion above, and set the permissions for "shop" to be "admin", "storeadmin" and "shopper" only.  I did not implement MikeUK's suggestion to modify the Shop button link. After changing those permissions, if someone now searches for a product on Google and gets the URL to the product page, and clicks on that link, they do come to my site but instead of the product info they see the message, "Error: You do not have permission to access the requested module" along with a login form.

This has solved the problem for now of unregistered guests gaining access to the catalog. However it seems to me like only a partial solution. The subscription component I am using to charge subscriptions is "AEC Subscription Manager" and it asks the new visitor to register first then sells them the subscription. If they register a username but then don't buy the subscription, they still show up in the Joomla user list as a registered member and they appear on the VirtueMart user list as well. It still seems like there is a hole that they can get in with.

To combat this, I have to check every day for users that registered a username but did not buy the subscription, and then delete those users. When I was first trying to solve this problem, I was looking around in the general configuration settings for VirtueMart for a simple switch that would turn off VirtueMart completely for any user that is not logged in to Joomla. If this feature was implemented it would make it a little easier to prevent "outsiders" or "crashers" from gaining access to the content within VirtueMart.

Thank you for the suggestions provided in this thread.

MikeUK

Re: Virtuemart only for registered users
« Reply #4 on: November 11, 2009, 10:56:46 am »
Interesting.... I think rb's suggestion is the important bit here. In your case, everyone who is 'shopper' should also be a subscriber, right?

If so, seems to me the real issue is the way AEC deals with its part. I guess there is a reason why a user is registered first before subscribing, although I don't quite see the logic. Do I presume then that with AEC, the only difference between a paid and non-paid member is in the AEC database table?



rb

Re: Virtuemart only for registered users
« Reply #5 on: November 11, 2009, 16:17:09 pm »
Bob, I believe you may be able to solve your issue by having someone familiar with AEC's "MicroIntegration API" make these changes:

1. When a new user registers, have their VM permissions be set to "demo" instead of the existing default permissions of "shopper".  Users with VM permissions of "demo" are still blocked from the shop's content per the above permissions change.

2. When AEC confirms the subscription, have AEC change the permissions from "demo" to "shopper".

I believe that these can be performed via AEC's "MicroIntegration API".  They state that there is an existing VirtueMart MicroIntegration, so that module would need to be modified.  Specifically, it needs to modify the field named "perms" in the VM database table "jos_vm_user_info".

If by chance the AEC VM MicroIntegration uses the VM function ps_shopper::add, then step #1 above merely requires changing "shopper" to "demo" in line 364 of the file /administrator/components/com_virtuemart/classes/ps_shopper.php.


Update: Don't modify ps_shopper.php.  Instead, you can perform step 1 by modifying the AEC file:
/components/com_acctexp_0_12_6/micro_integration/mi_virtuemart.php
Change line 155 from:
Code:
. ' VALUES(\'' . $inum . '\', \'' . $metaUser->userid . '\', \'BT\', \'' . $lastname . '\', \'' . $firstname . '\', \'' . $middlename . '\', \'' . $metaUser->cmsUser->email . '\', \'' . time() . '\', \'' . time() . '\', \'shopper\', \'Checking\')'
to
Code:
. ' VALUES(\'' . $inum . '\', \'' . $metaUser->userid . '\', \'BT\', \'' . $lastname . '\', \'' . $firstname . '\', \'' . $middlename . '\', \'' . $metaUser->cmsUser->email . '\', \'' . time() . '\', \'' . time() . '\', \'demo\', \'Checking\')'
I'm not familiar enough with AEC to figure out where to do step 2.  Do not do step 1 only - you must do both or neither.
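
Added example, not part of rb's post and not AEC or VirtueMart code: a reconciliation pass that enforces both steps against the `perms` field of `jos_vm_user_info`, promoting paid users and demoting anyone left as "shopper" without a paid subscription, which also automates a manual check for registered-but-unpaid users. The `user_id` column, the `aec_subscription` table and all rows are constructed stand-ins; "Active" and "Manual" are the AEC states named in this thread.

```python
import sqlite3

# Constructed schema: only jos_vm_user_info and its "perms" field come from the
# thread; the user_id column and the aec_subscription table are assumptions.
SCHEMA = """
CREATE TABLE jos_vm_user_info (user_id INTEGER PRIMARY KEY, perms TEXT NOT NULL);
CREATE TABLE aec_subscription (user_id INTEGER PRIMARY KEY, status TEXT NOT NULL);
"""
# Constructed sample rows; user 6 has no subscription row at all.
VM_USERS = [(1, "admin"), (2, "shopper"), (3, "shopper"),
            (4, "demo"), (5, "demo"), (6, "shopper")]
AEC_ROWS = [(2, "Active"), (3, "Manual"), (4, "Active"), (5, "Manual")]


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO jos_vm_user_info VALUES (?, ?)", VM_USERS)
    conn.executemany("INSERT INTO aec_subscription VALUES (?, ?)", AEC_ROWS)
    return conn


def reconcile(conn):
    """Align VM perms with subscription state; return (promoted, demoted) ids."""
    active = "SELECT user_id FROM aec_subscription WHERE status = 'Active'"
    # Step 2 of the post: paid users still on "demo" become "shopper".
    promote = [r[0] for r in conn.execute(
        "SELECT user_id FROM jos_vm_user_info WHERE perms = 'demo' "
        f"AND user_id IN ({active}) ORDER BY user_id")]
    # The hole step 1 closes: "shopper" without a paid subscription.
    # admin and storeadmin rows are never touched.
    demote = [r[0] for r in conn.execute(
        "SELECT user_id FROM jos_vm_user_info WHERE perms = 'shopper' "
        f"AND user_id NOT IN ({active}) ORDER BY user_id")]
    with conn:  # one transaction: both changes apply or neither does
        conn.executemany(
            "UPDATE jos_vm_user_info SET perms = 'shopper' "
            "WHERE user_id = ? AND perms = 'demo'", [(u,) for u in promote])
        conn.executemany(
            "UPDATE jos_vm_user_info SET perms = 'demo' "
            "WHERE user_id = ? AND perms = 'shopper'", [(u,) for u in demote])
    return promote, demote


def perms_of(conn):
    """Current user_id -> perms mapping, for inspection after a run."""
    return dict(conn.execute("SELECT user_id, perms FROM jos_vm_user_info"))
```

Running the pass a second time changes nothing, so it can be scheduled and its return value logged as a record of who was promoted or demoted.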

Bob Weaver

Re: Virtuemart only for registered users
« Reply #6 on: November 11, 2009, 20:20:53 pm »
Thanks to both of you for the replies. I will look into the microintegration of AEC and VirtueMart and see if I can make those changes. If so that would solve that problem and I wouldn't have to keep checking the user base. I'll also make a note of it on the AEC forum. I think AEC has them register first, saves that and then asks for payment, so that if they fail to pay and come back later it will remember them and ask them again for payment. AEC puts users who have registered but not paid in a "Manual" section rather than "Active" and then moves them to "Active" when they finally pay, but their Joomla user status is as a Registered user as soon as they merely register a username, password and email address, even if they haven't paid. That's how I understand it, but maybe there is more to AEC than I realized.

Ideally all registered and paid users automatically become shoppers in Virtuemart, and anonymous visitors, or registered users who have not paid do not get listed as anything in Virtuemart. It would be nice if there was a single method for dealing with users. As it is now there are 3 places I see lists of users: the Joomla user list, the AEC list and the VirtueMart list. Ideally they all match but sometimes there are discrepancies from one list to the others. It would be nice if these were all handled in a single user management area rather than being separate areas.

Another problem I have now is that all of my VirtueMart content is sitting in Google's servers now, and anyone could see it on Google alone, if they type in the right search strings. I don't think anyone is, but it's still possible and there are over 6,000 such pages. I'm hoping that the next time Google crawls my site, they will update all those pages to newer versions which either are not cached at all, or if they are, have the error/login message instead.

I added a line to my Joomla template index.php in the head area,  <meta name="robots" content="noarchive">

This tells any spiders or crawlers to index the page but not archive the full contents of the page, so the visitor to Google will not see a "Cached" link.

So now, <meta name="robots" content="noarchive"> is in the head of all pages, but I noticed that  <meta name="robots" content="index, follow" /> is also there in every page. I don't know where in Joomla that second meta tag is being produced but if I could find it I would delete it. I'm hoping that the "noarchive" tag will overrule the "index, follow" tag when Google does read the page.

It would be nice if VirtueMart included a simple form or field to add tags to pages as they are generated, so that I could just type in <meta name="robots" content="noarchive"> into that field, and product pages generated by VirtueMart would automatically have that tag included.
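
Added example, not from the original posts: Google combines the directives of every robots meta tag on a page, so `noarchive` alongside `index, follow` means indexed, followed and not cached. The check below collects all robots meta tags from rendered HTML and lists the pages that still permit a cached copy; the URLs and HTML are constructed samples.

```python
from html.parser import HTMLParser

# Directives under which a search engine offers no cached copy; a page kept
# out of the index ("noindex", "none") has no cached link either.
BLOCKS_CACHE = {"noarchive", "noindex", "none"}

# Constructed sample pages (URL path -> rendered HTML).
PAGES = {
    "/shop/product-a": '<html><head><meta name="robots" content="noarchive">'
                       '<meta name="robots" content="index, follow" /></head></html>',
    "/shop/product-b": '<html><head>'
                       '<meta name="ROBOTS" content="index, follow" /></head></html>',
    "/shop/product-c": "<html><head><title>no robots tag</title></head></html>",
}


class RobotsMetaCollector(HTMLParser):
    """Collect the content of every <meta name="robots"> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.tags.append(a.get("content") or "")


def effective_robots(html):
    """Return (raw tag contents, union of all directives, lower-cased)."""
    collector = RobotsMetaCollector()
    collector.feed(html)
    directives = set()
    for content in collector.tags:
        directives.update(d.strip().lower() for d in content.split(",") if d.strip())
    return collector.tags, directives


def pages_missing_noarchive(pages):
    """Return the URLs whose combined directives still allow a cached copy."""
    return sorted(url for url, html in pages.items()
                  if not (BLOCKS_CACHE & effective_robots(html)[1]))
```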