Category Archives for "Access Control"

Approving Users Before Access Is Enabled

Problem

“Will DAP allow me to manually approve members before their new accounts are activated? The process should be…
a) new user signs up, DAP prompts that the account is pending approval
b) Admin approves the account manually and email is sent to new member with their password and login details”

Solution

Yes, this can be achieved by enabling the “Double Optin” for a product.

So, normally, when a DAP Product is made “Double Optin” by entering the double-optin subject and email text on the “Email Notifications” tab of the product, and a user signs up for this product (whether as a free sign up or as a paid purchase or Admin-add), DAP will send them the content of this double-optin email first.

And usually, the body of this email would contain the %%ACTIVATION_LINK%% merge tag, which would become the confirmation link that the user has to click on first, before their product access status becomes “Active” (from “Inactive”). And as soon as the user clicks on the confirmation link, their product status becomes active, and then the “Welcome Email” is sent out right away, and now the user can log in and start accessing the content that is protected as part of that product.

Using Double-Optin To Force Approval

If you make the DAP product double-optin, but remove the %%ACTIVATION_LINK%% merge tag from the email body, the user/member will still get the email, but there is no activation link (confirmation link) in it for them to self-activate their account. So the email would just say something like…

“Thank you for your purchase/signup. Your account needs to be activated by us. So appreciate your patience while we do so”.

Now, their account remains at “Inactive” status. And only you, the DAP Admin, can activate it.

By now, you would’ve gotten the admin notification email for this person’s signup. So you know their email id. If not, you can just go to DAP > Users > Manage and you’ll see all inactive users.

You would then click on “Modify” to activate product access. And if the user status is also “Inactive”, then you would edit the user info, and change their status to “Active” (from “Unconfirmed”).

And then make sure you’ve added an autoresponder email (that contains the user’s email and password – insert mergecodes %%EMAIL_ID%% and %%PASSWORD%% into the email) to go out on Day #2 for that product.

And assuming you will be approving this new user at some point within the first 2 days, the autoresponder email for day #2 will get triggered within the hour as soon as you activate their account, and the user will get their welcome email.

Or you can send them the password in the double-optin email itself, but tell them that they won’t be able to log in just yet until their account is activated. It’s all up to you – DAP is as flexible as you need it to be.

So that’s how you would use the Double-Optin feature to indirectly force an “Approval” process.


Access Expiration Options

In DAP 4.7, we have added a new feature to the hourly dap cron where once every day (it’s hardcoded to run ONCE between 10:00 PM – 11:00 PM PDT) the cron will look for users whose access expired that day.

You can configure the Cancellation Options in DAP Products page -> Cancellation & Expiration tab.

Then based on these settings, the DAP Hourly Cron will check if the current time is between 10:00 – 11:00 pm PDT (Server time), and if yes, it will take a look at each product, pick up the ‘Expiration Action’ setting for that product, then get a list of ALL users whose access to that product has expired and apply the ‘Expiration Action’ to that user->product record in DAP users -> manage page.

The reason the DAP Cron checks the current time and runs the ‘expiration job’ only once a day is because running it too often will burden your server/resources as this job needs to pick up all products and then apply the cancellation rule to all users whose access has expired.

The main thing is to make sure it only runs once. It does not matter if that’s between 10 – 11 or 11 – 12 etc. We just picked the time to be between 10 – 11 PM (server time).

1) No Action

User’s access will auto-expire at the end of the current recurring cycle. If the user re-signs, they will start from where they left off instead of starting over at day 1.
In fact, this is how all older versions of DAP already work.

Say a user cancelled access to a subscription product before, and the same user now wants to start back after a break of a couple of months. If you have selected NO ACTION as this product’s expiration setting (in DAP Products page -> Cancellation & Expiration tab), then when the user re-signs, their dripping will resume from where they left off and will not start fresh again from day 1.

Say a user’s access start date is 07/01/2014 and access end date is 07/30/2014. When the cron runs on 07/31/2014 and finds the user’s access has expired, it won’t do anything.

If the same user re-signs for the same product on 08/30/2014 using the same email id, their access start date will be what it was before (07/01/2014) and their new access end date will simply be extended from what it was before. It will be set to previous access end date (07/30) + 30 days instead of new signup date (08/30) + 30 days. User’s access to product will remain expired. You will have to set post-expiry access to “Y” in dap setup->config page for access to ‘paid-for content’.

See this for more details: Cancellation

2) Remove From Product

If selected, DAP will automatically find users whose access to this product has expired and completely remove their access to the product.
You will need this setting to prevent access for expired users. Users will completely lose access to the product.
If these users sign up again, they will start over like a new member.

3) Set end date to previous day

To enable this option, you will have to first enter the following in /dap/dap-config.php file.

FTP to your site, find the dap-config.php file, and add the following line towards the top, right after the PHP start tag (<?php):

if (!defined('EXPIREACCESS')) define('EXPIREACCESS', 'Y');

IMPORTANT: The quotes in the line above must be plain single or double quote characters. If copying it produces backticks or curly quotes, replace all of them.

Then upload back to your site (under dap folder).

We are forcing the dap-config.php setup in DAP 4.7 so users do not pick this option by mistake. We also want this feature to be fully BETA tested (in DAP 4.7), and then we will remove the extra steps (adding lines to dap-config.php).

After you set this in dap-config.php, this dropdown option will be available in the ‘expiration action’ dropdown.

If you pick this option for a product, then DAP CRON will automatically find a list of expired users (whose access has expired to this product) nightly and move the expired user’s access start and end day (set the access end date to the previous date).

When the cron wakes up and runs this job once every night at 10:00 PM, it will move the user’s access start / end date forward in such a way that the user’s access will remain expired but the access end date will not be stuck somewhere in the past. It will always be set to the previous date (relative to the current date).

Say a user’s access start date is 07/15/2014 and access end date is 08/15/2014.

When the cron runs on 08/16/2014 and finds the user’s access has expired, it will set the access end date to previous date.

So first time when the cron runs after the user’s access expires, nothing will happen. The access end date will remain 08/15 as it’s already set to previous date.

When the cron runs on 8/17, it will move the access start and access end window forward, so the new access start date will be 07/16 (moved forward by 1 day) and the end date will be 8/16 (moved forward by 1 day).

This way the user’s access is still expired (as it’s always set to previous date) but the access dates are not stuck in the past.

If they re-sign, when DAP extends access, the access end date will be in the future instead of being expired.

If the cancelled user re-signs, the user’s access will not remain expired as their access will be extended from the current access end date to a date in future and the dripping will continue from where they left off.
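The three expiration actions described above, modelled as an added example so the re-signup outcomes can be compared on the page's own dates. This is not DAP's code: the names `Access`, `nightly_expiration`, `resign` and `simulate` are hypothetical, the 30-day cycle is taken from the page's examples, and a re-signup after removal is assumed to run from the signup date plus 30 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

CYCLE = timedelta(days=30)  # 30-day cycle, taken from the page's worked dates


@dataclass(frozen=True)
class Access:
    start: date
    end: date


def is_expired(acc: Access, today: date) -> bool:
    # The page treats an end date of "yesterday" as expired, so: end < today.
    return acc.end < today


def nightly_expiration(acc: Optional[Access], today: date, action: str) -> Optional[Access]:
    """One nightly expiration pass for a single user->product record (model only)."""
    if acc is None or not is_expired(acc, today):
        return acc
    if action == "no_action":
        return acc          # dates stay frozen in the past
    if action == "remove":
        return None         # the user->product record is removed
    if action == "previous_day":
        # Slide the whole window so that end == yesterday. The start date moves
        # by the same amount, so the record stays expired but never ages.
        shift = (today - timedelta(days=1)) - acc.end
        return Access(acc.start + shift, acc.end + shift)
    raise ValueError(f"unknown action: {action}")


def resign(acc: Optional[Access], today: date) -> Access:
    """Re-signup: extend from the stored end date, or start fresh if removed."""
    if acc is None:
        return Access(today, today + CYCLE)   # assumption: new member window
    return Access(acc.start, acc.end + CYCLE)


def days(first: date, last: date) -> Iterable[date]:
    """Every calendar day from first to last, inclusive (one cron run per day)."""
    for n in range((last - first).days + 1):
        yield first + timedelta(days=n)


def simulate(action, start, end, cron_days, resign_day):
    """Run the nightly job on each cron day, then re-sign; return (record, active?)."""
    acc = Access(start, end)
    for d in cron_days:
        acc = nightly_expiration(acc, d, action)
    acc = resign(acc, resign_day)
    return acc, not is_expired(acc, resign_day)


if __name__ == "__main__":
    # Constructed scenario using the page's "No Action" dates: access ends
    # 07/30/2014, the job runs nightly through 08/29, the user re-signs on 08/30.
    runs = list(days(date(2014, 7, 31), date(2014, 8, 29)))
    for action in ("no_action", "remove", "previous_day"):
        acc, active = simulate(action, date(2014, 7, 1), date(2014, 7, 30),
                               runs, date(2014, 8, 30))
        print(f"{action:13} start={acc.start} end={acc.end} active_after_resign={active}")
```

With "no_action" the extended end date lands on 08/29 and the re-signed user is still expired, which is the case the page covers with the post-expiry access setting; the other two actions leave the user active after re-signup.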

IMPORTANT:  ADDITIONAL INFORMATION

1)  EXPIRATION: SET ACCESS TO PREVIOUS DATE

We recommend that you enable this option on a test product first. DO NOT use this option on an actual live product. Add a few test users to the test product. Move their access start/end date manually to a date in the past. Make a note of it. Enable the admin option to ‘move date to previous date’ for this product. Then run the cron manually. Go back to the DAP manage users page and check the new access start / end dates for these users. If all looks good, then use it for live products.

2) CRON JOB:

The dap cron (dap-cron.php) runs once every hour at the top of the hour… but it will only do the expiration job between 10- 11 PM (server time). The expiration part of the cron only executes once a day.

To force run the cron, open this URL in a browser (don’t run the cron too close to the top of the hour, as it will collide with the normal cron run):

http://yoursite.com/dap/dap-cron.php?forcerun=Y (replace yoursite.com with the name of your site)

 


How To Test Member Access

We do NOT recommend testing your regular member’s user experience while you are logged in as DAP/WP Admin.

Being logged in as DAP Admin and WP admin gives you certain privileges that your regular user/member won’t have. So you may see things that your members won’t be seeing. Or you may not see things that a regular user would normally see.

Either way, you may not be seeing what you’re supposed to see when you mix user testing with admin privileges.

So we recommend that you use two completely different browsers for testing: say, Chrome (or your primary browser) for WP & DAP Admin, and Firefox (or other) for logging in as regular user.

That way, you won’t have to keep logging in and out of DAP and/or WP to test as both admin and user.

Keep them both separate.

If you are wondering how can the DAP Admin actually login as a member to see what they’re seeing – a critical feature during initial testing as well as troubleshooting a live site when a member says they’re having trouble accessing certain content, then continue reading.

You can use our “Login As Member” feature, where the DAP Admin would go to http://YourSite.com/dap/loginAs.php.

This page will present 3 form fields:
1) Email id of member you wish to log in as.
2) DAP Admin Email
3) DAP Admin Password

If you do not know what your DAP admin email / password is, you can click on your admin name in DAP Admin -> Users-> Manage page and update your admin password. The DAP Admin password is NOT the same as your WP admin password.

Once DAP verifies that it is indeed the DAP Admin trying to log in as someone else, DAP will log you into the site as that member whose email id you entered in (1) above.

NOTE: The Login As Member (LAM) feature does NOT mean that you can use just one browser to log in as both DAP Admin and regular member. You still need to use two separate browsers – one for DAP admin (like Chrome) another for regular member (Firefox). All LAM does is give you a workaround for logging in as someone else, because starting 4.4.x, the DAP Admin can no longer see what the member’s password is in order to log in as them.


Dripping Content

Once you have protected content by adding it from left-to-right on the “ContentResponder” tab of the Products > Manage page, you can set the dripping day/date and link display text and other drip options, by launching the “Drip Settings” popup (see “1” below) by clicking on the “Edit” icon next to the content you wish to drip.

When you add any content (WP page/post or file), it is set to drip on day #1 by default. This effectively means “no dripping”: the content is available to the member from day 1 of their purchase/signup.

 

1. Shows the “Edit” icon on the “ContentResponder” tab, and clicking it will bring up the “Drip Settings” popup (that shows 2, 3 & 4).

2. On the drip settings popup, the “Link Text” refers to the display text of the link that will be shown to the member on the “My Content” page.

3. If you wish to protect a link, but just NOT show it in the list of links on the “My Content” page, then set this to “No”.

4. Drip Settings: In DAP, you can drip content by Day, Date or restrict access by # of Clicks. You can only choose one method (eg., you cannot drip by day and date at the same time).

 

Protecting Draft Content

Now, normally, links to pages or posts show up in the left-hand side of the ContentResponder tab of the DAP Product only after they’ve been published.

But sometimes, for whatever reason, you may wish to protect pages or posts even before they are published – like in a “Draft” or “Pending Review” status. So here’s what you do.

As soon as you first create a new post or page, and tab out of the title field, and even before you save the post as a draft, or publish it, WordPress will create and display the permalink for that post/page, based on the text in your title.

So, if your page title is “Protecting Draft Pages”, then the default permalink will take on the structure http://YourSite.com/protecting-draft-pages – basically a lower-case version of the title, with hyphens separating the words. Like this…

You can then copy that entire permalink from where it is displayed, go to the DAP Product’s ContentResponder section, scroll down to the section that says “Protect a URL”, and then paste the entire permalink there (http://YourSite.com/protecting-draft-pages), and click “Add URL”.

That will protect this page or post in advance of it being published.


Group Memberships And Sub-Accounts

So you want to use DAP to sell group memberships or sub-accounts.

Eg. 1) A group membership – or multi-user account – that a School/College/Teacher can buy on behalf of their students. It’s either a one-time product, or could be a subscription product. In that case, buyer keeps paying monthly, and when they stop paying, all sub-users (child accounts) get disabled.

Eg. 2) Company A pays $X for up to 20 of its employees to have individual memberships. To begin with, the money is collected in one lump sum and DAP grants 20 memberships. Then each month Company A pays the Corporate/Umbrella/Bulk Membership and DAP gives credit to the individual memberships. If Company A fails to pay, all the “sub” members underneath lose access.

How To Implement Group/Bulk Memberships

DAP doesn’t directly support sub-memberships or sub-accounts yet. We already have this on our humongous to-do list :-). And we definitely plan on implementing it soon. But for now, here’s a work-around for making this happen. It’s fairly simple, yet it is manual, and cannot be automated yet.

  1. You would set up a One-Time product in DAP called, say, “20-Seat Membership“. If you wish to sell different quantities of “seats” or “licenses”, then you have to create as many products (like “5 Seats”, “10 seats”, “50 seats”, etc).
  2. In the welcome email, you would instruct the buyer to email you a CSV file with 20 (or as many as your product allows) names and email id’s, one per line, in this format (EMAIL,FIRST,LAST):
    student@gmail.com,John,Student
    another@yahoo.com,Jill,Freshman
    ...
    member20@yahoo.com,Joe,Senior
  3. And then, using DAP’s bulk-import feature, in one fell-swoop, you can add all 20/50/100 to your membership site and give them all their own accounts, usernames and passwords, that they can all use to independently log in to your web site.
  4. In Step 1 above, we advised making this a One-Time product. The reason is that you give life-time access first, and if they stop paying, then you cancel manually. So if the main buyer stops paying the subscription, this is the only time you will have some manual work: searching for those 20/50/100 email id’s on the Users > Manage page, and then clicking on “Remove” on their user row, so that they completely lose access.
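A pre-import check for the buyer's seat list from Step 2, as an added example (not part of DAP or its bulk-import feature). The function name `check_seat_list` and the sample rows are constructed for illustration; the check rejects malformed rows and duplicates and flags lists that exceed the number of seats purchased, since nothing else in this manual workflow enforces that limit.

```python
import csv
import io
import re

# Deliberately simple address check: one "@", a dot in the domain, no commas or spaces.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def check_seat_list(csv_text, seats):
    """Validate EMAIL,FIRST,LAST rows against the purchased seat count.

    Returns (accepted, problems): accepted is a list of (email, first, last)
    tuples with the email lower-cased; problems is a list of (line, message),
    with line 0 used for whole-file problems.
    """
    accepted, problems, seen = [], [], set()
    reader = csv.reader(io.StringIO(csv_text))
    for row in reader:
        line = reader.line_num
        fields = [c.strip() for c in row]
        if not any(fields):
            continue  # skip blank lines
        if len(fields) != 3:
            # Typical cause: a comma typed instead of a dot inside the address.
            problems.append((line, f"expected 3 fields (EMAIL,FIRST,LAST), got {len(fields)}"))
            continue
        email, first, last = fields
        key = email.lower()
        if not EMAIL_RE.match(email):
            problems.append((line, f"invalid email address: {email!r}"))
        elif not first or not last:
            problems.append((line, "first or last name is empty"))
        elif key in seen:
            problems.append((line, f"duplicate email address: {key}"))
        else:
            seen.add(key)
            accepted.append((key, first, last))
    if len(accepted) > seats:
        problems.append((0, f"{len(accepted)} valid rows but the product allows {seats} seats"))
    return accepted, problems


# Constructed sample input (not real member data).
SAMPLE = """\
student@example.com,John,Student
another@example,com,Jill,Freshman
STUDENT@example.com,Johnny,Student
third@example.com,,Senior
fourth@example.com,Ann,Junior
"""

if __name__ == "__main__":
    ok, bad = check_seat_list(SAMPLE, seats=2)
    print("accepted:", ok)
    for line, msg in bad:
        print(f"line {line}: {msg}")
```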

Until we include this feature in DAP and make it automated, there are two ways to look at this.

One: You could say, it’s too much work to remove 20/50 emails when the main buyer cancels. OR…

Two: Since this is a group membership, you are hopefully charging them a good fee for this (if not, then you certainly should!). So you can always hire someone for $5 or $10 per hour on Odesk and have them do the removal of those email id’s. Removing 50 email id’s would take about 20 minutes at most. And you would need to do this only when they cancel, which can happen only once per group membership.

So hope that helps give you some ideas.

Hope this makes sense.

OptimizePress Issues

1) OptimizePress 1.x CSS Issue

Problem

You try to visit a protected page that you’re not eligible to view, and see an ugly page full of unformatted links.

Solution

  • Create a custom error page in WP – like http://YourSite.com/error/
  • When creating the above page, select the OptimizePress template “DAP Error Page”
  • In the body of that error page, enter something like this:
    Sorry, you do not have access to this content.
    If you are already a member, click here to login.
    If you are not a member yet, then click here to get access.
  • In the above example, link the text “click here to login” to your stand-alone DAP login page (eg., http://YourSite.com/login/). And link the “get access” text to your sales page.
  • Then take this error page’s URL – which is http://YourSite.com/error/ – and enter it into the “Error Page URL” field of all DAP Products.
  • Also enter this same URL into DAP Admin > Setup > Config > “Error Page URL (Global)”.

Save, and that will no longer display the ugly error page going forward. Instead, it will redirect the user to the above custom error page.

2) OptimizePress 2.x Content Protection Issue

Problem

You try to visit a protected page that you’re not eligible to view, yet you are still able to see all of the content. Or the page appears messed up with missing menu items or formatting issues.

Solution

  • Make sure “Sneak-Peek” is turned OFF – it won’t work with OptimizePress 1.x or 2.x.
  • Follow all of the same steps from Problem 1 and create a custom error page.

Download Protection: Fact & Fiction

FACT: Anything that you put out on the web, can be downloaded – one way or the other.

FACT: People who are out to steal stuff, will steal it no matter what.

FACT: By taking security too far, you will only annoy and irritate 99% of your members who have absolutely no intention of ripping you off or stealing your content in any way.

DAP provides built-in security for files and video and just about any other type of file extension – like .pdf, .zip, .doc, etc. DAP will make sure that even if the URL to the actual file gets passed around, the person trying to access the file will have to log in first before they can access the content. So your content is safe from un-authorized users, with DAP protecting it.

However, what about a valid, paying member? When they get access to a protected PDF or .zip or even a video, can DAP prevent them from downloading the file to their desktop? If a paying member who has legitimate access to a PDF file, can download the PDF to their desktop, can they not then turn around and upload it to their own web site, or send it as an attachment via email to their friends? Is there any way to make files not downloadable at all?

Sure they can. But trying to build a Fort Knox around your content, is not really the best thing for your members.

Taking Security Too Far

Like we mentioned above, anything that’s out there on the web, can be duplicated, copied, downloaded – in one way or the other. Nothing is 100% secure.

  • You could use “Streaming Only” technology to make sure even legitimate, paying members cannot download videos from your member’s area. But guess what? There are screen-capture tools – even free ones – that can be used to rip your video, and convert it into a file that can then be passed around on pirate sites. So preventing download of videos would only result in upsetting your legitimate members, because people like to watch videos even when they’re away from their computer – like on their ipad when sitting on a bed or a couch. Making everything “streaming only” means that they must be online and logged in to your member’s area every single time to watch your videos. Not a good thing for your members. You want to upset 99% of your members just to prevent that 1% who may (or may not) steal your content?
  • PDF’s can’t really be prevented from being downloaded. Once the PDF reader opens a PDF file, even if it’s by clicking on a link on your web site, it means it’s already downloaded on to the computer in some kind of a “temp” folder. So it has already left your web site and landed on the user’s computer. Nothing much you can do from there. Sure, you could make your PDF’s password protected, but they can pass on the password too to others. You could make your PDF files so that they cannot be copy/pasted, or cannot be printed. But guess what? There are tools out there that will break any kind of encryption or restriction you put on your PDF files, within seconds. And those who want to actually steal your content, also know what those tools are and how to use them.

So can your content be “too secure”? Absolutely. You can make it too hard for 99% of your legitimate members, just to prevent the 1% from stealing it (but they’re going to find a way to steal anyway). What’s the point, really? Those who want to steal, know how to pick your lock. So why make it harder for your real members?

Can people pass on their username/password to their friends to log in to your member’s area? Sure. But DAP will lock their account from further access, if it detects an account getting logins from more than, say “5” (or whatever you set as admin) IP addresses.

Can people download your videos from your site after getting legit access to it, using screen-capture tools, then re-upload to a torrent or black-hat site? Sure, they can.

Can people break your “password-lock”, “print-lock” or any other kind of restriction you place on your PDF files, within seconds? Sure, they can.

No, your content can never be 100% secure. Any one who tells you so, is either lying, or doesn’t have a clue.

Your only goal should be to make it hard for the “casual” abusers, that’s all. Not to make it so hard that even your legitimate members have to jump through hoops to get to it.

The best membership sites we have seen, provide access to their content in multiple formats.

Do you publish video content? Then right below the video, also give them a link to “download” the video and “watch it at their leisure”, publish an “Audio Version” in .mp3 format, publish a “PDF Transcript” of everything said in the video, so they can even “read” the content from your video.

Is your content mostly text? Then offer a PDF version of your blog post or page, so they can download it, print it, and read it offline. Or make a “Read Aloud” version of your blog post and offer it as a .mp3 file, so they can “listen” to your content while at the gym, or while going for a walk, or while driving in their car.

Bottom-line: Don’t worry about the 1% who will never pay you, probably will steal your content, and pass it on to others one way or the other. Just focus on creating great value for the 99% of your paying members who pay you, support you, promote you, and keep coming back month after month after month. And that’s the best use of your time and resources, and that’s the only way to build a successful membership site.


Customizing vBulletin Login For Single-Signon

Here’s what you need to do to disable the standard vB login form at the top-right corner of your forum pages, and customize it so that you force your members to log in via the DAP login form, so that they’re logged in to your membership site as well as DAP.

  1. Log in to VB Admin control panel at http://yoursite.com/forums/admincp/
  2. Go to Styles & Templates > Style Manager > Default (or whatever style you’re currently using)
  3. From the big list on the left, select the “header” template. Then on the right, under the “Controls” section, click on Edit
  4. On the resulting page, copy the full code from this text file and paste into the main “Template” body, and click on “Save”
  5. Next, download the file forums/register.php from your server, to your desktop and save the original copy somewhere safe.
  6. Replace the contents of that file with the contents of this text file.

That’s it!


Upgrading or Downgrading of Subscriptions

There are two main items that need to be addressed when it comes to a member wanting to Upgrade or Downgrade their Subscription from one membership “level” (a.k.a “Product” in DAP) to another.

1) Modifying the actual recurring payments to reflect the new amount

2) Giving them appropriate access as per the upgrade (or downgrade)

So let’s see how both of these are accomplished.

1) Modifying Recurring Payments

You do need to take some manual action for this. The way to do it is….

  • Ask your members to sign up for the new product/level/subscription separately, like it were a new sign up
  • Cancel their old subscription manually. When using Paypal standard, this can be done by both you (as the admin) and the member themselves. But with all of the other payment solutions, you (the admin) will have to log in to the payment gateway (Authorize.net or Paypal Website Payments Pro) and manually delete the member’s old subscription. DAP will not automatically remove the user’s old subscription profile in your payment gateway.

2) Giving your member access to new level

Set up automation rules using DAP’s Product Chaining feature, so that if they sign up for one Product (or “level”), they’re automatically removed from another Product (or level).

So if they are currently signed up to your “Gold Membership”, then when they sign up afresh for the “Platinum Membership”, then set up a Product Chaining rule that says, “If member signs up for Platinum Membership, then remove them from Gold Membership”. This is just to make sure that they don’t have access to two products (or “levels”) at the same time.