CodeIgniter Forums
Tank Auth with .htpasswd - Printable Version




Tank Auth with .htpasswd - El Forum - 07-28-2011

ScrewLoose
Hi there. Let me start out by saying that Tank Auth works amazingly; my question is surely a matter of just being a novice. I currently have Tank Auth set up so my clients can log in and it will redirect them to their view, which requires a user to be logged on. Their secret files, however, are all grouped in a main client folder outside CodeIgniter (css, .js, and images), which anyone with half a brain could easily get to, and I don't want to force the user to log in twice, once through Tank Auth and another through .htpasswd. I would like to allow access to these files only if the user has logged in. Is there any way to do this with .htpasswd? I can't figure it out. Have any suggestions that may guide me in the right direction?


Tank Auth with .htpasswd - El Forum - 08-02-2011

ranjudsokomora
Hello ScrewLoose,
If you start off your scripts (views, controllers, models) with this, you should be okay:
Code:
<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

There is no reason for .htpasswd files. If all of your users are forced to go through your CodeIgniter installation, then Tank Auth should see that they are or aren't authenticated and take proper action.


Tank Auth with .htpasswd - El Forum - 08-03-2011

ScrewLoose
Hey, thanks for the advice :) I currently do have an index.php block file in my directories to keep people from peeping into the directory. However, my current issue is regarding user-specific directories, where a user logs in and sees a completely different setup (i.e. webroot/safe/user1/images, webroot/safe/user1/css, etc.), which means they can be accessed at any time, so long as someone knows the URL... Their views remain guarded by Tank_Auth. I was wondering how I'd be able to change it so it would be able to check if someone was logged in before gaining access to a directory. It's my understanding that my assets should not be placed within the applications folder, and my application and system folders exist outside of the webroot. I was thinking I'll have to switch over to BLOBs in MySQL and call the data from their controller. Any thoughts?
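
Added example, not part of the original thread and not Tank Auth's own code: one way to gate per-user assets behind the existing Tank Auth session without .htpasswd or database BLOBs is to move the files out of the webroot and stream them through a controller. The controller name `Assets`, the `private/<user_id>/` directory next to the application folder, and the extension list are assumptions made for illustration; `is_logged_in()` and `get_user_id()` are Tank Auth library methods.

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
// Hypothetical controller: application/controllers/assets.php (CodeIgniter 2.x).
// Assumed layout: files moved out of the webroot to <parent of application>/private/<user_id>/,
// e.g. private/7/images/logo.png, requested as /assets/file/images/logo.png
class Assets extends CI_Controller {

    // Only these extensions are ever served; anything else is a 404.
    private $types = array(
        'css' => 'text/css',
        'js'  => 'application/javascript',
        'png' => 'image/png',
        'jpg' => 'image/jpeg',
    );

    public function __construct()
    {
        parent::__construct();
        $this->load->library('tank_auth');
    }

    // URI segments after "file" arrive as method arguments and form the relative path.
    public function file()
    {
        if ( ! $this->tank_auth->is_logged_in()) {
            show_error('Login required', 403);
        }
        // The directory comes from the session, never from the URL,
        // so one client cannot name another client's folder.
        $base = realpath(APPPATH.'../private/'.(int) $this->tank_auth->get_user_id());
        $requested = implode('/', func_get_args());
        $path = ($base === FALSE) ? FALSE : realpath($base.'/'.$requested);
        // realpath() resolves ".." and symlinks; the result must still sit under $base.
        if ($path === FALSE OR strpos($path, $base.DIRECTORY_SEPARATOR) !== 0 OR ! is_file($path)) {
            show_404();
        }
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if ( ! isset($this->types[$ext])) {
            show_404();
        }
        header('Content-Type: '.$this->types[$ext]);
        header('Content-Length: '.filesize($path));
        header('Cache-Control: private');
        header('X-Content-Type-Options: nosniff');
        readfile($path);
        exit; // stop CodeIgniter from appending its own output
    }
}
```

Views would then reference `site_url('assets/file/css/style.css')` instead of the old `webroot/safe/user1/...` URLs, and the old public directories can be removed.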