How to block URL access to the controller

CodeIgniter Forums (https://forum.codeigniter.com), Archived General Discussion, thread /showthread.php?tid=58150
How to block URL access to the controller - El Forum - 05-20-2013

flacznik:

Hi,

I developed a small application in CI that works well… CodeIgniter is the first framework I have used, which is why I have the following question: my default_controller is named “site”, where I placed all the functions that are linked to the basic buttons on the site to view the pages etc. What about all the other controllers? – I mean all the classes that handle some special functionality like user authentication – these controllers are accessible via URL. It means that any user can access any public function of my application. As there are some functions that I can’t declare as protected/private (because of AJAX calls, for example), how can I protect them?

Thank you for your advice.

PS: BASEPATH at the top of the controller doesn't change anything, and the class functions are still accessible via URL.

Example:
http://www.my_site.com/site/index.html - ok
http://www.my_site.com/site/authentificate/validate - runs the public function of form validation! How to prevent it?

How to block URL access to the controller - El Forum - 05-21-2013

Eduard Stankovic:

Could you post some of the code here ... I think your application is not designed well...

How to block URL access to the controller - El Forum - 05-21-2013

CroNiX:

http://ellislab.com/codeigniter/user-guide/general/controllers.html#private

How to block URL access to the controller - El Forum - 05-21-2013

flacznik:

So for example the validate function is called by AJAX, and if I am right it has to be declared as public, otherwise there will be no URI access possible. That is why I use $this->input->is_ajax_request() to check if the call is made by AJAX (the same thing regarding the dashboard function, where AJAX redirects the user to a secure page):

Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

How to block URL access to the controller - El Forum - 05-21-2013

alexwenzel:

Well designed or not. One thing you can do is disable automatic routing. Maybe this post helps you.

http://codeigniter-blog.de/118/disable-automatic-uri-routing/

How to block URL access to the controller - El Forum - 05-21-2013

flacznik:

Maybe the best idea is just to put the following code inside the controllers folder:

Code:
<Files ~ "\.(htaccess|php)$">

Like that we can be sure that the controller can be reached only by the CI application. What do you think??
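
Added example, not code from the thread or from the CodeIgniter project: a stand-alone PHP model of the per-method checks discussed above, combining the underscore-prefix rule from the linked user guide page with a session check behind the AJAX header test. The names `check_access`, `has_ajax_header`, `REQUIRES_LOGIN` and the `logged_in` session key are assumptions made for illustration.

```php
<?php
// Added example (PHP 7.1+). Stand-alone model of a per-method access check;
// in CodeIgniter the same logic would sit in a controller constructor or a hook.

// Hypothetical policy table: public methods and whether they need a session.
const REQUIRES_LOGIN = ['dashboard' => true, 'validate' => false];

// Checks the X-Requested-With header, as $this->input->is_ajax_request() does.
// The header is supplied by the client, so it describes the request, not the caller.
function has_ajax_header(array $server): bool
{
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && strtolower($server['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

// Returns the HTTP status the controller should answer with for this method.
function check_access(string $method, array $server, array $session): int
{
    // Underscore-prefixed helpers and unknown methods are never served by URL.
    if ($method === '' || $method[0] === '_'
        || !array_key_exists($method, REQUIRES_LOGIN)) {
        return 404;
    }
    // AJAX-only endpoints: reject plain navigation (a usability check only).
    if (!has_ajax_header($server)) {
        return 400;
    }
    // The access decision itself comes from server-side session state.
    if (REQUIRES_LOGIN[$method] && empty($session['logged_in'])) {
        return 403;
    }
    return 200;
}

// Constructed sample requests: [method, $_SERVER subset, session data].
$ajax  = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];
$cases = [
    ['validate',  $ajax, []],                    // login form check, pre-auth
    ['dashboard', $ajax, []],                    // AJAX header but no session
    ['dashboard', $ajax, ['logged_in' => true]], // authenticated AJAX call
    ['dashboard', [],    ['logged_in' => true]], // typed into the address bar
    ['_helper',   $ajax, ['logged_in' => true]], // underscore-prefixed helper
];
foreach ($cases as [$method, $server, $session]) {
    printf("%-10s => %d\n", $method, check_access($method, $server, $session));
}
```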