How do I 'properly' protect a controller?
#1

Hi,

Maybe I'm not getting it. But if I try to 'protect' an – let's say – adminController using filters, I seem to face a 'hole' in applying them.

If I have:

Code:
$routes->setDefaultController('Admin');
$routes->setDefaultMethod('index');

$routes->get('/', 'Admin::index'); // This is the default route pointing to the admin controller
$routes->add('admin', 'Admin::index', ['filter' => 'admin-auth']);

Now, it seems kind of 'odd' that I HAVE to protect the controller through setting a filter in the route ... what if I 'forget' to do so (as illustrated in the case above for the '/' route)? Then I'm vulnerable …

Back in the old days (CI3), I would create an AdminController, implement authorization in the constructor and extend that. I know I can do this today in CI4 as well (apart from this parent::initController thing which 'acts' like a constructor, confusing the crap out of me – why not simply use __construct?), BUT why is it that we're 'supposed' to use filters for that exact case (according to the docs), as I see it as not being as 'bullet proof' using filters vs implementing it directly in the controller.

Maybe someone can shed some light on the decisions behind this 'approach' ... or maybe share some 'clever' way of achieving this in the best and most portable (reusable) way possible?
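An added example, not part of the original post and not CodeIgniter's own code: a stand-alone PHP check that flags every route into a protected controller that lacks the required filter, which is the gap the post describes for the '/' route. The route table is a constructed copy of the post's two routes, and the `$policy` map and `findUnprotectedRoutes()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Constructed route table mirroring the two routes in the post:
// [router method, URI pattern, handler, options].
// In a real application this data would come from the route collection.
$routes = [
    ['get', '/',     'Admin::index', []],
    ['add', 'admin', 'Admin::index', ['filter' => 'admin-auth']],
];

// Policy (assumption): every route into these controllers must carry this filter.
$policy = ['Admin' => 'admin-auth'];

/**
 * Return one finding per route that reaches a protected controller
 * without the filter the policy requires for it.
 */
function findUnprotectedRoutes(array $routes, array $policy): array
{
    $findings = [];
    foreach ($routes as [$method, $uri, $handler, $options]) {
        // 'Admin::index' and '\App\Controllers\Admin::index' both map to 'Admin'.
        $class      = explode('::', $handler, 2)[0];
        $parts      = explode('\\', $class);
        $controller = end($parts);

        if (!isset($policy[$controller])) {
            continue; // controller is not covered by the policy
        }

        $filter = $options['filter'] ?? null;
        if ($filter !== $policy[$controller]) {
            $findings[] = sprintf(
                '%s %s -> %s is missing filter "%s"',
                strtoupper($method), $uri, $handler, $policy[$controller]
            );
        }
    }
    return $findings;
}

$findings = findUnprotectedRoutes($routes, $policy);
foreach ($findings as $line) {
    fwrite(STDERR, $line . PHP_EOL);
}
exit($findings === [] ? 0 : 1); // non-zero exit fails the build
```

Run from a build or pre-deploy step, the non-zero exit turns a forgotten filter into a failed job instead of an exposed route.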


Messages In This Thread
How do I 'properly' protect a controller? - by blaasvaer - 09-23-2020, 03:42 AM


