Keeping People from Accessing Controller Methods
#1

[eluser]cornofstarch[/eluser]
Hello,

I'm trying to figure out how Pyro keeps people from accessing controller methods. For example, if I go to http://localhost/admin/approved, I get a "Page Missing" even though the method isn't protected or private and I'm logged in as admin. I can't find the reroute in routes.php, the hooks don't have anything to do with the routing, there isn't any remapping in the class... how is it done?
#2

[eluser]bl00dshooter[/eluser]
http://ellislab.com/codeigniter/user-gui...ml#private

I'm not sure if it's the way Pyro does, but it works.

For further information on Pyro, try posting on the PyroCMS forum or tweeting Phil Sturgeon.
#3

[eluser]cornofstarch[/eluser]
I don't want to make the method private as it will create a whole new set of problems down the road.

To clarify, I've read the slew of forum posts where people have the same problem. I don't want to make the method private, protected or private from CI's view using the underscore. I don't want to route everything with catchall (:any), I don't need to separate the methods from logged in or not logged in views with a Public_Controller or an Admin_Controller of my own. I'm not using POST for every method nor do I want to check POST for every method.

Is the only other way of controlling access to use htaccess? This is Pyro's htaccess and I haven't a clue as to what it does:

Code:
<IfModule mod_rewrite.c>

    # Make sure directory listing is disabled
    Options +FollowSymLinks -Indexes
    RewriteEngine on

    # Keep people out of codeigniter directory and Git/Mercurial data
    RedirectMatch 403 ^/(system\/pyrocms\/cache|system\/codeigniter|\.git|\.hg).*$

    # Send request via index.php (again, not if it's a real file or folder)
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d

    <IfModule mod_php5.c>
        RewriteRule ^(.*)$ index.php/$1 [L]
    </IfModule>

    <IfModule !mod_php5.c>
        RewriteRule ^(.*)$ index.php?/$1 [L]
    </IfModule>

</IfModule>

I know it's probably better to ask on Pyro forums but sadly, it appears to be a dead or dying forum. Maybe everyone is on IRC...
#4

[eluser]cornofstarch[/eluser]
It's not the htaccess either as everything runs through index.php.
#5

[eluser]InsiteFX[/eluser]
PyroCMS uses ION Auth which has a controller restrict method.

You could just write your own controller restrict method
and restrict the controller method that you want.

InsiteFX
#6

[eluser]cornofstarch[/eluser]
I think I figured it out. Phil doesn't use the ION Auth controller restrict method in all the methods. I wasted a whole weekend figuring this out instead of building what I need for work... wish these things were put into a neat little manual >.< But in the spirit of sharing coding discoveries, here's hoping that this will help someone else with the same questions I had.

Pyro has a few things...

.htaccess which redirects everything to index.php unless the actual file or folder exists.

In config/routes.php, Pyro redirects both the default controller and 404 errors to pages.php. Among other things, pages.php basically does a remap of the uri to whatever you want it to. For example, if you need to pull /about, then it will search the database for an about page. If it exists, then it redirects. If you need to use a module of some kind, then after jumping through different checks and hoops, you may or may not be served the module.

But let's say you're a curious person who just wants to access the comments controller just for the fun of it. By default, the method called is index if the method doesn't exist in the controller (try printing $method from the example in the manual without having the actual method in your controller). But in the comments controller, Pyro wouldn't have an index method. So, you'll never be able to load localhost/comments. Also, the other important methods are privatized using the underscore.

There are some controllers where Pyro will extend a custom Admin_Controller or a Public_Controller found in /core. Let's say a particular controller extends Admin_Controller. Then before the controller is loaded, all the security checks are performed to see if the user has access to the controller. If not, the user is redirected appropriately.

Occasionally, Pyro needs to restrict certain methods (even if it's been privatized with the underscore) and will use ION Auth's authentication methods for added security.

I think I got it... I hope...
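Added example, not PyroCMS or CodeIgniter code: a minimal version of the pattern post #6 describes, where a custom Admin_Controller performs the access check in its constructor so every public method of every child controller is gated before it runs, and an underscore-prefixed method stays unroutable. It assumes CodeIgniter 2.x with Ion Auth autoloaded (its logged_in() and is_admin() calls are real library methods; the controller name Approved and the redirect target are made up here), and both classes sit in one file only for readability.

```php
<?php
// Hypothetical base controller: one check here covers all child methods,
// so nothing relies on remembering to restrict each method individually.
class Admin_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();

        // Runs before the router invokes the requested child method.
        if ( ! $this->ion_auth->logged_in())
        {
            redirect('users/login');          // anonymous: send to login
        }
        if ( ! $this->ion_auth->is_admin())
        {
            show_error('Not allowed', 403);   // logged in but not an admin
        }
    }
}

// Hypothetical controller reached at /approved. Because it extends
// Admin_Controller, the checks above run for every request to it.
class Approved extends Admin_Controller
{
    // /approved (no method given) dispatches here. If this method did not
    // exist, the request would 404, which is the "Page Missing" effect the
    // thread describes for controllers without an index().
    public function index()
    {
        echo 'admin-only listing';
    }

    // Leading underscore: CodeIgniter's router never dispatches this from a
    // URL, so /approved/_purge is a 404 even for an admin. Call it only from
    // other methods in this class.
    public function _purge($id)
    {
        // internal helper body would go here
    }
}
```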
