Security related to controller URL
#1

I have a URL for a controller:

http://localhost/userTest/test

Now when I open the URL in the browser it's not showing the forbidden page but the data coming from the controller function. I need to restrict that. Please let me know how to do it.
Reply
#2

@ppuhan1389,

Can you post the code in the controller? Also, how are you implementing security in your application?
Reply
#3

If you place a _ (underscore) before the controller name it will make it private and not show in the browser
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#4

Hi Php_rocks

my controller code is
Code:
function getQualDetailsHTML()
{
    $personId    = $this->session->userdata('ADMIN_SESSION_PERSONID_VAR');
    $qualDetails = $this->qualificationModel->getQualData($personId);

    $output = '<table class="table table-striped">
    <thead>
    <tr>
    <th scope="col">#</th>
    <th scope="col">Graduation Year</th>
    <th scope="col">Institution Name</th>
    <th scope="col">Course Name</th>
    <th scope="col">Operation</th>
    </tr>
    </thead>
    <tbody>';
    for ($getDet = 0; $getDet < count($qualDetails); $getDet++) {
        $counter = $getDet + 1;
        // html_escape() (CI3 wrapper around htmlspecialchars()) before DB values go into HTML
        $output .= '<tr><td scope="row">';
        $output .= $counter . '</td><td>' . html_escape($qualDetails[$getDet]->PASS_YEAR);
        $output .= '</td><td>' . html_escape($qualDetails[$getDet]->UNIVERTSITY_NAME);
        $output .= '</td><td>' . html_escape($qualDetails[$getDet]->COURSE_NAME);
        // the id is used inside a JS call, so force it to an integer
        $output .= '</td><td><a href="#" class="fa fa-pencil"></a><a href="#" class="fa fa-times" onclick="deleteQual(' . (int) $qualDetails[$getDet]->QUALIFICATION_ID . ')"></a></td></tr>';
    }
    $output .= '</tbody></table>';
    $output .= '<div class="col-md-12 text-center"><button type="submit" id="addQualButton" class="btn btn-danger mb-10">Add Qualification</button></div>';

    //echo $output1.$output.$output2.$output3;
    echo $output;
}


In the view I have code like:

Code:
<script>
function getQualDets() {
    $.ajax({
        url: "<?php echo base_url().'qualification';?>",
        success: function(data) {
            console.log(data);
            $('#qualification-list').html(data);
        },
        dataType: "html"
    });
}
</script>

In the routes config file I have:

Code:
$route['qualification'] = 'qualification/getQualDetailsHTML';


For security reasons I am currently thinking of checking the session variable, i.e. if the session is set it will return the HTML, else no HTML. But there is a problem: if the session is set and the user copy-pastes the URL into a different window, then the output from the controller will be shown.

Thanks
Reply
#5

(06-22-2018, 04:02 AM)InsiteFX Wrote: If you place a _ (underscore) before the controller name it will make it private and not show in the browser

Yes, but I do not want it to be private, I just want something like: if the URL is put in the browser directly, "access forbidden" should be shown.

Thanks
Reply
#6

(06-22-2018, 04:02 AM)InsiteFX Wrote: If you place a _ (underscore) before the controller name it will make it private and not show in the browser

I think you mean to say "put an underscore before a controller method".

Using an underscore is a "legacy feature" (read the note in this section of the docs). The access modifiers `protected` or `private` should be used instead.

Is the OP asking about an ACL system?
Reply
#7

(06-21-2018, 08:17 PM)php_rocs Wrote: @ppuhan1389,

Can you post the code in the controller? Also, how are you implementing security in your application?

I have posted the code below
Reply
#8

This might help

https://www.codeigniter.com/user_guide/g...ds#methods

As well as what the other poster said

https://www.codeigniter.com/user_guide/g...te-methods
Reply
#9

I'm not sure if it's the best pattern for CI 3 but I check for a login flag (boolean) in most of the controllers' constructors and redirect the user to a login page before loading anything else. If anyone can suggest a better way then I would be grateful.

Code:
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

class Admin extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');

        // If the user is not logged in then get out of here!
        if ( ! $this->session->login)
        {
            redirect('/user/index');
        }

        $this->load->model('admin_model');
        $this->load->model('another_model');
    }

    function some_other_method()
    {
    }
}

While we are here, I'll add this warning for anyone struggling with Stripe Checkout or similar payment providers. Please be aware that if you have a route set up as an endpoint for a POST response from some external service (e.g. a Stripe Checkout's success_url) this technique will return a 302 error to their API, so use an endpoint method in a different Controller that doesn't check the logged-in state.

Also, to get around the $_GET variable issues with Codeigniter, I specified my success_url as this:
Code:
'success_url' => 'https://example.com/success/{CHECKOUT_SESSION_ID}',

rather than the example in Stripe's excellent documentation:
Code:
'success_url' => 'https://example.com/success?session_id={CHECKOUT_SESSION_ID}',

and the following route works as a normal Codeigniter endpoint without having to play around with URL config settings or htaccess.
Code:
$route['success/(:any)'] = 'subscription/checkout_success/$1';

And finally, my checkout_success method looks like this:
Code:
function checkout_success($session_id)
{
  // Redirect to a Success page or
  // do something else with the $session_id
  // returned to you in the correctly formatted URL
  // you specified in the 'Create Request' code.
}

Have fun.
Reply
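One way to get what the OP asks for in post #4 (a 403 when the fragment URL is pasted into the address bar) while keeping the constructor login check from post #9. This is an added example for CodeIgniter 3, not code from the thread or from the CodeIgniter project; the session key, the qualification_model name and the 'user/index' login route are assumptions taken from the posts above.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example, not code from the thread. It applies the constructor check
// from post #9 to the AJAX endpoint of post #4. Assumed names: the session
// key ADMIN_SESSION_PERSONID_VAR (post #4), a qualification_model with
// getQualData(), and the login route 'user/index'.
class Qualification extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
        $this->load->model('qualification_model');

        // Authorization is decided by the session only. A browser navigation
        // without a login is redirected; an XHR without a login gets a bare 403
        // so the login page never lands inside #qualification-list.
        if ( ! $this->session->userdata('ADMIN_SESSION_PERSONID_VAR')) {
            if ($this->input->is_ajax_request()) {
                $this->output->set_status_header(403);
                exit('Forbidden');
            }
            redirect('user/index');
        }
    }

    // The method behind $route['qualification'] in post #4.
    public function getQualDetailsHTML()
    {
        // jQuery sends X-Requested-With: XMLHttpRequest; a URL pasted into the
        // address bar does not, so a logged-in user pasting it sees 403 (the
        // OP's request). Any client can add the header, so this is a usability
        // measure, not an access control; the session check above is the control.
        if ( ! $this->input->is_ajax_request()) {
            show_error('Forbidden', 403);
        }

        $person_id = $this->session->userdata('ADMIN_SESSION_PERSONID_VAR');
        $output    = '<table class="table table-striped"><tbody>';
        foreach ($this->qualification_model->getQualData($person_id) as $i => $row) {
            // html_escape() (CI3 common function) before placing DB values in HTML.
            $output .= '<tr><td>' . ($i + 1) . '</td><td>' . html_escape($row->PASS_YEAR)
                . '</td><td>' . html_escape($row->COURSE_NAME) . '</td></tr>';
        }
        $output .= '</tbody></table>';
        $this->output->set_content_type('text/html')->set_output($output);
    }
}
```

Because the constructor runs before every method, a payment-provider callback such as the Stripe success_url from post #9 must live in a controller that does not extend this check, otherwise the provider receives the 302 instead of your endpoint.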