path to localhost
#1

I'm working on some code to reset a password. The user can send an email to himself:

"Dear rich, 
Recently a request was submitted to reset a password for your account. If this was a mistake, just ignore this email and nothing will happen (the request will expire in 24 hours). 
To reset your password, visit the following link: localhost/application/views/users/resetPassword.php?fp_code=74c9e4b9e40339299b32ef7a7206eae5 

Regards, 
R&D Substantiator"


The problem is that when the user goes into their email and clicks on the link above, they get a 403 error. I was able to get around this by placing the resetPassword.php file in my document root. But I don't think that this is a good solution because the resetPassword.php file needs to a) open the database b) check that the fp_code is good c) update the password. All of these need to be done within my application directory (I think). My question is:

Where do I locate the resetPassword file so it can be accessed by a remote user? Note: I will also need to put this whole thing up on my hoster's server where localhost won't work. This might be a 2nd question?
proof that an old dog can learn new tricks
Reply
#2

@richb201?

Is the resetPassword.php controller/page protected for logged in users only?
Reply
#3

rocs, I hope so. How would I check and if it is, how to unsecure it? As I think I said this will eventually go up on my hoster.
proof that an old dog can learn new tricks
Reply
#4

Hello!
I think you have a 403 error because your link points directly to a view.
I strongly advise against it. In the MVC architecture, requests must pass through the controller and it is up to your controller to call on your view.
In short, to answer your question, I think that your file, or rather the method for recovering the password, must be in the application/controllers folder.
Simplicity is the ultimate sophistication
Reply
#5

@richb201,

Can we see the code in the controller?
Reply
#6

So, it's clear that you've perhaps not quite understood how MVC works. You should never be directly requesting your views.

If you take the time to read this page, you'll know what you've done wrong:

https://www.codeigniter.com/userguide3/g...llers.html
Reply
#7

(This post was last modified: 07-09-2018, 03:18 PM by richb201.)

brian, that is the way the code came (from Codexworld). I would never have written it that way. My own application sticks very closely to MVC. But I'll take some time to read that page.
proof that an old dog can learn new tricks
Reply
#8

(This post was last modified: 07-09-2018, 07:07 PM by richb201.)

Leboss, I totally agree. But the code came as is. I am just trying to get it to work. Is it the best code? No, not really. It is pretty simple though and I thought that would make it easier to work with. And it has, honestly. I know very little about security (or programming as some up here will attest to). I have managed to get an email sent to the user's email address with a link back to my application. When they click on the link, it seems that they can only access modules that are outside my Application path but in my "document root". This would be OK, except I need the user to be able to enter a new password, and I am concerned about it being outside the path of the Application. I don't have a great understanding of htaccess. Does this make me a bad person? No, just a pragmatic one.

I'd like to let the user clicking on the link in the email get directly into the file that is sitting in my Views directory. Ugh! If this is a security issue, well, I will deal with it. How do I path from the link in the user's email to my views directory? The answer may be that since I am developing on Localhost that is impossible. Just let me know that.
proof that an old dog can learn new tricks
Reply
#9

(07-09-2018, 02:53 PM)richb201 Wrote: brian, that is the way the code came (from Codexworld). I would never have written it that way. My own application sticks very closely to MVC. But I'll take some time to read that page.

To simplify things, if you just add the contents of those files to 2 controller methods, you'd be able to set the request URLs to those methods, and assuming you don't have any other issues, you'd be done.
Reply
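What post #9 describes, sketched as an added example that is not part of the thread or of the Codexworld code: a CodeIgniter 3 controller method that receives the emailed fp_code, checks it, and only then loads the view. The `users` table columns (`fp_code`, `fp_expires`), the view name, the login route, the 8-character minimum and the 32-hex-character code format (inferred from the sample link) are assumptions.

```php
<?php
// application/controllers/Users.php (added example; names below are assumptions)
defined('BASEPATH') OR exit('No direct script access allowed');

class Users extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->database();
        $this->load->helper('url');
    }

    // GET  /index.php/users/reset_password?fp_code=...  shows the form
    // POST /index.php/users/reset_password              sets the password
    public function reset_password()
    {
        $code = (string) ($this->input->post('fp_code') ?: $this->input->get('fp_code'));

        // Reject anything that is not a 32-character hex code before touching the DB.
        if (!preg_match('/^[a-f0-9]{32}$/', $code)) {
            show_404();
        }

        // Assumed schema: users(id, password, fp_code, fp_expires DATETIME).
        $user = $this->db->get_where('users', array(
            'fp_code'      => $code,
            'fp_expires >' => date('Y-m-d H:i:s'),
        ))->row();
        if ($user === NULL) {
            show_404(); // unknown or expired code
        }

        $password = (string) $this->input->post('password');
        if ($this->input->method() !== 'post' || strlen($password) < 8) {
            // The view lives in application/views/ and is only reached through here.
            return $this->load->view('users/reset_password', array('fp_code' => $code));
        }

        // Store a hash, and clear the code so the link works only once.
        $this->db->where('id', $user->id)->update('users', array(
            'password'   => password_hash($password, PASSWORD_DEFAULT),
            'fp_code'    => NULL,
            'fp_expires' => NULL,
        ));
        redirect('users/login');
    }
}
```

The link placed in the email can then be built with `site_url('users/reset_password') . '?fp_code=' . $code`, so it follows the configured `base_url` on localhost and on the hosted server alike, and nothing under `application/` has to be exposed through the document root.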



