Are views safe to have other people editing them?
#1

Hi All,
I'm working on a project in CI, where there might be other people creating and editing views.
I will restrict FTP access so they only can access the views.
But...
Will they be able to run DB queries?
Or will they be able to view config files or other code besides the views?
I can imagine, for example, that they can run a directory listing on the config folder and retrieve the DB password.
Is that even possible within CI?
I don't know who will be editing the views, but given the project's details, it can be anyone... trusted or untrusted.
Reply
#2

@sjender, have you considered using gitlab/github? This will allow you to track who is doing what. Also, you might want to consider creating a development environment so that when they do submit their code it will work properly. Just my suggestion.
Reply
#3

Hi. I am using gitlab.

But if this project gets off the ground, hundreds of frontenders can work within the same repo.

I actually saw someone posting a similar question.
The suggestion there was to create an API which handles the controllers and models.
And have the frontenders use another detached environment for their code.

This requires some rebuilding, but I think it's the safest way, don't you think?
Reply
#4

CodeIgniter's default view is a pure PHP file.
So you can write arbitrary PHP code in it.

> Will they be able to run DB queries?

Yes.

> Or will they be able to view config files or other code besides the views?

Yes.

> I can imagine, for example, that they can run a directory listing on the config folder and retrieve the DB password.
> Is that even possible within CI?

Yes.
Reply
#5

(This post was last modified: 12-26-2021, 05:40 AM by yahyaerturan.)

I have encountered a similar concern on our new CMF, written in CI4.

I ended up creating a FetchApi class to query tiers (every resource acts like a tier).

- API endpoints use this FetchApi with allowed fields and criteria.
- AdminControllers use this FetchApi with allowed fields and criteria.
- View files can access the $fetchApi object and can query any resource in an API manner.

It's a lot of work, but it decouples the backoffice itself, the API and the frontend all together.

However, you are still on PHP. So yes, almost all of CI can be retrieved. But if you use Twig templates in views and do not allow PHP inside, that might be the solution.
Reply
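Posts #4 and #5 together make the point of the thread: a `.php` view is executed by the application itself, so whoever edits it gets everything the application can reach, and the only template that is safe to hand to untrusted editors is one that cannot carry PHP. Below is an added example of a repository policy check that enforces that rule before a merge (not code from the thread, CodeIgniter or Twig); it assumes views live under `app/Views`, that only `.twig` files are rendered through Twig, and it runs here over constructed in-memory files rather than the filesystem.

```python
import re
from pathlib import PurePosixPath

# Any PHP open tag: "<?php", the short echo tag "<?=", and the bare short
# tag "<?" followed by whitespace (honoured when short_open_tag is on).
# "<?xml ...>" is deliberately not matched.
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=|(?=\s))", re.IGNORECASE)

# Assumption: these extensions are handed to the PHP interpreter by the
# view loader, so their content runs with the application's full rights.
EXECUTABLE_EXTENSIONS = {".php", ".phtml"}
# Assumption: only .twig files go through the Twig renderer as plain text.
TEMPLATE_EXTENSIONS = {".twig"}


def audit_view(path, content):
    """Return the policy findings for one file under app/Views."""
    findings = []
    ext = PurePosixPath(path).suffix.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"{path}: PHP view file, executed with full application access")
    elif ext not in TEMPLATE_EXTENSIONS:
        findings.append(f"{path}: unexpected file type in the views directory")
    # A PHP tag inside a Twig file is inert text to Twig, but the rule is
    # "no PHP in views", so it is reported in every file type.
    for lineno, line in enumerate(content.splitlines(), 1):
        if PHP_OPEN_TAG.search(line):
            findings.append(f"{path}:{lineno}: contains a PHP open tag")
    return findings


def audit_views(files):
    """Audit a mapping of path -> content and return all findings."""
    findings = []
    for path, content in files.items():
        findings.extend(audit_view(path, content))
    return findings


# Constructed sample files standing in for the contents of app/Views.
SAMPLE_VIEWS = {
    "app/Views/header.twig": "<h1>{{ title|e }}</h1>\n",
    "app/Views/home.php": "<h1><?= esc($title) ?></h1>\n<?php print_r(config('Database')); ?>\n",
    "app/Views/footer.twig": "<footer>{{ year }}</footer>\n<?php echo 'x'; ?>\n",
}

if __name__ == "__main__":
    for finding in audit_views(SAMPLE_VIEWS):
        print(finding)
```

A non-empty result from `audit_views` is the signal to fail the merge; the `home.php` sample shows why, since its second line reads the database configuration from inside a view.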