(03-25-2022, 09:10 PM) kenjis Wrote:

> (03-25-2022, 08:08 PM) ChicagoPhil Wrote:
> My plan was to get the user status in the base controller constructor and then execute a permissions check in each method by default. That would avoid the pitfalls of using filters or auto routing?

That's helpful information right there. That might have slipped by me. I am getting a message that the getMethod method is deprecated, but I just made up a method to run a check. Good deal! Thanks again.

> (03-26-2022, 12:16 AM) ChicagoPhil Wrote:
> I am getting a message that the getMethod method is deprecated, but I just made up a method to run a check.

The getMethod() is not deprecated. The $upper functionality is deprecated. See https://github.com/codeigniter4/CodeIgni...st.php#L89
Thank you to everyone who submitted comments.

The PR was merged into the develop branch. Since v4.2.0, the auto-routing is disabled by default.

> (03-25-2022, 04:15 AM) kenjis Wrote:
> Auto routing is very dangerous, because it is very difficult to know all routes for human beings.

That sounds like a problem with the tutorials rather than an inherent problem with CodeIgniter. I don't like defining tons of routes, and much prefer to use autorouting, and frequently make use of the _remap function because it's quite useful when one is tweaking URLs for SEO. If you have a controller and all of its methods should require some level of authentication, you can make a special AdminController whose init or constructor checks to make sure the user is authorized. If you have one or two methods in a controller that require authentication, it's quite easy to define an authentication-checking fn in your own base controller and expressly call it in any method that needs it. I'd very much like to know more about how autorouting introduces security problems. Can anyone give more detail rather than simply linking a tutorial that has a security hole?

> (03-25-2022, 04:44 PM) kenjis Wrote:
> @ChicagoPhil Okay, Good question.

This seems like a problem with using filters to enforce authentication rather than an autorouting problem. Just enforce the authentication in the controller or the method.
@sneakyimp If you never use controller filters, there is no risk. Probably there are few risks. But if you use CI4's CSRF protection, you are using controller filters. See https://blog-a--way--out-net.translate.g...r_pto=wapp
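As an added example (not code posted by anyone in this thread), this is the pattern ChicagoPhil and sneakyimp describe: the authorization check lives in the base controller and is invoked explicitly from the controller, so it does not depend on a filter pattern matching whatever route (auto-routed or defined) reached the method. The `denyUnless()` name, the `user_id`/`role` session keys, the `/login` path and the `Admin` controller's action list are assumptions; the two classes are shown in one listing for brevity.

```php
<?php
namespace App\Controllers;

use CodeIgniter\Controller;
use CodeIgniter\Exceptions\PageNotFoundException;
use CodeIgniter\HTTP\RedirectResponse;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use Psr\Log\LoggerInterface;

class BaseController extends Controller
{
    protected $session;

    public function initController(RequestInterface $request, ResponseInterface $response, LoggerInterface $logger)
    {
        parent::initController($request, $response, $logger);
        $this->session = session();
    }

    // Redirect anonymous users, 404 users lacking the role (does not reveal the
    // page exists), return null when access is allowed. Session keys are assumed.
    protected function denyUnless(string $role): ?RedirectResponse
    {
        if ($this->session->get('user_id') === null) {
            return redirect()->to('/login');
        }
        if ($this->session->get('role') !== $role) {
            throw PageNotFoundException::forPageNotFound();
        }
        return null;
    }
}

// Every action is gated in _remap, so no public method of this controller is
// reachable without the check, whichever route delivered the request.
class Admin extends BaseController
{
    private const ACTIONS = ['index', 'users']; // explicit allow-list of actions

    public function _remap(string $method, ...$params)
    {
        if ($redirect = $this->denyUnless('admin')) {
            return $redirect;
        }
        if (! in_array($method, self::ACTIONS, true)) {
            throw PageNotFoundException::forPageNotFound();
        }
        return $this->$method(...$params);
    }

    public function index() { return view('admin/index'); }
    public function users() { return view('admin/users'); }
}
```

The allow-list in `_remap` is what keeps inherited or helper public methods from becoming actions; a controller that needs the check on only one or two methods can call `denyUnless()` at the top of those methods instead.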