Prevent direct access to views

[eluser]reikje[/eluser]
I am having some issues securing my first codeigniter site. Even though I am using rewriting in a .htaccess file to get rid of the index.php segment in URL's, I can still access my php files in the views folder.

Here is my setup:

/etc/apache2/sites-available/the_site

Code:

<VirtualHost *:80>
        ServerName www.domain.de

        DocumentRoot /var/www/igniter
        <Directory /var/www/igniter>
                Options Indexes FollowSymLinks
                AllowOverride all
                Order allow,deny
                Allow from all
        </Directory>
        ErrorLog /var/log/apache2/error.log
        LogLevel warn
        CustomLog /var/log/apache2/access.log combined
</VirtualHost>

.htaccess file in /var/www/igniter

Code:

<IfModule mod_rewrite.c>
        #AddType x-mapp-php5 .php
        Options -Indexes

        RewriteEngine on

        RewriteCond $1 !^(index\.php|images|css|js|robots\.txt|sitemap\.xml|favicon\.ico)
        RewriteRule ^(.*)$ /index.php/$1 [L]
</IfModule>

<IfModule !mod_rewrite.c>
    ErrorDocument 404 /index.php
</IfModule>

routes.php

Code:

$route['default_controller'] = "page";
$route['impressum'] = "impressum";
$route['ratgeber/(:any)'] = "ratgeber";
$route['scaffolding_trigger'] = "";

part of my config.php

Code:

$config['base_url'] = "/";
$config['index_page'] = "";
$config['uri_protocol']    = "REQUEST_URI";
$config['url_suffix'] = "";

Why can I still call directly to http://www.domain.de/system/application/...e_view.php ?

[eluser]Christophe28[/eluser]
I use nGinx so I'm not familiar with Apache, but if you want users to not be able to access views, controllers, models, or whatever there is in your public folder, just move it out of the public folder except the index.php

So the server path to your system folder will be something like this:
System: /var/www/site.com/system/
Public: /var/www/site.com/public/

Then in your index.php you have to change the path to your system and application folder like this:

Code:

$system_folder = "../system";
$application_folder = "../application";

My application folder is not in my system folder, otherwise it will be something like this:

Code:

$system_folder = "../system";
$application_folder = "../system/application";

Best,
Christophe

[eluser]Bart Mebane[/eluser]
If your host allows it, the simplest and most secure approach is to move your system folder above the document root (public html) folder. This Wiki article gives step-by-step instructions.

[eluser]reikje[/eluser]
So if I understand you correctly, this is the only way to prevent direct access?

[eluser]Christophe28[/eluser]
I don't know actually, I only used the method described above and would strongly recommend it.

[eluser]Bart Mebane[/eluser]
Another option is the approach used in the CI system files. Include this line at the top of every source file:

Code:

if ( ! defined('BASEPATH')) exit('No direct script access allowed');

The BASEPATH constant is defined in index.php. This statement thus allows pages to be accessed only through CI.

[eluser]danmontgomery[/eluser]
Significantly easier to just move system and application above webroot

[eluser]cereal[/eluser]
Put this .htaccess file in system » application » views:

Code:

<Files ~ "\.(htaccess|php)$">
order allow,deny
deny from all
</Files>

it's recursive, this way nobody can access directly to the views