| view in restricted access folder with special htaccess does not prompt password. |
[eluser]vambavan[/eluser]
I am new to codeigniter and am facing an issue with creating a restricted views subfolder. I have the normal codeigniter htaccess at the CI root and I have some views that I want to restrict access to by using LDAP SSO password protection. So I have those views in a restricted/views under views folder subdirectory with another htaccess that prompts the user for user/password. I know the restricted/views htaccess works as I have tried it with some non codeigniter html and php scripts. However with codeigniter I can access the restricted views without any password prompt and the htaccess in the restricted/views folder seems to be getting ignored. I dont get any type of error when I try to access the restricted view. It gets displayed just like any other view. Using Codeigniter 2.1.3 running on linux Folder structure: webroot: .htaccess (root) index.php ci_app application views restricted views .htaccess restricted_view.php My root htaccess: RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ /index.php?$1 [L] Restricted folder htaccess: RewriteEngine Off AuthName "ABC: Login with LDAP credentials" AuthType Basic AuthBasicProvider "ldap" AuthLDAPURL ldap://ldap.company.com:389/o=company.com #require valid-user require ldap-group cn=GROUPNAME,ou=abcgroups,o=company.com
[eluser]TheFuzzy0ne[/eluser]
You should not be allowing direct access to anything in your application directory. You have all sorts of sensitive configuration options in there, and if, for some reason, PHP didn't parse the files, the server would serve them up as plain text. Ideally, your system and application directories should be outside of the Web root. I'm not sure if it would actually be a problem or not, but I don't believe the value for AuthBasicProvider should be in quotes. Also, do you have mod_authnz_ldap enabled on your server?
[eluser]vambavan[/eluser]
Thanks for the response. Couple of things to mention: 1. Its an internal website so please ignore where its placed for now i.e. web root. 2. the htaccess in the subdirectory works when files are accessed directly. It does prompt a password so there is nothing wrong with the file or the syntax in there. 3. I saw several posts in the forums that used to get 404 error but I dont. I am not sure why. They used this line: RewriteCond $1 !^(401.shtml) in their root htaccess to force the password prompt, but I dont get the 404 error they had and the line did ot work for me.
[eluser]vambavan[/eluser]
mod_authnz_ldap is enabled since it prompts me when I bypass index.php to access html or php files directly
[eluser]TheFuzzy0ne[/eluser]
Sorry, you've lost me... The thread is titled "view in restricted access folder with special htaccess does not prompt password." And then you said: Quote:the htaccess in the subdirectory works when files are accessed directly. It does prompt a password so there is nothing wrong with the file or the syntax in there. I'm not sure how you are not prompted for the password, and yet seem to be prompted for the password. Which is it? Either I'm missing something, or you haven't explained the problem.
[eluser]vambavan[/eluser]
Sorry if it was confusing. So directly accessing files like this : http://myhost/ci_app/application/views/r...d_view.php gives me the password prompt. However if I go through code igniter opening the page for me using the usual http://myhost/index.php?/controller/restricted_view I get to the same page but without a password prompt. Folder structure: \webroot: .htaccess (root) index.php \ci_app \application \views \restricted \views .htaccess restricted_view.php
[eluser]vambavan[/eluser]
When I run using the codeigniter framework I am using load->view to load the restricted_view.php. Not sure if thats where I need to make the change
[eluser]TheFuzzy0ne[/eluser]
OK, now that makes much more sense. .htaccess files are only read before the requested file. So the first .htaccess will work as expected, but after that, you're within the CI framework, and no further .htaccess files will be read. If you don't want a view/file to be accessible via your framework, then you need to code your app accordingly so it won't load it.
[eluser]vambavan[/eluser]
Any chance I can use it through the codeigniter framework and still get the subdirectory htaccess to be invoked? Thats really what I want to do. I am trying to convince my team to use codeigniter but if I cant get this working they think codeigniter is too rigid and may break away from it. We have an ldap company wide authentication in place and I just need to get it working where certain pages are only accessible to certain ldap users/groups. I was hoping if I created a restricted folder and put the views that needed authentication there with the appropriate htaccess it would work. 
[eluser]CroNiX[/eluser]
htaccess only works for direct WEB requests. If you are including a view, using php, that is in a directory restricted via htaccess it won't have any affect. That's why it prompts for the password when accessing directly. Your application should be taking care of who can see what once authenticated based on some sort of permissions. Not sure why you'd have to convince them that CI isn't rigid. This problem has nothing to do with codeigniter. Only apache and php. |
| Welcome Guest, Not a member yet? Register Sign In |
