How to block URL access to the controller
#1

[eluser]flacznik[/eluser]
Hi, I developed a small application in CI that works well… CodeIgniter is the first framework I have used, which is why I have the following question: my default_controller is named “site”, where I placed all the functions that are linked to the basic buttons on the site to view the pages etc. What about all the other controllers? – I mean all the classes that handle some special functionality, like user authentication – these controllers are accessible via URL. It means that any user can access any public function of my application. As there are some functions that I can’t declare as protected/private (because of AJAX calls, for example), how can I protect them? Thank you for the advice. PS: BASEPATH at the top of the controller doesn't change anything, and the class functions are still accessible via URL.

Example:

http://www.my_site.com/site/index.html - ok

http://www.my_site.com/site/authentificate/validate - runs the public form-validation function! How do I prevent it?
#2

[eluser]Eduard Stankovic[/eluser]
Could you post some of the code here... I think your application is not designed well...

#3

[eluser]CroNiX[/eluser]
http://ellislab.com/codeigniter/user-gui...ml#private
#4

[eluser]flacznik[/eluser]
So for example the validate function is called by AJAX and, if I am right, it has to be declared as public, otherwise no URI access will be possible. That is why I use $this->input->is_ajax_request() to check if the call is made by AJAX (the same applies to the dashboard function, where AJAX redirects the user to a secure page):

Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
class Login extends CI_Controller {

    public function __construct(){
        parent::__construct();
    }

    // Called by AJAX, so it must stay public to be reachable via URI;
    // the body of the non-AJAX branch is elided in the post
    public function validate(){
        if (!$this->input->is_ajax_request()) { /* ... */ }
    }

    // Private helpers: not reachable via URI
    private function check_database(){

    }

    private function logout(){

    }

    // Public page that AJAX redirects the user to after login
    public function dashboard(){
        $this->load->view('secure_header');
        $this->load->view('secure_content');
        $this->load->view('secure_footer');
    }
}
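As an added illustration of what the user-guide link in #3 and the is_ajax_request() check above are getting at (example code, not flacznik's controller or CodeIgniter's own): `_remap()` whitelists the only method names a URL may execute, the underscore-prefixed helper is never routable whatever its visibility, and `dashboard()` checks the session instead of trusting the AJAX header, which any HTTP client can set. Assumes CodeIgniter 2.x with the session library and database configured, a hypothetical `users` table with `username` and `password_hash` columns, and PHP 5.5+ for password_verify().

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
class Login extends CI_Controller {
    // Only these names may be reached from a URL; any other method, public
    // or not, gets a 404 from _remap() below.
    private $routable = array('validate', 'dashboard');
    public function __construct() {
        parent::__construct();
        $this->load->library('session');   // assumed: session configured
        $this->load->database();           // assumed: `users` table exists
    }
    // CodeIgniter calls _remap() instead of mapping the URL segment to a
    // method itself, so this one place decides what a URL can execute.
    public function _remap($method, $params = array()) {
        if ( ! in_array($method, $this->routable, TRUE)) {
            show_404();
            return;
        }
        call_user_func_array(array($this, $method), $params);
    }
    // AJAX entry point. X-Requested-With is sent by the client, so
    // is_ajax_request() only screens out casual browser hits; the
    // credential check is what actually protects the account.
    public function validate() {
        if ( ! $this->input->is_ajax_request()) {
            show_error('Forbidden', 403);
            return;
        }
        $ok = $this->_check_database($this->input->post('username'),
                                     $this->input->post('password'));
        if ($ok) $this->session->set_userdata('logged_in', TRUE);
        $this->output->set_content_type('application/json');
        $this->output->set_output(json_encode(array('ok' => $ok)));
    }
    // Underscore prefix: CodeIgniter never routes a URL to this method,
    // whatever its visibility, and _remap() rejects it as well.
    private function _check_database($user, $pass) {
        $row = $this->db->get_where('users', array('username' => $user))->row();
        // row() yields an empty array (CI 2) or NULL (CI 3) on no match
        return ! empty($row) && password_verify($pass, $row->password_hash);
    }
    public function dashboard() {
        if ($this->session->userdata('logged_in') !== TRUE) {
            show_error('Login required', 403);   // session, not header, is the gate
            return;
        }
        $this->load->view('secure_header');
        $this->load->view('secure_content');
        $this->load->view('secure_footer');
    }
}
```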
#5

[eluser]alexwenzel[/eluser]
Well designed or not, one thing you can do is disable automatic routing. Maybe this post helps you: http://codeigniter-blog.de/118/disable-a...i-routing/
#6

[eluser]flacznik[/eluser]
Maybe the best idea is just to put the following code inside the controllers folder:

Code:
<Files ~ "\.(htaccess|php)$">
order allow,deny
deny from all
</Files>

That way we can be sure that the controller can be reached only by the CI application. What do you think?