In a previous post I listed "A single point to check authorization" as @todo.
Here is the reason. While playing with "myFrontController" I noticed that links like http://myfrontcontroller/admin/new-post could be accessed without being logged in. An unwanted intruder who knows that path can post something like "I hacked your site!"
Solution:
I had authentication checks scattered in different places, which is why this case slipped through. It is much safer to have one point through which every request has to pass and where the check is made.
I added a new field called "levelOfSecurity" to router.xml. If its value is "all", accessing the page does not require authentication. If "levelOfSecurity" is set to "admin", the admin login is verified. Note that only the literal value "all" opens a route: any other value, an empty field or a missing field ends up in the admin check, so a route that is misconfigured or forgotten fails closed rather than open.
A path in router.xml looks now like this:
<path>/edit/post/{slug}</path>
<levelOfSecurity>admin</levelOfSecurity>
<path_regexp>/\/edit\/post\/[\w\-]+/i</path_regexp>
<controllerClass>Blog</controllerClass>
<action>editPost</action>
A new static method was added to the LoginUser class (strict comparison is used so that only the exact string "all" is treated as public; in PHP versions before 8 a loose == against a non-string value can match unexpectedly):
    public static function accessAllowed($levelOfSecurity)
    {
        // Only the literal value "all" is public; anything else (including an
        // empty or missing field) falls through to the admin login check.
        if ($levelOfSecurity === 'all') {
            return true;
        }
        return self::ValidateLoginAdmin();
    }
In the FrontController::findPath() method, after checking that the path exists, the access authorisation is verified as well (only the allowed branch is shown here; what happens on a denied request is not part of this snippet):
    if ($route->path == $path) {
        if (LoginUser::accessAllowed($route->levelOfSecurity)) {
            // route is known and the caller is authorised: dispatch to
            // $route->controllerClass / $route->action
        }
    }
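To show the whole flow end to end, here is a small self-contained PHP script, added as an example and not the code of "myFrontController". It reads a constructed router.xml-style document, matches the request against path_regexp, and applies the same rule as accessAllowed(): only the literal "all" is public, everything else needs an admin login. The third route deliberately omits <levelOfSecurity> to demonstrate the default-deny behaviour. The $session array, the isAdmin flag in it, validateLoginAdmin() taking the session as a parameter and the "Controller::action" return value are assumptions made for the demo; the real project's ValidateLoginAdmin() takes no arguments and works differently.

```php
<?php
// Added example, not part of the original post or project.
// Demonstrates a single authorisation gate in a front controller:
// deny unless <levelOfSecurity> is exactly "all" or the caller is an admin.
declare(strict_types=1);

// Constructed sample of the router.xml format from the post.
// The third route has no <levelOfSecurity> on purpose (must be denied).
const ROUTER_XML = <<<'XML'
<routes>
  <route>
    <path>/admin/new-post</path>
    <levelOfSecurity>admin</levelOfSecurity>
    <path_regexp>/^\/admin\/new-post$/i</path_regexp>
    <controllerClass>Blog</controllerClass>
    <action>newPost</action>
  </route>
  <route>
    <path>/post/{slug}</path>
    <levelOfSecurity>all</levelOfSecurity>
    <path_regexp>/^\/post\/[\w\-]+$/i</path_regexp>
    <controllerClass>Blog</controllerClass>
    <action>showPost</action>
  </route>
  <route>
    <path>/edit/post/{slug}</path>
    <path_regexp>/^\/edit\/post\/[\w\-]+$/i</path_regexp>
    <controllerClass>Blog</controllerClass>
    <action>editPost</action>
  </route>
</routes>
XML;

final class LoginUser
{
    /** Assumed stand-in for ValidateLoginAdmin(): reads a server-side session flag. */
    public static function validateLoginAdmin(array $session): bool
    {
        return ($session['is_admin'] ?? false) === true;
    }

    /** Only the literal "all" is public; anything else (including "") needs admin. */
    public static function accessAllowed(string $levelOfSecurity, array $session): bool
    {
        if (trim($levelOfSecurity) === 'all') {
            return true;
        }
        return self::validateLoginAdmin($session);
    }
}

final class FrontController
{
    private SimpleXMLElement $routes;

    public function __construct(string $xml)
    {
        $this->routes = new SimpleXMLElement($xml);
    }

    /**
     * Returns "Controller::action" for an allowed request, or null when the
     * path is unknown or the caller is not authorised for it.
     */
    public function findPath(string $path, array $session): ?string
    {
        foreach ($this->routes->route as $route) {
            if (!preg_match((string) $route->path_regexp, $path)) {
                continue;
            }
            // The (string) cast turns a missing element into "", which is not "all".
            if (!LoginUser::accessAllowed((string) $route->levelOfSecurity, $session)) {
                // Matched but denied: stop here, do not let a later, looser route win.
                return null;
            }
            return $route->controllerClass . '::' . $route->action;
        }
        return null;
    }
}

$fc = new FrontController(ROUTER_XML);
$anonymous = [];                 // no session: not logged in
$admin = ['is_admin' => true];   // assumed session shape for a logged-in admin

var_dump($fc->findPath('/admin/new-post', $anonymous));
var_dump($fc->findPath('/admin/new-post', $admin));
var_dump($fc->findPath('/post/hello-world', $anonymous));
var_dump($fc->findPath('/edit/post/hello', $anonymous));
```

Two design points worth keeping when adapting this: the regexps are anchored with ^ and $ so that a longer path cannot smuggle itself past a prefix match, and a route that matches but is denied returns immediately instead of continuing the loop, so a second, more permissive route with an overlapping pattern can never override the denial.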