Jump to content

template advice


digitalgod

Recommended Posts

hey guys,

I've been working on a template system and just recently noticed that if you type the full location of a file, you can acess it even if you're not an admin.

all templates are located in template/name_of_page/  so for example the default admin page is located here template/admin.php/default_main.php usually you'd have to sign in for that template to load and if you go on mysite.com/admin.php you'll be redirect to a login page if you're not logged on or not an admin.

But if you type mysite.com/template/admin.php/default_main.php you'll be on the main page of the admin panel without logging in, a person that goes there can't really do anything because everything appears broken and the links don't work properly.

My question is, what would be the best way of not letting someone go straight to a template file like that? There's no way for someone to find out where the template files are located but I rather be cautious
Link to comment
Share on other sites

Whenever I do an admin script, I create a login.php script that authorizes a user.  I use login.php so I can distinguish between user's and their access levels as admins.  Some admins will have more control over the admin section than others.  This is helpful if you have several admins on your website, but you want to limit them to what they can do.  The way to implement this is to include the login script in every file in the admin folder and the admin/templates folder as well. 

Also, you can just place htaccess files in the admin directories, giving a simpler way of restricting access.  PM me if you would like help developing a login.php script, I would be more than happy to help you out.

Marker5a
Link to comment
Share on other sites

[quote author=pixy link=topic=102356.msg406142#msg406142 date=1154290615]
Maybe you should store templates outside of the main public_html directory? That way they can't be accessed directly through the browser, but can be accessed through the direct path.
[/quote]

that sounds like a good idea, I'll give it a shot

[quote author=marker5a link=topic=102356.msg406143#msg406143 date=1154290633]
Whenever I do an admin script, I create a login.php script that authorizes a user.  I use login.php so I can distinguish between user's and their access levels as admins.  Some admins will have more control over the admin section than others.  This is helpful if you have several admins on your website, but you want to limit them to what they can do.  The way to implement this is to include the login script in every file in the admin folder and the admin/templates folder as well. 

Also, you can just place htaccess files in the admin directories, giving a simpler way of restricting access.  PM me if you would like help developing a login.php script, I would be more than happy to help you out.

Marker5a
[/quote]

I already have a login.php and every user type has his own level, so for example level 0 is superadmin and when he logs in he has access to everything. Wouldn't it become really annoying to have to login everytime you change pages? I think the htaccess files also sounds like a good idea
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.