
digitalgod

template advice


hey guys,

I've been working on a template system and just recently noticed that if you type the full location of a file, you can access it even if you're not an admin.

All templates are located in template/name_of_page/, so for example the default admin page is located at template/admin.php/default_main.php. Usually you'd have to sign in for that template to load, and if you go to mysite.com/admin.php you'll be redirected to a login page if you're not logged on or not an admin.

But if you type mysite.com/template/admin.php/default_main.php you'll be on the main page of the admin panel without logging in. A person that goes there can't really do anything because everything appears broken and the links don't work properly.

My question is, what would be the best way of not letting someone go straight to a template file like that? There's no way for someone to find out where the template files are located, but I'd rather be cautious.

Maybe you should store templates outside of the main public_html directory? That way they can't be accessed directly through the browser, but can be accessed through the direct path.

Whenever I do an admin script, I create a login.php script that authorizes a user. I use login.php so I can distinguish between users and their access levels as admins. Some admins will have more control over the admin section than others. This is helpful if you have several admins on your website, but you want to limit what they can do. The way to implement this is to include the login script in every file in the admin folder and the admin/templates folder as well.

Also, you can just place htaccess files in the admin directories, giving a simpler way of restricting access. PM me if you would like help developing a login.php script; I would be more than happy to help you out.

Marker5a

[quote author=pixy link=topic=102356.msg406142#msg406142 date=1154290615]
Maybe you should store templates outside of the main public_html directory? That way they can't be accessed directly through the browser, but can be accessed through the direct path.
[/quote]

that sounds like a good idea, I'll give it a shot

[quote author=marker5a link=topic=102356.msg406143#msg406143 date=1154290633]
Whenever I do an admin script, I create a login.php script that authorizes a user. I use login.php so I can distinguish between users and their access levels as admins. Some admins will have more control over the admin section than others. This is helpful if you have several admins on your website, but you want to limit what they can do. The way to implement this is to include the login script in every file in the admin folder and the admin/templates folder as well.

Also, you can just place htaccess files in the admin directories, giving a simpler way of restricting access. PM me if you would like help developing a login.php script; I would be more than happy to help you out.

Marker5a
[/quote]

I already have a login.php and every user type has his own level, so for example level 0 is superadmin and when he logs in he has access to everything. Wouldn't it become really annoying to have to log in every time you change pages? I think the htaccess files also sound like a good idea.

Well, if you incorporate sessions into your login.php, it would work the same exact way as htaccess would work, except htaccess has that stupid popup window. With login.php using sessions, you can customize your login page as well.

Marker5a

yeah I already have sessions, only problem now is that I have over 100 php files and I have to add a session check on each of them...

thanks for your help

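An added example (not code from anyone in this thread) that combines the two suggestions above: templates kept outside the web root so no URL maps to them, and a single session guard file included once at the top of each admin script instead of a check pasted into every file. The paths, the `$_SESSION['user_level']` key and the function names are assumptions; template directories here are named without a `.php` suffix.

```php
<?php
// Added example: one guard file for the setup discussed in this thread.
// Assumed layout (not the poster's real paths):
//   /var/www/app/templates/  <- outside the web root; only PHP can read it
//   /var/www/public_html/    <- web root: admin.php, login.php, ...
declare(strict_types=1);

const TEMPLATE_ROOT   = '/var/www/app/templates';
const LEVEL_SUPERADMIN = 0;   // level 0 = superadmin, as in the thread

/** Require a logged-in user whose level is at most $maxLevel (0 = most powerful). */
function require_level(int $maxLevel, string $loginUrl = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $level = $_SESSION['user_level'] ?? null;   // assumed session key set by login.php
    if ($level === null || (int) $level > $maxLevel) {
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
}

/** Resolve and include a template by page/file name, rejecting path traversal. */
function render_template(string $page, string $file, array $vars = []): void
{
    // Only simple names: no slashes, dots or NUL bytes in either part.
    foreach ([$page, $file] as $part) {
        if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $part)) {
            throw new InvalidArgumentException('bad template name');
        }
    }
    $path = realpath(TEMPLATE_ROOT . "/$page/$file.php");
    // realpath() follows symlinks; confirm the result is still under TEMPLATE_ROOT.
    if ($path === false || strpos($path, TEMPLATE_ROOT . '/') !== 0) {
        throw new RuntimeException('template not found');
    }
    extract($vars, EXTR_SKIP);
    include $path;
}

// Usage in admin.php (one include replaces a hand-written session check per file):
//   require '/var/www/app/guard.php';
//   require_level(LEVEL_SUPERADMIN);
//   render_template('admin', 'default_main', ['title' => 'Admin']);
```

For the "over 100 php files" problem, PHP's auto_prepend_file directive (settable in php.ini or in an .htaccess with php_value) can pull the guard into every script under the admin directory without editing each file.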