Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
How to setup these route(s)?
  • pompexpompex
    Hi,

    I'm having an admin panel controller, which due to the security reasons I am spoofing through the route.

    So I set the route like:

    'admin259591(:everything)' => ['admin$1', 'name' => 'admin'],


    Then in the controller before method I do check if request is actually coming from the admin route - if not, throwing an 404.

    $request = Request::active();

    if ( $request->route->name !== 'admin' )
    {
       throw new HttpNotFoundException();
    }


    This setup leads to several problems which I'd like to solve:

    1. How to handle 404 error thrown in the admin route scope? Currently only the general one will work,
    2. How can I then create more admin panel routes (following the spoofed route)?
      Consider this URL: /      admin259591/rest/users which I'd like to point to the /admin259591/validation/users. Is there any way to get the admin panel spoofed segment within other route? Eg. 

      '(:myadminpanelsegment)/rest/users' => ['myadminpanelsegment/validation/users', 'usersValidation'],

      (this is because I would like to use Router::get('usersValidation') later in my controllers to get the URI)

      I could define a variable containing 'real' admin segment, however this will be a problematic case.
  • HarroHarro
    If you want more routes, just define them. Just take into account that routes are processed in the sequence they are defined, so define more specific routes before less specific ones, the first match gets it.

    A 404 is a 404, what special handling do you want/need if thrown from the admin controller?
  • pompexpompex
    Yep I know that, but I want the "real" admin route to be configureable later, so I can't just type admin259591 on every route.. thats why I'd like to use some magic here getting the admin segment from class const or db config.

    Regarding a 404 or other errors routes: I want different page to bo rendered if thrown from the admin controller. 
  • HarroHarro
    Apart from the fact that security by obscurity is never a good idea, perhaps it is better to solve this problem with a rewrite rule in your webserver configuration, so

    rewrite "admin<something>" to "admin"
    return a webserver 404 for /admin/* requests
    -or- rewrite /admin/* to something like /admin/throw404

    This way your security trick is completely transparent for your application.

    As to the 404, the easiest method is to use a custom exception:

    class AdminNotFoundException extends HttpNotFoundException
    {
        public function response()
        {
            return new \Response(\View::forge('/admin/404'), 404);
        }
    }

    and throw that instead.
  • pompexpompex
    I was thinking about the webserver configuration to be honest, however I don't know if in the future, I will have the access to the webserver configuration (very unlikely, but can happend since there are still some providers not allowing to rewrite, especially when using nginx or any other web server than apache). 

    On the other hand, why is it obscure? I think that it's really flexible way to have the admin directory hidden and easly configureable through the constant or env variable.  
  • HarroHarro
    Accepted Answer
    If they don't support rewrites, Fuel doesn't work anyway, as it requires rewrites to work (there are some ways around it, but they result is very ugly URL's).

    "Security by obscurity" means you are trying to make things secure by hiding, and not by blocking unauthorised access. It is a standard term for this practice: https://en.wikipedia.org/wiki/Security_through_obscurity

    If you want to define all the routes, fine. It's standard PHP, so nobody says you have to hardcode it, you can easily use a variable or a constant instead of the string "admin674162"...
  • pompexpompex
    Thanks Harro :) 
  • pompexpompex
    I forgot about the 404 thing:

    Your 'new' exception idea is nice. However I think it makes the code a little bit out of the Fuel schema. I mean, I would like to keep Fuel ideas. Fuel implements _404_ route already. In the future I would scratch my head thinking where the heck are admin 404 or other errors handled, because _404_ route will only work for the "default" controller since admin errors will be hardcoded.

    I was thinking of doing it in the route scope, using closures:

    '_404_' => function() {
    if (Request::active()->route->name == 'admin') {
    return Response::forge('admin/templates/404');
    }
    // Return site default 404 instead
            return Response::forge('site/templates/404');
    }

    This would be a lot clearer and not hardcoded, wouldn't it? 

    Unfortunately, the example I gave wont work since it seems like the Request isn't even initialized at the moment of closure run :-( (Request::active() is null). Odd. Are there any possibilities to access current request / controller throwing an error or at least uri segments so I could somehow distinguish what to load in a route closure? 



  • HarroHarro
    The route closure is executed at the same place a controller is normally called, in the execute() method. And the first thing that happens there is that "active" is set.

    I've just tested this with the following route,

        'test' => function() { var_dump(\Request::active()); },

    and that dumps the request object without problems?

    Request::active()->route also has a valid Route object, and it's name is set (to "test").
Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories

In this Discussion