12 replies to this topic

[Eox]

Hello!

 

I am looking for a solution to require an authentication on only one controller of an MVC framework.

How can I require an authentication on for example only the admin controller?

 

So that only

http://www.example.com/admin

http://www.example.com/admin/home

http://www.example.com/admin/users

and so on...

requires the authentication. 

 

I want to make my admin dashboard more secure with this additional authentication. But I dont know how I can do it when all run over the single index.php 

 

I hope you understand what I am looking for, cause my english is not the best 

[Gaddam]

It's the same as with the login check, you added a role to the database and you can check that role for accessing the administration areas. Jesse talks about this in his MVC framework tutorials on youtube.

[Eox]

It's the same as with the login check, you added a role to the database and you can check that role for accessing the administration areas. Jesse talks about this in his MVC framework tutorials on youtube.

 

Yes, I know how I can write an login but I want to get an additional login. So I want to use the authantication which you can use with a htaccess and a htpasswd file, the one of the webserver. 

[Jeff]

That would have nothing to do with PHP really.

You just setup the static .ht files in the directory you want to protect.

The apache .ht login will run first before the actual PHP login page for the MVC loads.

 

I assume this is like for an admin login, where you just have 1 or 2 users that login there.

[Eox]

That would have nothing to do with PHP really.

You just setup the static .ht files in the directory you want to protect.

The apache .ht login will run first before the actual PHP login page for the MVC loads.

 

I assume this is like for an admin login, where you just have 1 or 2 users that login there.

Yes, I know. I know how I can do it with a directory or only a single file, but in this case it it only one controler. 

So I cannot protect my index.php file, because all other controler shouldn't be protectet 

 

So I need a solution, where I can require an authentication when only someone visit www.example.com/admin/ and all other admin sites like www.example.com/admin/home or www.example.com/admin/options. But all these sites run only about the index.php file and /admin ist not a directory.

[Jeff]

This

www.example.com/admin/home

and

www.example.com/home

 

Should not be mixed controllers.

admin should be a new App or the hold thing could be HMVC.

[Eox]

This

www.example.com/admin/home

and

www.example.com/home

 

Should not be mixed controllers.

admin should be a new App or the hold thing could be HMVC.

 

Where is www.example.com/admin/home and www.example.com/home a mixed controller?

 

The first one it calling the home action in the admin controller and the second one the index action of the home controller.

 

Its MVC.

[Jeff]

Right.

But the best way to do apps like this with an admin interface is full separation.
EG.

app/controllers/
admin/controllers/

Now you can have .htaccess and .htpass for admin/

This type of separation if done right should separate common admin functions and classes from the normal app.
Thus lowering resource use when not needed.

[Eox]

Right.

But the best way to do apps like this with an admin interface is full separation.
EG.

app/controllers/
admin/controllers/

Now you can have .htaccess and .htpass for admin/

This type of separation if done right should separate common admin functions and classes from the normal app.
Thus lowering resource use when not needed.

 

Yes, but all is still running over a single PHP file (e.g. index.php)  

[Jeff]

It should not matter.

 

Just add the .htpass requirement to the root .htaccess for the path /admin

[Eox]

It should not matter.

 

Just add the .htpass requirement to the root .htaccess for the path /admin

 

This doesnt work.

[Simi]

Like you say ...  i think you can't do this in .htaccess because the directory does not exist in file system.

Currently working on a project in ZF and I tried this thing.
Try to use <Location> in your vHost config file (not .htaccess). Worked for me.

<VirtualHost *:80>
.
.

# /admin - URL you want to protect
<Location /admin>
# full path to .htpasswd where the user:password is stored. I think is not a good idea to be in /var/www
AuthUserFile /var/www/.htpasswd
AuthType Basic
AuthName "My Secret Folder"
Require valid-user
</Location>
.
.
</VirtualHost>

 

.htpasswd looks like

simi:$apr1$btEbGwMp$oB1c5Hwr2N6LthMAx/sHi1

[Jeff]

It should work the same in the .htaccess file. Its done with other MVC frameworks all the time.

# password-protect single file<Files my_controller>AuthName "my_controller"AuthType BasicAuthUserFile /home2/afolder/.htpasswds/.htpasswdrequire valid-user</Files>

Try it before your rewrite code.
But like I said before if this was for production, separation would be better.