Open issue, opened by perspolise 6 years ago
Hi,
You have two options already built into the framework:

```php
Redirect::to("admin/login");
exit(); // <- DON'T forget this
```

```php
if ($admin_check) {
    // Admin level
    $this->View->render('admin/login');
    exit(); // <- DON'T forget this
} else {
    // do something else
    exit(); // <- DON'T forget this
}
```

Either should work. Ensure you put an admin check in the AdminController for the login function/page and all other pages you want locked down to admins; otherwise someone could just go directly to the admin/login page, skipping your admin redirect check.

Hope that makes sense.
@CaptainKarma
Hi, I changed AdminController to this:

```php
public function __construct()
{
    parent::__construct();
    // special authentication check for the entire controller: note the check-ADMIN-authentication!
    // All methods inside this controller are only accessible for admins (= users that have role type 7)
    Auth::checkAdminAuthentication();
}

public function index()
{
    if (Session::userIsLoggedIn() || Session::get("user_account_type") == 7) {
        $this->View->render('admin/index', 'admin');
    } else {
        Session::destroy();
        Redirect::to('admin/login'); // redirect to new version of admin login
        exit();
    }
}

public function login()
{
    if (Session::userIsLoggedIn() || Session::get("user_account_type") == 7) {
        Redirect::to('admin/index');
    } else {
        $this->View->render('admin/login', 'admin');
    }
}
```

And edited Auth.php in the core folder to:

```php
public static function checkAdminAuthentication()
{
    // initialize the session (if not initialized yet)
    Session::init();
}
```

This works now, but I have two questions:

One: is this method correct and safe? Two: for each page I want to authorize, do I need to add `if (Session::userIsLoggedIn() || Session::get("user_account_type") == 7) {} else {}`?
This is hard work :D
I'm wondering if you meant AND... `(Session::userIsLoggedIn() && Session::get("user_account_type") == 7)`, i.e. is the user logged in AND are they an admin?

At the moment you have an OR statement, `(Session::userIsLoggedIn() || Session::get("user_account_type") == 7)`, which says the user is logged in OR they are an admin, so they would pass as true just by being a logged-in user.

Add `exit();` after the render statement just for safety, as in my original post.

Otherwise it looks as strong as I would be able to write, lol. Testing is the only way to be sure; try something like Netsparker Community Edition.
You're right about OR / AND, but I moved this code from Auth.php line 56 to index() and login(). Do you have any idea for question two?
For question two...

The controller, as part of building the page, will run the public function `__construct` every time, so whatever is in the `Auth::checkAdminAuthentication` function will run on each page load.

```php
public function __construct()
{
    parent::__construct();
    Auth::checkAdminAuthentication();
}
```

So it depends what changes you make to that function.

Cheers
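To tie the two points above together (the AND vs. OR check, and doing the check once in the constructor instead of in every action), here is an added example that is not code from this thread or from the HUGE framework. The `Session`, `Redirect` and `Config` stand-ins are minimal stubs so it runs stand-alone; in the framework the real classes take their place, and the role number 7 is the one used in this thread.

```php
<?php
// Added example: admin gate that requires a logged-in session AND the admin role,
// and that ends the request after redirecting. Stub classes stand in for the
// framework's Session/Redirect so the file runs on its own.
const ADMIN_ROLE = 7;

class Session {
    public static array $data = [];                       // stand-in for $_SESSION
    public static function init(): void {}
    public static function get(string $k) { return self::$data[$k] ?? null; }
    public static function userIsLoggedIn(): bool { return self::get('user_logged_in') === true; }
    public static function destroy(): void { self::$data = []; }
}
class RedirectException extends Exception {}
class Redirect {
    // The real Redirect::to() sends a Location header; the stub throws so the request "ends".
    public static function to(string $path): void { throw new RedirectException($path); }
}
class Auth {
    // True only when the user is logged in AND carries the admin role.
    // Cast before comparing: a role loaded from the database may arrive as the string "7".
    public static function isAdmin(): bool {
        return Session::userIsLoggedIn() && (int) Session::get('user_account_type') === ADMIN_ROLE;
    }
    // Called from AdminController::__construct(), so every action in that controller is
    // covered without repeating the if/else. The unauthenticated login action must NOT sit
    // behind this check (put it in another controller), or the redirect loops back on itself.
    public static function checkAdminAuthentication(string $loginPath = 'admin/login'): void {
        Session::init();
        if (!self::isAdmin()) {
            Session::destroy();
            Redirect::to($loginPath);
            exit();  // never rely on the redirect alone; stop rendering here
        }
    }
}

// Constructed sessions: an ordinary logged-in user, an admin, and an anonymous visitor.
function gate(array $session): string {
    Session::$data = $session;
    try {
        Auth::checkAdminAuthentication();
        return 'admin page rendered';
    } catch (RedirectException $e) {
        return 'redirected to ' . $e->getMessage();
    }
}
echo gate(['user_logged_in' => true, 'user_account_type' => 2]), "\n";
echo gate(['user_logged_in' => true, 'user_account_type' => '7']), "\n";
echo gate([]), "\n";
```

Only the second call reaches the admin page; the plain user and the anonymous visitor are both sent to the login path.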
I added a login page to separate the admin login page from the user login page. I edited Auth class line 60:

```php
header('location: ' . Config::get('URL') . 'login');
```

to

```php
header('location: ' . Config::get('URL') . 'admin/login/');
```

But in the output I see this error:

How do I fix this problem?!