Protect view access - best method in J3.0


Adam Rifat

May 22, 2013, 8:49:30 AM
to joomla-de...@googlegroups.com
Hi,

Does anyone know of an easy way to protect a view from direct access in Joomla 3.0?

I understand that the controller is used to authorise edits, holds the edit id and then redirects to the view. The edit id is then checked in the session before the item is saved.

However, what if I don't want the view accessed at all, regardless of whether it would be saved or not?

For example, I don't want people to be able to browse directly to a URL like:

/administrator/index.php?option=com_helloworld&view=unitversions&layout=edit&unit_id=158733

I'm thinking a plugin is the best way to go...

Any suggestions appreciated.

Thanks,

Adam


Mark Dexter

May 22, 2013, 12:24:23 PM
to joomla-de...@googlegroups.com
One option is to use the session token. You put a hidden field on the form from which you will allow access to the view. Then in the controller, you check for that session input before displaying the view. You can see some examples of this in core.

For example, in the file /cms-trunk/administrator/components/com_categories/views/categories/tmpl/default.php
you will see this code:
<?php echo JHtml::_('form.token'); ?>

That creates a hidden input field whose name is the session token, so it is submitted as <token name>=1.

Then in the file administrator/components/com_categories/controllers/categories.php in the saveorder() and rebuild() methods you see this code:
JSession::checkToken() or jexit(JText::_('JINVALID_TOKEN'));

That just checks that this variable exists in the request query and is true (1). So this helps ensure that you can only get to these tasks coming from a known point (the form with the token).

Hope that helps. Mark




--
You received this message because you are subscribed to the Google Groups "Joomla! General Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joomla-dev-gene...@googlegroups.com.
To post to this group, send an email to joomla-de...@googlegroups.com.
Visit this group at http://groups.google.com/group/joomla-dev-general?hl=en-GB.
For more options, visit https://groups.google.com/groups/opt_out.
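The token gate Mark describes, worked through end to end as an added example (this is not Joomla core code and not the poster's code). Everything named here is hypothetical: a component com_helloworld with a list view "units" whose links lead to the edit layout of a view "unitversions". Two files are shown in one block, separated by comments: the list template that emits the token, and the component's main controller that refuses to display the edit layout without it.

```php
<?php
/**
 * Added example, not Joomla core: gate a view behind the session token.
 * Hypothetical component com_helloworld, list view "units", edit view "unitversions".
 */
defined('_JEXEC') or die;

// --- 1. administrator/components/com_helloworld/views/units/tmpl/default.php ---
// The only sanctioned way into the edit layout is a link carrying <token>=1.
// JSession::getFormToken() returns the same value that JHtml::_('form.token')
// puts into a hidden POST field; here it is appended to a GET link instead.
$token = JSession::getFormToken();

foreach ($this->items as $item) :
    $edit = 'index.php?option=com_helloworld&view=unitversions&layout=edit'
        . '&unit_id=' . (int) $item->id . '&' . $token . '=1';
    ?>
    <a href="<?php echo JRoute::_($edit); ?>"><?php echo $this->escape($item->title); ?></a>
<?php endforeach; ?>

<?php
// --- 2. administrator/components/com_helloworld/controller.php ---
class HelloworldController extends JControllerLegacy
{
    public function display($cachable = false, $urlparams = array())
    {
        $view   = $this->input->get('view', 'units', 'cmd');
        $layout = $this->input->get('layout', 'default', 'cmd');
        $list   = JRoute::_('index.php?option=com_helloworld&view=units', false);

        if ($view === 'unitversions' && $layout === 'edit')
        {
            // checkToken('get') looks for the session token in the query string;
            // use 'post' for submitted forms or 'request' to accept either.
            // A pasted or bookmarked URL carries no token (or a stale one) and fails.
            if (!JSession::checkToken('get'))
            {
                $this->setMessage(JText::_('JINVALID_TOKEN'), 'error');
                $this->setRedirect($list);

                return $this;
            }

            // The token only proves the request came from a page this session
            // rendered; it is not authorisation, so the ACL check still belongs here.
            if (!JFactory::getUser()->authorise('core.edit', 'com_helloworld'))
            {
                $this->setMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'error');
                $this->setRedirect($list);

                return $this;
            }
        }

        return parent::display($cachable, $urlparams);
    }
}
```

Because the token is bound to the visitor's own session, a URL copied out of one browser and pasted into another fails the check even though it is syntactically identical. The second `if` is the caveat a practitioner would want: `JSession::checkToken()` is an origin check, not a permission check, so it must not replace the `authorise()` call.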
 
 

Adam Rifat

May 22, 2013, 1:41:35 PM
to joomla-de...@googlegroups.com
Thanks Mark, your suggestion got me digging around and I think what I am after is implemented in the component's main controller.php file. For example, in the categories controller the code below seems to prevent you from browsing directly to the edit form.

        // Check for edit form (inside the component controller's display() method).
        // $vName, $lName and $id are the requested view, layout and record id;
        // checkEditId() asks the session whether the edit task previously held this id.
        if ($vName == 'category' && $lName == 'edit' && !$this->checkEditId('com_categories.edit.category', $id))
        {
            // Somehow the person just went to the form - we don't allow that.
            $this->setError(JText::sprintf('JLIB_APPLICATION_ERROR_UNHELD_ID', $id));
            $this->setMessage($this->getError(), 'error');
            $this->setRedirect(JRoute::_('index.php?option=com_categories&view=categories&extension='.$this->extension, false));

            return false;
        }

Thanks. Adam


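The held-edit-id pattern from the categories controller above, carried over to a component of your own as an added example (not Joomla core and not the poster's code). The component com_helloworld, its list view "units", item view "unit" and the record key "id" are all hypothetical; "id" is used because that is the key JControllerForm::edit() holds and then passes on in its redirect. Both controllers are shown in one block, separated by comments.

```php
<?php
/**
 * Added example, not Joomla core: refuse direct access to layout=edit unless the
 * edit task first "held" the record id in the session.
 * Hypothetical component com_helloworld, list view "units", item view "unit".
 */
defined('_JEXEC') or die;

// --- 1. administrator/components/com_helloworld/controllers/unit.php ---
// task=unit.edit is the only door into the edit layout. JControllerForm::edit()
// calls allowEdit() (the ACL decision), then holdEditId('com_helloworld.edit.unit', $id)
// and redirects to view=unit&layout=edit&id=N. save() and cancel() call
// releaseEditId(), so an id is held only while that edit is in progress.
class HelloworldControllerUnit extends JControllerForm
{
    protected $view_list = 'units';

    protected function allowEdit($data = array(), $key = 'id')
    {
        // Same as the parent's default, spelled out: core.edit on this component.
        return JFactory::getUser()->authorise('core.edit', $this->option);
    }
}

// --- 2. administrator/components/com_helloworld/controller.php ---
class HelloworldController extends JControllerLegacy
{
    public function display($cachable = false, $urlparams = array())
    {
        $view   = $this->input->get('view', 'units', 'cmd');
        $layout = $this->input->get('layout', 'default', 'cmd');
        $id     = $this->input->getInt('id');

        // A browser that types the edit URL directly never went through
        // task=unit.edit, so $id is not in the session list and checkEditId() fails.
        if ($view === 'unit' && $layout === 'edit' && !$this->checkEditId('com_helloworld.edit.unit', $id))
        {
            $this->setError(JText::sprintf('JLIB_APPLICATION_ERROR_UNHELD_ID', $id));
            $this->setMessage($this->getError(), 'error');
            $this->setRedirect(JRoute::_('index.php?option=com_helloworld&view=units', false));

            return false;
        }

        return parent::display($cachable, $urlparams);
    }
}
```

For this to work, the list view's edit links must go through the task rather than the view, i.e. `index.php?option=com_helloworld&task=unit.edit&id=N`, which is what the core list templates and toolbar buttons do. Two caveats a practitioner should keep in mind: checkEditId() answers only "did this session go through the edit task for this id", so the permission decision still lives in allowEdit(); and checkEditId() returns true when $id is 0, so a `layout=edit` request with no id (a blank "new item" form) is not blocked by this check and relies on the add task's allowAdd() instead.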