Implementing a quick administrative function
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
I need to implement some administrative functions, and fast. So there's no time to go off with login pages and user tables and the whole kaboodle. It's a mostly anonymous user application, no registration at all, so there never was a need for user tables. But we've been receiving a huge spam attack (ineffectual, since it's only plaintext messages) which is not very convenient.
I'm thinking there should be an admin password in the config file, and if you want to do admin functions like banning IPs and keywords, you need to produce it. How secure is this?
If the config file is outside of the document root it's secure, but imo the most secure and fastest way to protect some files is to put them into their own directory and protect them via .htaccess and .htpasswd.
Last edited by Corvin on Sat Apr 05, 2008 3:02 am, edited 1 time in total.
I agree with Corvin on htaccess, with some added notes:
1. You can restrict files even if they are in the same directory.
2. .htpasswd belongs outside of the htdocs tree, but if you can't put it there, you must protect it.
Here's an example:
Code:
# Anchored pattern: match the file admin.php itself, not every name containing "admin.php"
<FilesMatch "^admin\.php$">
AuthName "What have you eaten today?"
AuthType Basic
AuthUserFile /home/..../www/www/..../..../htpasswd
Require valid-user
</FilesMatch>
# Needed only if the htpasswd file has to live inside the document root
<FilesMatch "htpasswd$">
Order allow,deny
Deny from all
</FilesMatch>
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
In cases like this I usually mock a Gateway class with a simple finder interface -- then I can add a database later if I want. It can be pretty trivial. Something like:
Code:
class UserGateway {
    // Hard-coded stand-in for a users table; swap in a database lookup later
    function findUser($username, $password) {
        $rows = array(
            'admin1' => array(
                'userid' => 'admin1',
                'password' => 'yohohoanda',
                'permissions' => 'whatever',
            ),
            'admin2' => array(
                'userid' => 'admin2',
                'password' => 'barrelofrum',
                'permissions' => 'whatever',
            ),
        );
        // preg_replace (the original post had the typo "pref_replace")
        $username = preg_replace('/[^a-zA-Z0-9]/', '', $username);
        $password = preg_replace('/[^a-zA-Z0-9]/', '', $password);
        // Strict comparison: PHP's loose == treats strings like "0e1" and "0e2" as equal
        if (isset($rows[$username]) && ($rows[$username]['password'] === $password)) {
            return $rows[$username];
        }
        return null;
    }
}
Just make the interface match what you normally use.
PS - I believe that HTTP authentication can be defeated by brute force techniques on many server configs, so I might shy away from those unless you know what you are doing.
Ambush Commander wrote: Hmm... that's an interesting idea, if I'm working on refactoring code that's something I could easily do. Although, I wonder why you also put the password in the finder.
Christopher wrote: As I said, you can change the interface to match your log-in logic. For really simple sites I just have it check in the Model if there is a record where both match. You could just as well do $row = $user->findByKey($username) and check the password in the returned row.
Ambush Commander wrote:
The interface I'm using is:
Code:
$this->Plugin->verifyAdmin($post['colocus_password'])
Where $this->Plugin is a sort of configuration object. Obviously it doesn't lend itself very well to the method, but refactoring would be needed anyway if you wanted to extend the functionality.
Christopher wrote:
Code:
class UserGatewayPlugin {
    function verifyAdmin($password) {
        // Keyed by password: any key present here is an accepted admin password
        $rows = array(
            'admin1' => 1,
            'admin2' => 1,
        );
        // preg_replace (the original post had the typo "pref_replace")
        $password = preg_replace('/[^a-zA-Z0-9]/', '', $password);
        // The original looked up $username, which is not defined in this method;
        // the lookup has to be on $password
        if (isset($rows[$password])) {
            return true;
        }
        return false;
    }
}
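An added example, not code from Christopher or Ambush Commander, combining the two interfaces discussed above: Christopher's two-argument finder (findUser) and Ambush Commander's one-argument verifyAdmin, with the credentials in the config array kept as bcrypt hashes rather than plaintext. It assumes PHP 5.5 or later (password_hash / password_verify); the class name HashedAdminGateway, the config array layout and the sample values are all made up for this example.

```php
<?php
// Added example (not either poster's code): finder-style gateway whose config
// array holds password hashes instead of passwords. Assumes PHP >= 5.5.
// HashedAdminGateway and the config layout are assumptions for this example.

class HashedAdminGateway
{
    private $rows;       // username => array(userid, password_hash, permissions)
    private $adminHash;  // hash of the single shared admin password, or null
    private $dummyHash;  // so a failed lookup still costs one hash check

    public function __construct(array $rows, $adminHash = null)
    {
        $this->rows = $rows;
        $this->adminHash = $adminHash;
        $this->dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    // Christopher's finder interface: the row on success, null otherwise.
    public function findUser($username, $password)
    {
        // Whitelist the username as the original did; leave the password alone
        // so punctuation in a long passphrase is not silently stripped.
        $username = preg_replace('/[^a-zA-Z0-9]/', '', $username);

        $row  = isset($this->rows[$username]) ? $this->rows[$username] : null;
        $hash = ($row !== null) ? $row['password_hash'] : $this->dummyHash;

        // Always run the verify, even for an unknown user, so response time
        // does not reveal which usernames exist.
        $ok = password_verify($password, $hash);
        if ($row === null || !$ok) {
            return null;
        }
        unset($row['password_hash']);  // never hand the hash back to the caller
        return $row;
    }

    // Ambush Commander's interface: one admin password kept (hashed) in the config file.
    public function verifyAdmin($password)
    {
        if ($this->adminHash === null) {
            return false;
        }
        return password_verify($password, $this->adminHash);
    }
}

// Constructed sample config. Generate the hashes once, e.g.
//   php -r 'echo password_hash("yohohoanda", PASSWORD_DEFAULT), "\n";'
// and paste the output into the config file outside the document root.
$rows = array(
    'admin1' => array(
        'userid'        => 'admin1',
        'password_hash' => password_hash('yohohoanda', PASSWORD_DEFAULT),
        'permissions'   => 'ban_ips,ban_keywords',
    ),
);
$adminHash = password_hash('barrelofrum', PASSWORD_DEFAULT);

$gateway = new HashedAdminGateway($rows, $adminHash);

var_dump($gateway->findUser('admin1', 'yohohoanda') !== null);
var_dump($gateway->findUser('admin1', 'wrong') === null);
var_dump($gateway->findUser('nobody', 'yohohoanda') === null);
var_dump($gateway->verifyAdmin('barrelofrum'));
var_dump($gateway->verifyAdmin('guess'));
```

The gateway on its own does nothing about the brute-force concern raised in the PS above; failed calls to findUser and verifyAdmin are the place to count attempts per IP and slow down or block repeat offenders in the controller that calls them.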
Ambush Commander wrote:
But the rest of the plugin is all settings like database login parameters, configuration on view timers, path to web root, etc. It makes no sense to put that sort of logic there. Don't worry about it though, I've got a good idea from your original idea on how to go about doing it.
By the way, what's pref_replace?