Implementing a quick administrative function
Posted: Sat Dec 30, 2006 1:24 pm
by Ambush Commander
I need to implement some administrative functions, and fast. So there's no time to go off with login pages and user tables and the whole kaboodle. It's a mostly anonymous user application, no registration at all, so there never was a need for user tables. But we've been receiving a huge spam attack (ineffectual, since it's only plaintext messages) which is not very convenient.
I'm thinking there should be an admin password in the config file, and if you want to do admin functions like banning ips and keywords, you need to produce it. How secure is this?
Posted: Sat Dec 30, 2006 3:39 pm
by Corvin
If the config file is outside of the document root it's secure, but imo the most secure and fastest way to protect some files is to put them into a directory of their own and protect them via .htaccess and .htpasswd.
Posted: Thu Jan 04, 2007 6:33 am
by Mordred
I agree with Corvin on htaccess, with some added notes:
1. You can restrict files even if they are in the same directory.
2. .htpasswd belongs outside of the htdocs tree, but if you can't put it there, you must protect it.
Here's an example:
Code:
    # Only the admin script is gated; everything else in the directory stays public.
    # The pattern is anchored so the rule cannot silently match other file names.
    <FilesMatch "^admin\.php$">
        AuthName "What have you eaten today?"
        AuthType Basic
        AuthUserFile /home/..../www/www/..../..../htpasswd
        Require valid-user
    </FilesMatch>
    # Never serve the password file itself, in case it has to live under htdocs.
    # (Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied".)
    <FilesMatch "^\.?htpasswd$">
        Deny from all
    </FilesMatch>
Posted: Thu Jan 04, 2007 5:41 pm
by Ambush Commander
I'm using a front controller, so htaccess really isn't workable (Besides, it's not portable across webservers).
Posted: Thu Jan 04, 2007 6:10 pm
by Christopher
In cases like this I usually mock a Gateway class with a simple finder interface -- then I can add a database later if I want. It can be pretty trivial. Something like:
Code:
    class UserGateway {
        function findUser($username, $password) {
            // Hard-coded user table; swap for a database query later.
            $rows = array(
                'admin1' => array(
                    'userid' => 'admin1',
                    'password' => 'yohohoanda',
                    'permissions' => 'whatever',
                ),
                'admin2' => array(
                    'userid' => 'admin2',
                    'password' => 'barrelofrum',
                    'permissions' => 'whatever',
                ),
            );
            // Strip everything that is not alphanumeric ("pref_replace" sic, as posted)
            $username = pref_replace('/[^a-zA-Z0-9]/', '', $username);
            $password = pref_replace('/[^a-zA-Z0-9]/', '', $password);
            if (isset($rows[$username]) && ($rows[$username]['password'] == $password)) {
                return $rows[$username];
            }
            return null;   // no such user, or wrong password
        }
    }
Just make the interface match what you normally use.
PS - I believe that HTTP authentication can be defeated by brute force techniques on many server configs so I might shy away from those unless you know what you are doing.
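An added example, not code from the thread or from Christopher's post: the same gateway shape (UserGateway::findUser returning the row or nothing), but with the credentials stored as password_hash() output and checked with password_verify() instead of plaintext passwords and ==. It assumes PHP 7 or later; the user ids, permission strings and sample passwords are constructed for the demonstration, and the hashes are computed inline only so the script runs stand-alone.

```php
<?php
// Added example, not part of the original thread: Christopher's UserGateway
// shape, but with password_hash()/password_verify() (PHP >= 5.5; random_bytes
// needs PHP >= 7) instead of plaintext passwords and a == comparison.
// Class/method names, user ids, permissions and the sample passwords are
// illustrative choices, not anything the thread specifies.

class UserGateway
{
    private $rows;       // userid => array(userid, hash, permissions)
    private $dummyHash;  // verified against for unknown users (timing)

    public function __construct(array $rows)
    {
        $this->rows = $rows;
        // A hash of a random value: an unknown username still costs one
        // password_verify(), so response time does not reveal valid ids.
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    // Returns the user row (without the hash) on success, null otherwise.
    public function findUser($username, $password)
    {
        // The username is only a lookup key, so restricting its alphabet is
        // harmless. The password is NOT filtered: stripping characters would
        // make "barrel of rum!" and "barrelofrum" log in as the same password.
        $username = preg_replace('/[^a-zA-Z0-9]/', '', (string) $username);

        $known = isset($this->rows[$username]);
        $hash  = $known ? $this->rows[$username]['hash'] : $this->dummyHash;

        // password_verify() compares the digests in constant time.
        if (password_verify((string) $password, $hash) && $known) {
            $row = $this->rows[$username];
            unset($row['hash']);  // callers never need the hash
            return $row;
        }
        return null;
    }
}

// Constructed sample table. In production the hashes are generated once, e.g.
//   php -r 'echo password_hash("the password", PASSWORD_DEFAULT), "\n";'
// and stored in a config file outside the document root, never in the code.
$rows = array(
    'admin1' => array(
        'userid'      => 'admin1',
        'hash'        => password_hash('yohohoanda', PASSWORD_DEFAULT),
        'permissions' => 'ban_ips,ban_keywords',
    ),
    'admin2' => array(
        'userid'      => 'admin2',
        'hash'        => password_hash('barrel of rum!', PASSWORD_DEFAULT),
        'permissions' => 'ban_ips',
    ),
);

$gw = new UserGateway($rows);
var_dump($gw->findUser('admin1', 'yohohoanda'));     // correct password
var_dump($gw->findUser('admin2', 'barrelofrum'));    // password with its punctuation removed
var_dump($gw->findUser('admin-1', 'yohohoanda'));    // username containing a non-alphanumeric
var_dump($gw->findUser('nobody', 'yohohoanda'));     // unknown username
```

The four calls at the bottom show the two things the plaintext version gets wrong: a password is only equal to itself (no character stripping, no loose ==), and an unknown user takes the same time to reject as a known user with a bad password.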
Posted: Thu Jan 04, 2007 6:15 pm
by Ambush Commander
Hmm... that's an interesting idea; if I'm working on refactoring code, that's something I could easily do. Although, I wonder why you also put the password in the finder.
Posted: Thu Jan 04, 2007 6:21 pm
by Luke
arborint, you always have such cool ideas... I love it.
Posted: Thu Jan 04, 2007 7:07 pm
by Christopher
Ambush Commander wrote: Hmm... that's an interesting idea; if I'm working on refactoring code, that's something I could easily do. Although, I wonder why you also put the password in the finder.
As I said, you can change the interface to match your log-in logic. For really simple sites I just have it check in the Model if there is a record where both match. You could just as well do
$row = $user->findByKey($username) and check the password in the returned row.
Posted: Thu Jan 04, 2007 7:12 pm
by Ambush Commander
The interface I'm using is:
Code:
    $this->Plugin->verifyAdmin($post['colocus_password'])
Where $this->Plugin is a sort of configuration object. Obviously doesn't lend very well to the method, but refactoring would be needed anyway if you wanted to extend the functionality.
Posted: Thu Jan 04, 2007 7:30 pm
by Christopher
Code:
    class UserGatewayPlugin {
        function verifyAdmin($password) {
            // Set of accepted admin passwords; only the keys matter.
            $rows = array(
                'admin1' => 1,
                'admin2' => 1,
            );
            $password = pref_replace('/[^a-zA-Z0-9]/', '', $password);   // "pref_replace" sic, as posted
            // As posted this read $rows[$username], but $username is not defined here.
            if (isset($rows[$password])) {
                return true;
            }
            return false;
        }
    }
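An added example, mine rather than code from the thread: the single-method verifyAdmin($password) interface the original poster already calls, backed by one bcrypt hash read from a config file kept outside the document root, plus a per-client failed-attempt limit, because a password gate with no "stop" is exactly what Christopher's PS about brute force is warning about. The class name, file paths, limit and window values and the client address are assumptions; the hash is computed inline only so the script runs stand-alone. Assumes PHP 5.5 or later.

```php
<?php
// Added example, not from the thread: the verifyAdmin($password) interface
// the original poster describes, backed by one bcrypt hash from a config file
// (kept outside the document root) plus a per-client attempt limit, since any
// password gate can be guessed online if it never says "stop". Class name,
// file paths, the limit/window values and the sample address are assumptions.

class AdminAuth
{
    private $hash;       // password_hash() output read from the config file
    private $stateFile;  // failed-attempt counters, also outside the docroot
    private $limit;      // failures allowed per client per window
    private $window;     // seconds

    public function __construct($hash, $stateFile, $limit = 5, $window = 900)
    {
        $this->hash      = $hash;
        $this->stateFile = $stateFile;
        $this->limit     = $limit;
        $this->window    = $window;
    }

    // $now is injectable so the lockout window can be exercised without sleeping.
    public function verifyAdmin($password, $clientIp, $now = null)
    {
        $now   = ($now === null) ? time() : $now;
        $state = $this->load();
        $entry = isset($state[$clientIp]) ? $state[$clientIp]
                                          : array('fails' => 0, 'since' => $now);

        if ($now - $entry['since'] >= $this->window) {
            $entry = array('fails' => 0, 'since' => $now);   // window elapsed
        }
        if ($entry['fails'] >= $this->limit) {
            return false;   // locked out: refuse without even checking
        }

        $ok = password_verify((string) $password, $this->hash);
        if ($ok) {
            unset($state[$clientIp]);
        } else {
            $entry['fails']++;
            $state[$clientIp] = $entry;
        }
        $this->save($state);
        return $ok;
    }

    private function load()
    {
        if (!is_file($this->stateFile)) {
            return array();
        }
        $data = json_decode((string) file_get_contents($this->stateFile), true);
        return is_array($data) ? $data : array();
    }

    private function save(array $state)
    {
        // LOCK_EX so two concurrent requests do not overwrite each other.
        file_put_contents($this->stateFile, json_encode($state), LOCK_EX);
    }
}

// The config file (assumed) holds only the hash, e.g.
//   <?php return array('admin_hash' => '<output of password_hash()>');
// generated once with: php -r 'echo password_hash("the password", PASSWORD_DEFAULT);'
// Here the hash is computed inline so the example runs stand-alone.
$config    = array('admin_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT));
$stateFile = sys_get_temp_dir() . '/admin_attempts.json';
@unlink($stateFile);  // start the demo from a clean slate

$auth = new AdminAuth($config['admin_hash'], $stateFile, 5, 900);
$ip   = '203.0.113.7';   // constructed client address (TEST-NET-3)
$t0   = 1000000;

for ($i = 0; $i < 5; $i++) {   // five wrong guesses from the same client
    var_dump($auth->verifyAdmin('guess' . $i, $ip, $t0 + $i));
}
var_dump($auth->verifyAdmin('correct horse battery staple', $ip, $t0 + 10));   // right password, inside the lockout window
var_dump($auth->verifyAdmin('correct horse battery staple', $ip, $t0 + 900));  // right password, after the window has elapsed
```

Two caveats a practitioner should keep in mind: keying the counter on the client address locks out everyone behind a shared NAT and does nothing against guesses spread over many addresses, so a global counter or an alert on the total failure rate is a useful second layer; and the password still travels in the POST body, so without TLS it is readable on the wire, exactly as it would be with HTTP Basic.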
Posted: Thu Jan 04, 2007 8:37 pm
by Ambush Commander
But the rest of the plugin is all settings like database login parameters, configuration on view timers, path to web root, etc. It makes no sense to put that sort of logic there. Don't worry about it though, I've got a good idea from your original idea on how to go about doing it.
By the way, what's pref_replace?

Posted: Thu Jan 04, 2007 10:38 pm
by Christopher
Ambush Commander wrote: By the way, what's pref_replace?

Regular expressions with a lisp I guess?!?