Topic: Controller security when using dispatcher for front-end

Guys,

Sorry to be asking this question but I've trawled the forum looking for answers.

I'm building a very basic plugin which allows a site visitor to add their email address to a mailing list (database table). (There could well be a plugin out there but it's a learning exercise more than anything.)

Now, I've got the plugin "kind of" working however I'm a bit unsure of how to deal with security in the controller. I only want two methods from the controller to be available to a site user i.e. there are two dispatcher rules - one for add and one for unsubscribe. At the moment, it only works when I'm logged in to the backend as the following is being called with the constructor:

    // Called from the constructor: loads the session user and sends anyone
    // who is not logged in to the backend login page, for every action.
    private static function _checkPermission() {
        AuthUser::load();
        if ( ! AuthUser::isLoggedIn()) {
            redirect(get_url('login'));
        }
    }

Any help or a point in the right direction would be appreciated.

Cheers,
Chris

Re: Controller security when using dispatcher for front-end

That check effectively denies access to any of the methods as long as you're not logged in.

You can keep the call to AuthUser::load() in the constructor. This loads user session information (i.e. are you logged in and if so who are you) into memory.

Then you can add something like the following code to the top of any function that you don't want to allow frontend access to.

    // Only applies outside the backend (CMS_BACKEND undefined or false).
    if ( ! defined('CMS_BACKEND') || CMS_BACKEND == false) {
        // Not logged in and without the admin_view permission: send to login.
        if ( ! AuthUser::isLoggedIn() && ! AuthUser::hasPermission('admin_view')) {
            redirect(get_url('login'));
        }
    }

This code will basically redirect you to the login page if you are not in the backend AND are not logged in AND don't have the "admin_view" permission (which you would have if you could view the backend).

Wolf CMS founder and lead developer
Please always check the Support forums and Wiki before asking. (My Ohloh account.)
Like Wolf CMS? Consider making a financial contribution or see our financial report first.
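To show how the question's plugin (two public dispatcher actions, everything else backend-only) fits together with the per-method guard from the reply above, here is an added example controller. It is not code from this thread or from the Wolf CMS project. It assumes that plugin controllers extend PluginController, that routes are registered with Dispatcher::addRoute() in the plugin's index.php, that Record::getConnection() returns a PDO handle, and that $this->display() renders a view; the table name newsletter_subscriber, the column names and the newsletter/* URLs are made up for the example.

```php
<?php
// Added example (not from the thread or Wolf CMS): mailing-list plugin
// controller whose dispatcher-routed actions (add, unsubscribe) stay public
// while the backend listing action is guarded. Names marked "assumed" are
// assumptions, not verified Wolf CMS API.

// --- plugin index.php (assumed location for route registration) ---
Dispatcher::addRoute(array(
    '/newsletter/add'         => '/plugin/newsletter/add',
    '/newsletter/unsubscribe' => '/plugin/newsletter/unsubscribe',
));

// --- NewsletterController.php ---
class NewsletterController extends PluginController   // assumed base class
{
    public function __construct()
    {
        // Only load session/user data here. A redirect in the constructor
        // would block every action, including the two public ones.
        AuthUser::load();
    }

    // Guard for backend-only actions: the condition from the reply above.
    private static function _requireBackendUser()
    {
        if ( ! defined('CMS_BACKEND') || CMS_BACKEND == false) {
            if ( ! AuthUser::isLoggedIn() && ! AuthUser::hasPermission('admin_view')) {
                redirect(get_url('login'));
            }
        }
    }

    // Public front-end action: store a validated address with an unsubscribe token.
    public function add()
    {
        $email = isset($_POST['email']) ? trim($_POST['email']) : '';
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            redirect(get_url('newsletter/invalid'));   // assumed error page
            return;
        }
        $token = bin2hex(random_bytes(16));            // PHP 7+: unguessable token
        $pdo  = Record::getConnection();               // assumed: PDO handle
        $stmt = $pdo->prepare(
            'INSERT INTO newsletter_subscriber (email, token, created) VALUES (?, ?, NOW())'
        );
        $stmt->execute(array($email, $token));         // bound parameters, no string building
        // The token would be mailed to the address so only its owner can unsubscribe.
        redirect(get_url('newsletter/thanks'));        // assumed confirmation page
    }

    // Public front-end action: remove by token rather than by email, so a
    // visitor cannot unsubscribe somebody else's address.
    public function unsubscribe()
    {
        $token = isset($_GET['token']) ? $_GET['token'] : '';
        if ( ! preg_match('/^[0-9a-f]{32}$/', $token)) {
            redirect(get_url('newsletter/invalid'));
            return;
        }
        $pdo  = Record::getConnection();
        $stmt = $pdo->prepare('DELETE FROM newsletter_subscriber WHERE token = ?');
        $stmt->execute(array($token));
        redirect(get_url('newsletter/unsubscribed'));
    }

    // Backend-only action: the guard runs before any work is done.
    public function index()
    {
        self::_requireBackendUser();
        $pdo  = Record::getConnection();
        $rows = $pdo->query('SELECT email, created FROM newsletter_subscriber ORDER BY created DESC')
                    ->fetchAll(PDO::FETCH_ASSOC);
        $this->display('newsletter/views/index', array('subscribers' => $rows));   // assumed
    }
}
```

Two points worth checking when adapting this. First, the guard is copied verbatim, so it redirects only when the visitor is both not logged in and without admin_view; a logged-in account that lacks admin_view passes. If a backend action should be reachable only by users holding that permission, test `! AuthUser::isLoggedIn() || ! AuthUser::hasPermission('admin_view')` instead. Second, every public action treats request data as untrusted: the address is validated, the token is pattern-checked, and all SQL uses bound parameters.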

Re: Controller security when using dispatcher for front-end

Martijn,

Thanks so much for clarifying this for me. Front end seems to be working fine whilst blocking access to the back-end controller methods :)

Thanks for your help,
Chris

Re: Controller security when using dispatcher for front-end

You're welcome :)
