Friday, January 3, 2014

RE: Is admin_ prefix a security or just convenient?

More streamlined:

 

Cut out a few snips but general overview:

/************************************************************

       * CHECK VALID LOGIN AND 1 USER PER ACCOUNT

       * ***********************************************************

       *

       * @access public

       * @return bool

       *

       *

       ************************************************************/

       public function isAuthorized() {

              $access = false;

              $active_session = ClassRegistry::init('UserManager.User')->field('active_session', array('id' => $this->AuthUser->getUserId()));

              //only allow access to 1 user per account

             

              //SAME USER ACCOUNT LOGGED IN TWICE?

              if($active_session != $this->AuthUser->getActiveSession()) {

                     $this->Session->destroy();

                     $this->Session->setFlash(__('You have been logged out. Your account has been logged into from another location.', true), 'default', array('class' => 'flash_fail'));

              }

             

 

              if (isset($this->params['prefix']) && $this->params['prefix'] != null) {

                    

                     $access_role = $this->AuthUser->getRoleName();

                     $this_prefix = $this->params['prefix'];

                    

                     if ($this_prefix != $access_role){

                           $this->Session->destroy();

                           $this->Session->setFlash(__('You have been logged out. Permission Denied.', true), 'default', array('class' => 'flash_fail'));

                           $this->redirect('/login');

                     }

 

                     if($this->AuthUser->getUserId() && $this_prefix === $access_role) {

                           $this->layout = 'admin';                       

                           $access = true;

                     } else {

                           $access = false;

                           $this->Session->destroy();

                           $this->Session->setFlash(__('You have been logged out. Permission Denied.', true), 'default', array('class' => 'flash_fail'));

                           $this->redirect('/login');

                     }

 

              } else {

                     // no prefix set

                     $access = true;

              }

              return $access;

       }

 

 

 

Dave Maharaj

Freelance Designer | Developer

www.movepixels.com  |  dave@movepixels.com  |  709.800.0852

 

From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Stephen S
Sent: Friday, January 03, 2014 3:16 PM
To: cake-php@googlegroups.com
Subject: Re: Is admin_ prefix a security or just convenient?

 

Prefix is a convenience in which you can have the option to build up security for it, that's why it's named prefix rather than admin, it's just admin is a very common prefix.

 

Some people like to make their prefixes obscure (Security through obscurity), i.e. rather than type admin/users/index you would need to type acp/users/index (i.e. admin control panel).

 

As for the security part of things, there are all sorts of ways of going about this. A common way is to check if the admin prefix is in use in your app controller's beforeFilter method, if the user is accessing the admin prefix then you simply check their user_type_id field.

if($this->params['prefix'] == 'admin') {
   if($this->Auth->user('user_type_id') != Configure::read('AdminTypeId)) {
      // User does not have access to this page, redirect them etc
   }
   $this->layout = 'name_of_admin_layout';
}

 

In the above example I used Configure::read, that's just because I don't like to check against foreign keys in my code, I prefer to store them in a config file so if I reference an id more than once - I don't need to update it several times.

 

The benefit of this is that you only ever have to check if the person accessing /admin/... has permission in once place. You're basically just checking the user's session in a very non-taxing way which has no real strain on the application.

isAuthorized can be used on login ideally, an example usage would be if you had a banned or deleted field in your database table, you can check these fields and decide what to do, for example:

 
         public function isAuthorized($user) {
                 if($user['deleted']) {
                          $this->Session->setFlash('This account has been deleted.', null, null, 'auth');
                          $this->redirect($this->Auth->logout());
                          return false;
                 }
 
                 return true;
         }
 
 
 
In short I think using a prefix is pretty useful and great for admin sections, you can separate your admin methods from your regular methods and you don't need to check permissions all over the place. The worst admin integration would have to be once I saw somebody made an admin controller which was pretty nasty...

 

On 3 January 2014 15:52, David Deley <deleydavid@gmail.com> wrote:

I understand a user can not directly access mysite.com/users/admin_index

 

Instead they go to mysite.com/admin/users/index

 

But, is there any automatic security checking? Because anyone can type in mysite.com/admin/users/index 

 

Is it still up to the UsersController to filter out unauthorized users? such as have an IsAuthorized setting, or the function admin_index still needs to check the user's privileges and reject the request if the user doesn't have admin privs?

 

In which case I don't see the advantage of using the admin_ prefix. Seems like a big security problem if every controller function needs to check the user's privileges. Is there a better way I'm missing?

 

Can IsAuthorized somehow say only admin users are allowed to run admin functions?

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
 
---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+unsubscribe@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/groups/opt_out.



 

--
Kind Regards

 Stephen Speakman

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
 
---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+unsubscribe@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/groups/opt_out.

No comments: