bake.php is some sort of command line script that the Windows user in
me is trying to avoid.  But I think it has a wizard type thing in your
web browser too, at least I remember something like that somewhere.  I
think it's easier to just make the classes yourself, because you have
to go check what the script outputted anyway.  "Baking" I think is
general, making anything with CakePHP.

The admin route has nothing to do with security.  All it does is add
the word "admin" in your URL, with the controller and action still
working as they should (instead of being pushed back to parameters or
something).

Here is my example use of the admin route, not sure if it's entirely
secure:

1. I am the only person that needs to be logging in on my site.  I'm
the only admin, and users are just visitors.  So I added this to the
model to validate a password of my choice:

        // Url model: the password field must match this regex exactly
        var $validate = array(
                'password' => '/^MyPaSsWoRd$/',
        );

2. Create an admin action for login.  This would display the form.

        function admin_login() {
                // ask for password, create session if password is correct
                // if no session, show form so you can login
                // if yes session, you're already logged in, redirect to index
                if ($this->Session->check('Admin')) {
                        // logged in, redirect to admin_index
                        $this->redirect('/admin/urls/');
                } elseif ($this->data && $this->Url->validates($this->data)) {
                        // form was submitted, and the password matched the regex
                        // in the model, so let's create the session
                        // (check $this->data first so an empty request never
                        // passes validation)
                        $this->Session->write('Admin', 1);
                        $this->redirect('/admin/urls/');
                } else {
                        // no data and no session... you probably just opened it!
                        // do nothing, just let the view display the ... uh.. view
                        $this->validateErrors($this->Url);
                        $this->render();
                }
        }

3. Of course, you'll be putting a form with a password field named
Url/password in views/urls/admin_login.thtml:

        <form method="post" action="<?php echo $html->url('/admin/urls/login'); ?>">
        <b>Enter the password:</b>
        <?php
                // shows the error message when validation in the model failed
                echo $html->tagErrorMsg('Url/password', '<span class="error">Wrong Password</span>');
                echo $html->password('Url/password', array('size' => '20'));
        ?>
        <p>
        <input type="submit" value="Go!" />
        </p>
        </form>

4. In admin_index(), I just check the session exists.  If it does, show
its view, with admin related tools or stats or whatever.  If not,
redirect the user back to the login form.  Urls is my controller name,
in case you didn't catch that.  Replace that with your own!

5.  Because I'm the only person that needs to login, I don't even
provide a link to the login form on my site.  I manually type
example.com/admin/urls/login in my browser.

6.  You could use a bit of obfuscation, by changing the word "admin" to
something less obvious when you enable the admin routes.  This would be
good if you don't want people guessing obvious URLs, and you don't want
them to know you even have an admin section.  Name it something weird,
so the URL would be example.com/lskdfjksdf/urls/login .  Not really
more secure, but it'll keep your nosy URL hackers from finding the
login form.  I know this is what osCommerce relied on for security last
time I tried it.
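As an added example (not code from the original post or from the CakePHP project), here is the same single-admin login flow with the session gate moved into beforeFilter(), so every admin_* action is covered by one check, and the password compared against a stored hash instead of a plaintext regex in the model. It assumes CakePHP 1.x controller conventions (Session component, $this->action, a redirect() that stops execution), PHP 5.5+ for password_hash()/password_verify(), and a hypothetical ADMIN_PASSWORD_HASH constant defined in the app config.

```php
<?php
// Added example, not from the original post. Assumes CakePHP 1.x controller
// conventions and PHP 5.5+. ADMIN_PASSWORD_HASH is a hypothetical constant in
// app config holding password_hash('your-password', PASSWORD_DEFAULT), so the
// plaintext password never sits in the source tree.
class UrlsController extends AppController {
    var $name = 'Urls';
    var $components = array('Session');

    function beforeFilter() {
        // Gate every admin_* action except the login form itself. This replaces
        // repeating the Session->check() in each admin action by hand.
        if (strpos($this->action, 'admin_') === 0
            && $this->action != 'admin_login'
            && !$this->Session->check('Admin')) {
            // assumes redirect() halts the request; on versions where it does
            // not, follow it with exit so the action body never runs
            $this->redirect('/admin/urls/login');
        }
    }

    function admin_login() {
        if ($this->Session->check('Admin')) {
            $this->redirect('/admin/urls/');   // already logged in
        }
        if (!empty($this->data['Url']['password'])) {
            // password_verify() compares in constant time against the hash;
            // a wrong guess falls through and redisplays the form.
            if (password_verify($this->data['Url']['password'], ADMIN_PASSWORD_HASH)) {
                $this->Session->write('Admin', 1);
                $this->redirect('/admin/urls/');
            }
            $this->Session->setFlash('Wrong password');
        }
        $this->render();
    }

    function admin_logout() {
        // Drop the session flag so the browser has to log in again.
        $this->Session->delete('Admin');
        $this->redirect('/admin/urls/login');
    }

    function admin_index() {
        // beforeFilter() already verified the session; nothing to check here.
    }
}
```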
