I agree 100% with Kornel

As a sidenote: I you are using Apache and would like to restrict access to template sources altogether, simple drop an .htaccess file with the following content in the template source directory:

   Deny From All

You probably know this anyways, but I'm just sharing this common principle for restriciting public access on a per-directory basis, especially for things containing sensitive stuff (like configuration files with database connection params). This, off course, only works if the server is set up to allow .htaccess overrides for the given virtual host / document root / directory / whatever.

Have fun,

Kornel Lesiński wrote:
On 07-11-2008 at 09:38:13 Zbyněk Nevrlý <[EMAIL PROTECTED]> wrote:

I am using PHPTAL for seperate business logic from presentation. So there are controllers, model classes and views (HTML templates). Problem is there views/*.html are accessible from direct calling through URL (I need to have views in public_html for Javascript and Ajax dependencies).

This shouldn't matter. Filesystem paths of template files are unrelated to URLs - you can put PHPTAL templates anywhere you want, even if templates use Javascript and other files from public_html.

Is there any common practices to protect those *.html from unauthorized users?

You should move template files outside document root or configure web server to deny direct access to these files (browsers *never* need to download template files).

<?php session_start(); if (!$auth->isAuthorized) { redirect to login form here} ?>

Is possible to do that way?

It sort-of is, but that's a wrong problem to solve :)

PHPTAL mailing list

Reply via email to