I have a problem on one of my websites. I have a CMS based on FCKeditor, and a programmer used this solution to have editable pages on the site.
Editable pages look like: /mycmspage.php?page=1
AND if I replace the "page" by "edit", anybody can edit the page, and this sucks big time! And the programmer told me there are no solutions to this :(
Is this true, is there no way to protect access, using .htaccess or something?
If you can use F-fox, which allows you to set your user agent, you could set Apache to only allow access to a specific user agent. IOW when you couple F-fox's user agent switching and the ability to deny access to all other user agents, you can 'virtually' password protect a page or directory through a useragent check.
I use this for log files stored in applications such as Webalizer... I have an htaccess file that says if the user agent is not Justin's UserAgent (or whatever custom string I tell Firefox to be), forbid access. Then I use F-fox to switch my user agent to a custom string, so I do not have to type passwords to view the log files on any of my sites.
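# Forbid "edit" requests unless the User-Agent header contains the custom string
RewriteEngine On
RewriteCond %{QUERY_STRING} edit [NC]
RewriteCond %{HTTP_USER_AGENT} !WHATEVERYOUWANT
RewriteRule ^mycmspage\.php$ - [F]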
Rule = if someone requests the page mycmspage.php, check the conditions and complete the rewrite if the conditions are true. In this case forbid access.
Condition 1: if the query string (stuff after the ?) contains the word edit [AND]
Condition 2: if the useragent is not WHATEVERYOUWANT (which obviously should be a string only you would use, set in Firefox, e.g. 1r4E5wu7)
- [F] = Serve a Forbidden (403) Error
Hope this makes sense and helps.
Justin
Added: the need to be a little creative with this instead of a regular .htaccess solution seems to be the page=1 should allow access to all users (if I am understanding correctly) and regular .htaccess protection of the file would create the need for all users, even of page=1 to need a password. (Assumed, because otherwise password protection is easy and obvious through regular .htaccess protection.)
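An added example, not part of the original posts: on Apache 2.4 or later, an `<If>` expression lets regular .htaccess password protection apply only to requests that are not a plain public view, so page=1 stays open to everyone. The file name and the page parameter come from the thread; the realm name, the user name editor and the /path/to/.htpasswd location are placeholders, and the assumption is that public views always have the exact form ?page=<number>.

```apache
# Assumes Apache 2.4+ with AllowOverride All for this directory.
# Create the password file first, outside the web root (placeholder path):
#   htpasswd -c /path/to/.htpasswd editor
<Files "mycmspage.php">
    # Public views look exactly like ?page=<number>; those pass without a login.
    # Every other query string, including anything containing "edit",
    # requires a valid user from the password file.
    <If "%{QUERY_STRING} !~ /^page=[0-9]+$/">
        AuthType Basic
        AuthName "CMS editing"
        AuthUserFile "/path/to/.htpasswd"
        Require valid-user
    </If>
</Files>
```

Basic authentication sends the password with every request, so the site should be served over HTTPS.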
If I may ask you something else, is it possible to restrict the access to a user that would come from a certain page/area of my site?
For instance, it would be someone that logged in, so it is a trusted person that could edit pages safely.
My restricted area looks like siteUrl/admin/settings.php
Can I tell the server to let the user "edit" if he comes from there?
Thanks again! Sorry for the newbie questions :)