Hi all!

The following site shows a (kinda hack-ish) way to protect an admin route with .htaccess:

http://snook.ca/archives/servers/password%5Fprotect%5Fadmin/

If I understand it correctly, it only works because CakePHP runs a check for the 'real' file presence before it processes its own URL logic. So, when you request yoursite.com/admin, it checks for the default document in the (real, since we've created it) /admin dir, and this check triggers the authentication.

My issue is: the 'hack' works OK if I set my debug level to '1' or higher. If I set it to Production Mode ('0'), I just get a cake-interpreted HTTP 401 (Access Denied) error.

So, my question is: is there any way to make this 'hack' work with the debug level set to zero?

+2  A: 

Check out the SecurityComponent which lets you set up basic HTTP Authentication with a few lines of code in your beforeFilter. Should be a lot more robust than this hack.


I do agree though that the AuthComponent is terrifically easy to set up. You just copy and paste the snippets for the UserController and login form, run the table creation script, try to log in, take the encoded password from the SQL log, put it in the database and add Auth to the component list in your controller. Takes less than 3 minutes and makes a better impression on the client (in case anybody cares ;)).

deceze
You people might be right, I am probably over-resisting using the Auth component lol. In any case, this SecurityComponent also looks interesting to me, I think I'll give it a shot. If it turns out over-complicated or under-featured, I guess I'll just stop complaining and try the Auth component. =D
Rafael Almeida
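
The SecurityComponent approach suggested in the answer above, sketched as an added example that is not part of the original thread. It assumes CakePHP 1.x (where SecurityComponent provides `requireLogin()`), admin prefix routing that sets `$this->params['admin']`, and a hypothetical `AdminAuth.users` configuration key holding a username => password array.

```php
<?php
// Added example for CakePHP 1.x; not code from the thread.
class AppController extends Controller {
    // Once loaded, SecurityComponent also checks POSTed form data for
    // tampering, so forms should be built with FormHelper.
    var $components = array('Security');

    function beforeFilter() {
        // Assumption: admin prefix routing is enabled, so requests for
        // /admin/... arrive with $this->params['admin'] set.
        if (empty($this->params['admin'])) {
            return;
        }

        // Hypothetical config key: array('username' => 'password').
        // Reading it from configuration keeps credentials out of the
        // controller source. A missing key yields an empty list, so
        // every login attempt is rejected (fail closed).
        $users = (array) Configure::read('AdminAuth.users');

        $this->Security->loginOptions = array(
            'type'  => 'basic',
            'realm' => 'Admin area',
        );
        $this->Security->loginUsers = $users;

        // Basic auth only base64-encodes the credentials, so refuse
        // admin requests that do not arrive over HTTPS.
        $this->Security->requireSecure();

        // No action names given: every action of an admin request
        // requires a valid HTTP login.
        $this->Security->requireLogin();
    }
}
```

Because the check runs inside the framework's own request handling, it does not depend on a real `/admin` directory existing on disk.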
A: 

I didn't know how to add this as a comment to the original question, but I have a case where I am using Auth for my app, but still need .htpasswd to work for AwStats which is in the root of my hosting account along with my CakePHP Application.

My issue is exactly how the OP describes whereby if I set debug to 1 everything works fine, but if I set it to 0 for production I get Error 401 when I try to access /awstats.

So can anyone throw some light on what Cake is doing differently with the request when debug is 0 compared to when it is set to 0?

Thanks,

Paul.

WebbedIT