Forum for discussing general topics related to Couch.
6 posts Page 1 of 1
Hello.

I have included some custom php scripts into couch administration. It works well, however the file which is included <iframe src="../s_admin.php" width="770" height="600" frameborder="0"> is also visible through direct path http://www.url.com/s_admin.php.

Is there any variable which is set just when logging in through administration that I can include?

I have tried with
if ( !defined('K_COUCH_DIR') ) die();

but it's not working (it opens an empty page)
Hi,

The simplest way, I think, would be to use JavaScript on the page being embedded to check if it has a parent IFRAME or not and then behave accordingly. This can, of course, be bypassed by the visitor by disabling JS.

The foolproof method would be the PHP/Couch way where we pass a 'nonce' (a unique token that cannot be guessed or fudged) as parameter to the embedded page which then can check for this token and alter its behavior.

I'm assuming you are trying to prevent only the general public from directly accessing the page; is that correct?
The person with access to the admin-panel can always find the token used and access the page directly, so there is no way of enforcing this for her.

Please let me know if you require help with the discussed solution.
I'll need to know exactly how you are embedding the page in the admin-panel for that.
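The nonce approach described in the reply above, written out as an added example in plain PHP (this is not code from the thread or from CouchCMS). It assumes a shared secret readable by both the admin template and s_admin.php, stored at an assumed path outside the web root, and a token lifetime of five minutes; both values are placeholders.

```php
<?php
// Added example, not part of the original thread or of CouchCMS.
// ASSUMPTION: the admin template and s_admin.php both read the same secret
// from a file outside the web root; the path below is a placeholder.
const EMBED_SECRET_FILE = __DIR__ . '/../embed_secret.txt';
const TOKEN_TTL = 300; // seconds a token stays valid (assumed value)

function embed_secret(): string {
    $s = @file_get_contents(EMBED_SECRET_FILE);
    if ($s === false || strlen(trim($s)) < 32) {
        throw new RuntimeException('embed secret missing or too short');
    }
    return trim($s);
}

// Admin side: build the token that goes into the IFRAME src.
// Format: <expiry>.<random salt>.<HMAC over expiry and salt>
function make_embed_token(string $secret, int $now): string {
    $exp  = $now + TOKEN_TTL;
    $salt = bin2hex(random_bytes(8));
    $mac  = hash_hmac('sha256', "$exp.$salt", $secret);
    return "$exp.$salt.$mac";
}

// Embedded side: accept only an unexpired token whose MAC verifies.
function verify_embed_token(string $secret, string $token, int $now): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$exp, $salt, $mac] = $parts;
    if (!ctype_digit($exp) || (int)$exp < $now) {
        return false; // malformed or expired
    }
    $expected = hash_hmac('sha256', "$exp.$salt", $secret);
    return hash_equals($expected, $mac); // constant-time comparison
}

// --- in the admin template that embeds the page ---
// $t = make_embed_token(embed_secret(), time());
// echo '<iframe src="../s_admin.php?t=' . rawurlencode($t) . '"></iframe>';

// --- at the very top of s_admin.php ---
// if (!verify_embed_token(embed_secret(), $_GET['t'] ?? '', time())) {
//     http_response_code(403);
//     exit;
// }
```

As the reply notes, anyone who can see the rendered IFRAME src can reuse the token until it expires, so this only keeps out visitors who never reach the admin panel.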
I'm assuming you are trying to prevent only the general public from directly accessing the page; is that correct?
The person with access to the admin-panel can always find the token used and access the page directly, so there is no way of enforcing this for her.


Yes, that's correct.

My code is:

<?php require_once( '../management/cms.php' ); ?>
       
<cms:template title='Admin panel' >

<cms:editable name='admin_content' type='message' >
<p style="font-size:14px;">Admin panel<br /></p>

<iframe src="../s_admin.php" width="770" height="600" frameborder="0">

</iframe>

</cms:editable>


</cms:template>


<?php COUCH::invoke(); ?>   


Appreciate your help !!
OK, so if the requirement is only to limit access to admins we can simply add an authentication check to the file -

Add the following at the very beginning of the 's_admin.php' being embedded in the IFRAME -
<?php

define( 'K_COUCH_DIR', str_replace( '\\', '/', dirname(realpath(__FILE__) ).'/couch/') );
require_once( K_COUCH_DIR.'header.php' );

$AUTH->check_access( K_ACCESS_LEVEL_ADMIN, 1 );

// at this point we have a logged in user with admin privileges

echo 'hello!';

The code above assumes that 's_admin.php' resides in the site's root and the admin folder is named 'couch' - please adjust it to match your site's settings.

Does this help?
Yes,
this is it!

thank you!!! :)
You are welcome :)