0
votes

I have a Controller class that extends AppController in CakePHP, and this Controller class has a public function, let's say testFunc():

    class xyzController extends AppController {
          ..
          ..
          public function testFunc($params, $auth_username)
          {
                 ..
                 ..
          }
    }

I have made this function public since I need to call it from another Controller, which also extends AppController.

    class abcController extends AppController {
          ..
          ..
          public function callingFunc()
          {
                 ...
                 $controller = new xyzController($this->request, $this->response);
                 $controller->testFunc($params, $username);
          }
          ..
          ..
    }

But since I made it public, I see that testFunc() is accessible with a curl command at the HTTPS path below:

https://[ip_address]/xyz/testFunc/arg=test/root

As you can see, the above path passes "root" as the argument to testFunc() and gives full access to anyone who requests that path with curl.

My requirement is to remove this security issue.

I am totally new to PHP and CakePHP. Can someone please give any pointers to how I can proceed?

2 Answers

2
votes

"I need to call it from another Controller". This is almost never actually true, it usually indicates a flawed design. If testFunc is not meant to be accessed through a browser, then move it to somewhere that both controllers can access it without it being a public member. For example, make it a protected (or even private) member of your AppController, or if it's doing model-specific stuff, maybe it can be moved to that model's table class.

0
votes

The solution is pretty simple.

`public function _testFunc($params, $auth_username)` will do the magic.

In CakePHP, if the function name has an underscore prefix, it cannot be accessed via the URI but can still be called internally from other functions.
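Combining the two answers above (move the shared code out of the routable controller into AppController, and make it non-public), as an added example that is not code from the question or either answer. It assumes CakePHP 2.x conventions (`App::uses`, AuthComponent loaded via `$components`) and that the username is taken from the authenticated session rather than from a URL argument.

```php
<?php
// Added example (not from the original question or answers).
// The helper the question calls testFunc() now lives in AppController as a
// protected, underscore-prefixed method: CakePHP only dispatches public
// methods as actions, so no URL such as /xyz/testFunc/arg=test/root can
// reach it, while every controller that extends AppController can call it.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    // Assumption: AuthComponent is configured so $this->Auth->user() works.
    public $components = array('Auth');

    // Not an action: protected AND underscore-prefixed, never routable.
    protected function _testFunc(array $params, $authUsername) {
        // Never trust a username that arrives from the request; compare it
        // with the identity CakePHP established at login.
        $sessionUser = $this->Auth->user('username');
        if ($sessionUser === null || $sessionUser !== $authUsername) {
            throw new ForbiddenException('Not allowed');
        }
        // ... the shared logic both controllers need goes here ...
        return true;
    }
}

class xyzController extends AppController {

    // A real, intentionally routable action that uses the shared helper.
    public function index() {
        $this->_testFunc($this->request->params, $this->Auth->user('username'));
    }
}

class abcController extends AppController {

    public function callingFunc() {
        // No need to instantiate xyzController: the shared code is inherited,
        // so a plain method call on $this is enough.
        $this->_testFunc($this->request->params, $this->Auth->user('username'));
    }
}
```

With this layout a request to /xyz/_testFunc/... is rejected by the dispatcher before any controller code runs, and the "root" argument from the question no longer has a public entry point to reach.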