[PHPTAL] protecting html templates

Werner lists at mollentze.co.za
Fri Nov 7 11:54:05 CET 2008


I agree 100% with Kornel

As a sidenote: If you are using Apache and would like to restrict access 
to template sources altogether, simply drop an .htaccess file with the 
following content in the template source directory:

    Deny From All

You probably know this anyways, but I'm just sharing this common 
principle for restricting public access on a per-directory basis, 
especially for things containing sensitive stuff (like configuration 
files with database connection params). This, of course, only works if 
the server is set up to allow .htaccess overrides for the given virtual 
host / document root / directory / whatever.

Have fun,
Werner


Kornel Lesiński wrote:
> On 07-11-2008 at 09:38:13 Zbyněk Nevrlý <znevrly at gmail.com> wrote:
>
>> Hi,
>> I am using PHPTAL for separate business logic from presentation. So
>> there are controllers, model classes and views (HTML templates).
>> Problem is there views/*.html are accessible from direct calling
>> through URL (I need to have views in public_html for Javascript and
>> Ajax dependencies).
>
> This shouldn't matter. Filesystem paths of template files are 
> unrelated to URLs - you can put PHPTAL templates anywhere you want, 
> even if templates use Javascript and other files from public_html.
>
>> Is there any common practices to protect those *.html from 
>> unauthorized users?
>
> You should move template files outside document root or configure web 
> server to deny direct access to these files (browsers *never* need to 
> download template files).
>
>> <?php session_start(); if (!$auth->isAuthorized) { redirect to login 
>> form here} ?>
>>
>> Is possible to do that way?
>
> It sort-of is, but that's a wrong problem to solve :)
>
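
An added example, not part of the original messages or of PHPTAL: a small audit that walks a document root and lists PHPTAL templates that no deny-all .htaccess covers, which is the condition both replies above ask you to eliminate. It assumes templates can be recognised by tal:/metal:/i18n: attributes; it only inspects files on disk, so it cannot tell whether the server honours .htaccess overrides, and it ignores rules that re-allow access further down the tree.

```python
import re
import tempfile
from pathlib import Path

# Deny-all directives: Apache 2.2 syntax (as in the message) and Apache 2.4 syntax.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
# Assumption: a file counts as a PHPTAL template if it uses tal:/metal:/i18n: attributes.
TAL_RE = re.compile(r"\b(?:tal|metal|i18n):[\w-]+\s*=")


def denied(directory, docroot):
    """True if an .htaccess in directory, or in an ancestor up to docroot, denies all."""
    docroot = Path(docroot).resolve()
    directory = Path(directory).resolve()
    for d in [directory, *directory.parents]:
        ht = d / ".htaccess"
        if ht.is_file() and DENY_RE.search(ht.read_text(encoding="utf-8", errors="replace")):
            return True
        if d == docroot:  # never look above the document root
            break
    return False


def exposed_templates(docroot):
    """Docroot-relative paths of templates not covered by a deny-all .htaccess."""
    found = []
    for path in Path(docroot).rglob("*.html"):
        text = path.read_text(encoding="utf-8", errors="replace")
        if TAL_RE.search(text) and not denied(path.parent, docroot):
            found.append(path.relative_to(docroot).as_posix())
    return sorted(found)


def demo():
    """Constructed sample tree: views/ is protected, pages/ is not."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "views/.htaccess": "Deny From All\n",
            "views/admin/list.html": '<ul><li tal:repeat="u users" tal:content="u"/></ul>',
            "pages/form.html": '<p tal:content="msg">x</p>',
            "static/about.html": "<p>plain HTML, not a template</p>",
        }
        for rel, body in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return exposed_templates(root)
```

Anything this reports is a candidate for moving outside the document root; confirm the result with a real HTTP request, since only the server knows whether the .htaccess is applied.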



