EuroDomenii

Changing admin URLs with certain values determines not-found behaviour for the client logged-in area


How to replicate

1) Change /config/routes.php (see https://www.blesta.com/forums/index.php?/topic/3469-ability-to-change-admin-url/):
Configure::set("Route.admin", "a");

2) Clear the Blesta cache from /cache/1/nav/1

3) The 404 not found behaviour is present on many pages of the logged-in client area:
- /client/accounts/
- /client/contacts/ (when there's no contact)
- lack of invoice and transaction listings on the dashboard

Debugging

The issue was deceiving, because when logged in as admin everything works flawlessly.

Only after debugging the issue while logged in as a client did I notice that on the first run $controllerClass comes as ClientAccounts, but on subsequent runs it wrongly comes as AdminAccounts, which triggers the _404 not-found controller due to lack of permissions.

See \web\vendors\minphp\bridge\src\Lib\Dispatcher.php, public static function dispatch($requestUri, $isCli = false)

if (!class_exists($controllerClass) || !method_exists($controllerClass, 'preAction')) {
    throw new Exception(
        sprintf('%s is not a valid controller', $controllerClass),
        404
    );
}

So values like "a" or "in" for admin_url trigger that behaviour. I guess that some kind of escaping is required, but I haven't investigated further.

On the other hand, Configure::set("Route.admin", "x"); works flawlessly. Also, there's no problem with longer admin paths. But lazy/efficient admins might prefer a one-letter admin URL.

Thx!
 

44 minutes ago, Blesta.Store said:

Yeah you are setting a route which conflicts with other urls.

The "buggy" admin_urls (a, x, in) don't exist in Blesta. Anyway, Blesta should have a validation in place.

 

44 minutes ago, Blesta.Store said:

Why do you want something short that any tom, dick or harry could guess?

There are pros and cons to security through obscurity.

From my point of view, I shall restrict the admin URL by IP anyway. I just love the idea of having a one-letter admin_url. It's fast and fun.

 

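Constructed example added to this thread, not Blesta's own dispatcher and not code from any poster: a toy PHP model of how an unanchored prefix match turns a one- or two-letter Route.admin such as "a" or "in" into a conflict with client controllers like accounts and invoices (the symptom described in the first post), why "x" and longer values happen not to collide, the anchored and escaped match that avoids the conflict, and the configuration-time validation the second post asks for. The controller names, request paths and the resolver functions are assumptions made for illustration.

```php
<?php
// Added illustration, not Blesta's code: a minimal model of how a very short
// admin route ("a", "in") can be matched as a bare prefix of other URLs, how an
// anchored, escaped match avoids that, and a configuration-time check for the
// validation the thread asks for. Controller names below are constructed.

/** Controllers that exist in the client area of this toy model (constructed). */
const CLIENT_CONTROLLERS = ['accounts', 'contacts', 'invoices', 'transactions'];

/**
 * Naive resolver: the configured admin route is dropped into a regex
 * unescaped and unanchored at the segment boundary. "a" matches "accounts",
 * "in" matches "invoices", so those client requests resolve to Admin*.
 */
function resolveNaive(string $adminRoute, string $uri): string
{
    $path = ltrim($uri, '/');
    return preg_match('#^' . $adminRoute . '#', $path) ? 'Admin' : 'Client';
}

/**
 * Hardened resolver: escape the configured value and require it to be a
 * complete first path segment, i.e. followed by "/" or the end of the path.
 */
function resolveAnchored(string $adminRoute, string $uri): string
{
    $path = ltrim($uri, '/');
    $pattern = '#^' . preg_quote($adminRoute, '#') . '(?:/|$)#';
    return preg_match($pattern, $path) ? 'Admin' : 'Client';
}

/**
 * Configuration-time validation: reject an admin route that is empty, that
 * contains characters outside [A-Za-z0-9_-], or that is exactly the name of
 * an existing controller. Returns a list of problems (empty means OK).
 */
function validateAdminRoute(string $adminRoute, array $controllers): array
{
    $problems = [];
    if ($adminRoute === '') {
        $problems[] = 'route must not be empty';
    } elseif (!preg_match('/^[A-Za-z0-9_-]+$/', $adminRoute)) {
        $problems[] = 'route contains characters outside [A-Za-z0-9_-]';
    }
    foreach ($controllers as $name) {
        if (strcasecmp($adminRoute, $name) === 0) {
            $problems[] = "route collides with controller '$name'";
        }
    }
    return $problems;
}

// Constructed requests: client-area URLs plus one genuine admin URL.
$requests = ['/accounts/', '/contacts/', '/invoices/', '/x/', '/admin/accounts/'];

foreach (['a', 'in', 'x', 'admin', 'accounts'] as $route) {
    printf("Route.admin = %s\n", $route);
    foreach ($requests as $uri) {
        printf("  %-18s naive=%-6s anchored=%s\n",
            $uri, resolveNaive($route, $uri), resolveAnchored($route, $uri));
    }
    $problems = validateAdminRoute($route, CLIENT_CONTROLLERS);
    printf("  validation: %s\n", $problems ? implode('; ', $problems) : 'ok');
}
```

Run with `php resolve.php`. The naive resolver sends /accounts/ to Admin when the route is "a" and /invoices/ to Admin when it is "in", while "x" and "admin" happen to match nothing else, which is the pattern of the thread. The anchored resolver keeps all client paths on the client side for every route. The collision check is meant to accompany the anchored match: once the route must be a whole segment, a one-letter route is only a problem if it equals an existing controller name, which is what the check reports (try the constructed "accounts" route to see it fire).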