I'm looking to create an admin backend for a website and I'd like each administrator to have their own personal URL to their admin folder which they can specify upon registration, the folder name they type will then be saved in a MySQL database.
I'd then like a .htaccess file to be able to read the URL a user enters and if it's in a users 'admin folder' field in the database it'll rewrite a folder name (for this examplpe we'll call it 'admin') so the user can use their own URL from the database but redirect them to /admin.
For example..
Username - Folder name
richard - myhiddenfolder
A .htaccess file should then grab the current logged in users folder name (set by something like $_SESSION['folder_name']) and load /admin, still displaying the users folder name in the browsers address bar.
Edit
Sorry, my overall question is, how can I grab the session var 'folder_name' and parse it in the .htaccess file to rewrite a folder called 'admin'.
Technically something like that is possible using either mod_rewrite or just plain ol' symlinks (if you got the permissions to do so).
If you go with mod_rewrite, you'll find RewriteMap convinient. However, declarations of RewriteMaps cannot be made in a per-directory Context (this includes .htaccess files), so you need to change the http servers configuration, which is probably not what you want.
You could still change the .htaccess from within your php script each time a user changes his custom folder name. You would then generate rules like:
RewriteCond %{HTTP_COOKIE} (^|;|\s)custom_folder=custom/path(;|$)
RewriteRule /custom/path /admin
This requires the custom path to be set as a cookie. Sadly, there is no way to refer to the cookies value in the RewriteRule test (only in the substitition which is not what we want).
Also make sure that the custom paths do not conflict with any real paths, as that would break the site for the corresponding user.
For symlinks, every time a user changes his admin folders name, you create/remove/update the symlink for him. Of course you still had to check for admin permissions in the admin scripts, as the symlinks are global.
Independent from which method you choose, make sure you check for admin privilegues in your admin scripts.
Edit:
My reply was a little too early for the edited question, so an answer to that would be: It's not possible to directly access php session data from within an .htaccess. You could try to play around with prg: RewriteMaps though.
Related
I have an installed WordPress website.
I'm working on the site, therefore, I want to show a constructor page for the internet user. I have created a page which called first.html and I change the .htaccess file like below
#Alternate default index page
DirectoryIndex first.html
Now when I enter my domain name on the browser I can see the first.html. This is working properly.
I'd like to see my changes by entering the domain and page name on the browser like
www.mydomain/index.php
or
www.mydomain/wp-content/themes/XXXTHEME/index.php
However, my theme pages don't work.
How can I achieve to do this?
Instead of making changes in .htaccess, I'd suggest you to use this plugin : https://wordpress.org/plugins/maintenance/
Simply name your html file "index.html"
Web servers most commonly parse the index.html file firstly (unless told otherwise) and if it is not found, it proceeds to index.php
This also allows you to simply change that ".html" part to ".php" to see the website you are working on, without installing plugins that clutter your database or making unnecessary changes to your .htaccess file.
I want safe links and hide files from persons who dont know about the exact file. (like a dropbox link to a file)
I have question about security of apache2 related to this:
if i want to have access on files, if i know the filename, but dont want other people to have access via "browsing" this file, is it safe if i create a index.php in every folder without content and set apache2 to show index.php for the default index-page?
if i browse www.mytestpage.com/secretfolder/ i get without the empty index.php a list of all secretfiles12345.zip there.
if i specify index.php apache2 shows a emtpy page but i can still access mytestpage.com/secretfolder/secretfiles12345.zip .
guarantees this, that only persons who know the exact filename of secretfiles12345.zip has access to the file?
(very sorry for my bad english :) )
You need to set
Options -Indexes
in Apache2 configuration to prevent directory listings. You can do this in the global configuration file or in .htaccess.
Background: An empty index file (this need not be a php file, it could be a .html as well) only prevents access if you access the url without a trailing slash. Then Apache uses the default (index). If you have this trailing slash, it assumes that you really want to know what files are in the directory and retrieves the list - if you do not instruct it otherwise (with Options -Indexes, see above).
Since a week I cant access files in a WordPress sub-folder through a php curl function. Interestingly it works when accessing the file with a browser. When adding a 'fake' user agent header it works with the php curl function too. But I need other users to be able to retrieve the file without this hack.
I believe a WordPress update made those sub-folders more secure by restricting access to only valid user agents (Browsers). Also I believe that a specific htaccess configuration for this sub-folder will open it up again for all user agents, but I have no idea how to write such a htaccess config.
Does anyone have a clue?
Thanks
Aleks
So I'm on a 15-day trial of my (already paid) webhosting and they seem very good, at least they did until I got my FTP.
I have a php script that needs a folder outside of the root directory
Example:
website root:
/users/websites/public_html/ <- folder which users / browsers have access to
The script needs a folder here:
/users/websites/ <- above the root
for example /users/websites/sensetive_data/ <- browsers cannot acces this
but that's impossible on my web-host "because it's a shared hosting" <- their answer. And they can't change the root path.
So I cannot create any directories or files above /users/websites/public_html/
So, well, to no cancel my trial immediately, maybe I will try to do it in another way, I want to use htacces to restrict acces to a directory, and all the files in it and it's subdirectories,
So I can move the 'sensetive_data' folder to /users/websites/public_html/sensetive_data
I want it to redirect to the main page (so when accessing /users/websites/public_html/sensetive_data/* [http://example.com/sensetive_data/*] it will go to /users/websites/public_html/ [http://example.com/],
so even if the user knows the exact url, he/she will be redirected. How can I accomplish that?
If you want to do a redirect for a folder, say /users/websites/sensitive_data/
create a file in that folder called .htaccess and add the following (and specify the url to redirect to)
Options -Indexes
ErrorDocument 403 http://mysite.net/
In /users/websites/sensetive_data/.htaccess write:
Deny From All
For your whatever PHP script you need to change it yourself.
I have a system that has both a front end and an administration area.
currently i am giving the admin area a subdomain.
what i'd like to do it have it as a sub directory, e.g http://domain.com/admin
but the admin area is set up to be placed in root.
can i put something in my .htaccess to make the sub directory "/admin" think its the root?
If you have access to subdomains, you could place the admin interface under admin.domain.com, and use domain.com/admin as a redirect.
It's horrid, but so the software's requirement on placement.
I don't think so. First, neither 'DocumentRoot' nor 'Alias' can occur in .htaccess.
But anyway, if you think about it, by the time it reads your .htaccess it's interpreted the paths, so it's too late to change them.
I'm not sure if you might be able to do what you want with rewriting.