CODEWITHSUNDEEP
joomlajoomla1.5access-control
Bobby Jack
Bobby Jack

Reputation: 16018

Joomla access control and modified index.php

I'm working with a Joomla site, whose index.php file has been modified to alter the default access control behaviour. Bearing in mind this is Joomla 1.5, this line:

$mainframe->authorize($Itemid);

has been wrapped in some conditional code that looks up the remote IP and doesn't call authorize() if the IP is within a whitelisted range [*]. This is to allow seamless access to certain resources without logging in.

Although I'm new to Joomla development, I'm guessing this isn't the best way of doing that. For one, it probably means re-patching index.php in the event of a future Joomla upgrade. What's the best alternative approach to intercepting the authentication check?

[*] This is another mystery: the IP management takes place on the front-end via a component called 'IP filters'. There's a totally empty directory at components/com_ipfilter, but a more featureful-looking one at administrator/components/com_ipfilter. The component stores data in a table named kip_filters (why the 'k'?) and the authorUrl listed in the component's manifest file goes to a spammy-looking like pharma page. All quite worrying ...

Upvotes: 1

Views: 648

Answers (3)

Brent Friar
Brent Friar

Reputation: 10609

What you are looking for is a system plugin which would not require hacking any files. There are quite a few system events that you can use to trigger your plugin and do your IP test, then determine whether to continue displaying the page or redirecting the visitor to some sort of warning page.

Take a look at the documentation on system events - http://docs.joomla.org/Plugin/Events/System

--- More detail ---

Looking at the API execution order, the call to authorize() is going to happen no matter what (http://docs.joomla.org/API_Execution_Order). Since the default behavior is to call authorize() you are going to have to trick it into returning a positive response.

Your plugin should be triggered by onAfterInitialise and you should manipulate JUser. When you call authorize() the functions needs a user id which it gets from the JUser object and the getuser() function. All you need to do is create a user with the permissions you want, then have the plugin set the user ID so that authorize() returns true.

Upvotes: 2

SMacFadyen
SMacFadyen

Reputation: 3165

I'd advise changing your table prefix from jos_ to something random, like hsfdaghadfg_

You can also relocate your configuration file for extra security.

Upvotes: 0

Raeed Pioneer
Raeed Pioneer

Reputation: 1

For the security problems you can use these steps and i will give you a good ip filter component as well :

First of all this is the most important component you can have for joomla : http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection/16363 it gives you the most important ways to avoid any hacking or spamming or php bugs and also provide a very fast upgrade for your joomla site :) also it offering a IP Blacklisting manager which is a complete solution for your problem.

Hope this post will give someone a light ! Regards, Raeed Rabie

Upvotes: 0

Related Questions