Joomla access control and a modified index.php
I'm working with a Joomla site, whose index.php file has been modified to alter the default access control behaviour. Bearing in mind this is Joomla 1.5, this line:
$mainframe->authorize($Itemid);
has been wrapped in some conditional code that looks up the remote IP and doesn't call authorize() if the IP is within a whitelisted range [*]. This is to allow seamless access to certain resources without logging in.
Although I'm new to Joomla development, I'm guessing this isn't the best way of doing that. For one, it probably means re-patching index.php in the event of a future Joomla upgrade. What's the best alternative approach to intercepting the authentication check?
[*] This is another mystery: the IP management takes place on the front-end via a component called 'IP filters'. There's a totally empty directory at components/com_ipfilter, but a more featureful-looking one at administrator/components/com_ipfilter. The component stores data in a table named kip_filters (why the 'k'?) and the authorUrl listed in the component's manifest file goes to a spammy-looking pharma page. All quite worrying ...
What you are looking for is a system plugin which would not require hacking any files. There are quite a few system events that you can use to trigger your plugin and do your IP test, then determine whether to continue displaying the page or redirecting the visitor to some sort of warning page.
Take a look at the documentation on system events - http://docs.joomla.org/Plugin/Events/System
--- More detail ---
Looking at the API execution order, the call to authorize() is going to happen no matter what (http://docs.joomla.org/API_Execution_Order). Since the default behavior is to call authorize(), you are going to have to trick it into returning a positive response. Your plugin should be triggered by onAfterInitialise and you should manipulate JUser. When you call authorize(), the function needs a user id which it gets from the JUser object and the getuser() function. All you need to do is create a user with the permissions you want, then have the plugin set the user ID so that authorize() returns true.
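The answer above describes the approach but not the plugin itself. What follows is an added example of such a Joomla 1.5 system plugin, written for this page rather than taken from the thread, from the Joomla project, or from the site's com_ipfilter component. The plugin name (plgSystemIpwhitelist), its file path, and its two parameters (ranges, user_id) are assumed; the use of the 'guest' and 'aid' properties and of the session 'user' slot mirrors what the stock 1.5 user plugin does on login, and should be checked against the site's own plugins/user/joomla.php and libraries/joomla/factory.php before relying on it. It deliberately uses only REMOTE_ADDR, re-checks the address on every request, and fails closed when the configured account is missing or is anything more than a plain Registered user.

```php
<?php
// plugins/system/ipwhitelist.php (assumed path and name; added example, not the thread's code)
defined('_JEXEC') or die('Restricted access');

jimport('joomla.plugin.plugin');
jimport('joomla.user.user');

/**
 * Joomla 1.5 system plugin: a guest request whose socket address lies in a
 * configured IPv4 CIDR list browses as a designated Registered account, so
 * JSite::authorize() in the unmodified index.php passes without a login.
 *
 * Assumed params (declared in the plugin's XML manifest):
 *   ranges  - comma-separated CIDR list, e.g. "192.0.2.0/24,198.51.100.0/24"
 *   user_id - id of an ordinary Registered account (never a back-end user)
 */
class plgSystemIpwhitelist extends JPlugin
{
    function onAfterInitialise()
    {
        $app =& JFactory::getApplication();
        if ($app->isAdmin()) {
            return; // never applies to the administrator back end
        }

        $session =& JFactory::getSession();
        $user    =& JFactory::getUser();
        $proxied = (bool) $session->get('ipwhitelist.proxied', false);

        if (!$user->get('guest') && !$proxied) {
            return; // a genuinely logged-in user keeps their own identity
        }

        // REMOTE_ADDR is the socket peer. X-Forwarded-For is client-settable
        // unless a trusted reverse proxy overwrites it, so it is not consulted.
        $ip     = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
        $ranges = array_map('trim', explode(',', $this->params->get('ranges', '')));
        $match  = $this->ipInRanges($ip, $ranges);

        if ($proxied && !$match) {
            // Access was granted earlier by this plugin but the address no
            // longer qualifies (checked on every request): back to guest.
            $session->set('user', JUser::getInstance(0));
            $session->set('ipwhitelist.proxied', false);
            return;
        }
        if ($proxied || !$match) {
            return; // already granted, or not a whitelisted address
        }

        $id    = (int) $this->params->get('user_id', 0);
        $proxy =& JUser::getInstance($id);
        // Fail closed on a missing account or anything above plain Registered.
        if ($id <= 0 || (int) $proxy->get('id') !== $id
            || $proxy->get('usertype') !== 'Registered') {
            return;
        }

        // Mirrors the 1.5 user plugin's login path (assumption): mark the user
        // as logged in, set the access level authorize() compares against
        // (1 = Registered, 2 = Special), and store it in the session so that
        // JFactory::getUser() returns it for the rest of this request.
        $proxy->set('guest', 0);
        $proxy->set('aid', 1);
        $session->set('user', $proxy);
        $session->set('ipwhitelist.proxied', true);
    }

    function ipInRanges($ip, $ranges)
    {
        foreach ($ranges as $cidr) {
            if ($cidr !== '' && $this->ipInCidr($ip, $cidr)) {
                return true;
            }
        }
        return false;
    }

    function ipInCidr($ip, $cidr)
    {
        // Strict IPv4 matching; a malformed entry or address never matches.
        $parts = explode('/', $cidr, 2);
        $bits  = isset($parts[1]) ? (int) $parts[1] : 32;
        $net   = ip2long($parts[0]);
        $addr  = ip2long($ip);
        if ($net === false || $addr === false || $bits < 0 || $bits > 32) {
            return false;
        }
        // Shifting by 32 is undefined on 32-bit builds, so /0 is special-cased.
        $mask = ($bits == 0) ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
        return (($addr & $mask) == ($net & $mask));
    }
}
```

With this installed and enabled in the Plugin Manager, the stock index.php can be restored, and the whitelist lives in plugin parameters that survive a core upgrade. The session flag is what lets the plugin withdraw access again when a request from the same session arrives from an address outside the list, which the original index.php patch could not do.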
For the security problems you can use these steps, and I will give you a good IP filter component as well:
First of all, this is the most important component you can have for Joomla:
http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection/16363
It gives you the most important ways to avoid any hacking or spamming or PHP bugs and also provides a very fast upgrade for your Joomla site :) It also offers an IP blacklisting manager, which is a complete solution for your problem.
Hope this post will give someone a light!
Regards,
Raeed Rabie
I'd advise changing your table prefix from jos_ to something random, like hsfdaghadfg_. You can also relocate your configuration file for extra security.