
This is a common question, but I'm a bit stupid, so others' methods didn't work out for me. I want to deny access to the following subdirectories (note: the main site is located at http://localhost/en/ and every subdir starts with /en/, where the .htaccess file is located): reg_auth_rec_del/ajax/ (and all its files), media/parts/, media/scripts/, media/translations/. But the thing is that all these files are used on all pages (for example, media/parts/footer.php is used on all pages and can be viewed on pages like index.php and others). So I want to prevent users from viewing all these files directly.

I mean so I don't want them to be directly viewable.

Now, I'm just using this approach, but I think that it's not a good way to handle things:

<?php
session_start();   // must run before $_SESSION is written

$admins = array("192.168.0.100", "192.168.0.101", "192.168.0.102");
$ip = $_SERVER['REMOTE_ADDR'];

if (in_array($ip, $admins, true)) {
    $_SESSION['PERMISSIONS'] = "ADMIN";
} else {
    $_SESSION['PERMISSIONS'] = "USER";
}

// So if $_SESSION['PERMISSIONS'] == "USER", I can decide whether I'd like to open access to some files,
// and whether the file can be viewed by a user
Eugen Eray
  • I don't know the `if(defined...)` trick. – Eugen Eray May 05 '17 at 08:45
  • I think this other post could help: http://stackoverflow.com/a/11729748/6208463 – Jason Joslin May 05 '17 at 08:45
  • *how* are they used on pages? If a file like *media/translations/en-US.php* is simply included in a header PHP file you can just deny access (`Deny from all` in Apache 2.2, `Require all denied` in 2.4) but if *media/scripts* contains JavaScript files that are used on the front end you'll have to allow access or they won't be able to run client-side; best you can do there is disable directory indexing. – CD001 May 05 '17 at 08:46
  • @CD001 Yes, scripts are connected to files like this `` and parts are included in my other pages. And I want to deny access to the `ajax` folder (all except `helper.php`), just in case the server crashes, to prevent users from viewing all session data – Eugen Eray May 05 '17 at 08:49
  • If you put these other files in a folder outside of the webroot there is no way they can hit them in the browser, e.g. point Apache to set this as the webroot `/mysite/public` and then put the partial templates in `/mysite/templates/` – Jason Joslin May 05 '17 at 08:49
  • *"I mean so I don't want them to be directly viewable."* - you can't really prevent that though; if a JS file (for instance) can be loaded in through a ` – CD001 May 05 '17 at 08:51
  • JS has to be public in order for the browser to load it. No way you can hide them. But you can hide PHP files – Jason Joslin May 05 '17 at 08:51
  • @JasonJoslin Here we go. Updated. – Eugen Eray May 05 '17 at 08:57
  • Do you mean those files are included internally? ` Require all denied ` – Deadooshka May 05 '17 at 11:27

1 Answer

The best way is as @JasonJoslin suggested in comments, move the PHP files outside your document root. You can still include them in other PHP files.

For Javascript files, style sheets, and images, there is no way to deny access, because these files are included in the HTML responses, and the clients must be able to load them somehow.


If you want to keep files inside the document root and forbid access anyway, you can either use the old-style Order and Allow/Deny directives, or apply the new directives as described in Access control. Put an .htaccess file in the subdirectories reg_auth_rec_del/ajax, etc.:

Require all denied

This should deny access to the directories and all their subdirectories as well.

Olaf Dietsche
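The layout the answer and the comments describe, as an added example that is not part of the question or the answer: Apache serves only `$SITE/public`, the PHP partials live in `$SITE/templates` where they can be `require`d by filesystem path but have no URL, and the `ajax/` directory, which must stay under the web root because the browser has to request it, gets an .htaccess that denies everything except the one endpoint. The site root, the file names and the `APP_ENTRY` guard constant are assumptions chosen for illustration; the `if (!defined(...))` guard is the trick referred to in the comments.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Scaffolds the
# recommended layout: DocumentRoot = $SITE/public, partials in $SITE/templates,
# and a deny-by-default .htaccess for the one directory that must stay served.
# Site root, file names and the APP_ENTRY constant are assumptions.
set -eu

# .htaccess for a directory that has to remain inside the document root.
# Apache 2.4 evaluates the mod_authz_core block (Require); 2.2 has no
# mod_authz_core and falls through to the Order/Deny form. Either way this
# only blocks HTTP requests: PHP include/require reads the filesystem directly
# and is unaffected, which is exactly why the partials keep working.
deny_all_except() {            # $1 = file name that must stay reachable
    cat <<EOF
<IfModule mod_authz_core.c>
    Require all denied
    <Files "$1">
        Require all granted
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    <Files "$1">
        Order allow,deny
        Allow from all
    </Files>
</IfModule>
EOF
}

# Create the layout. Only public/ is meant to be pointed at by DocumentRoot.
scaffold() {                   # $1 = site root, e.g. /mysite
    site="$1"
    mkdir -p "$site/public/ajax" "$site/templates/parts"

    # Entry point: defines the guard constant, then includes the partial from
    # outside the document root by filesystem path (never by URL).
    cat >"$site/public/index.php" <<'EOF'
<?php
define('APP_ENTRY', true);
session_start();
require dirname(__DIR__) . '/templates/parts/footer.php';
EOF

    # Partial: the "if (defined(...))" trick. Redundant while the file sits
    # outside the web root, but it keeps the partial safe if it is ever copied
    # back under public/ or the DocumentRoot is misconfigured.
    cat >"$site/templates/parts/footer.php" <<'EOF'
<?php
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}
echo '<footer>...</footer>';
EOF

    # The AJAX endpoint stays under public/ because the browser must request
    # it; everything else in that directory is denied by the web server.
    cat >"$site/public/ajax/helper.php" <<'EOF'
<?php
session_start();
header('Content-Type: application/json');
echo json_encode(['ok' => true]);
EOF
    deny_all_except helper.php >"$site/public/ajax/.htaccess"
}

# Invariants worth checking after deployment: no partial reachable through
# public/, and the served directory carries the deny rule plus its exception.
verify() {                     # $1 = site root
    [ ! -e "$1/public/templates" ] &&
    [ -f "$1/templates/parts/footer.php" ] &&
    grep -q 'Require all denied' "$1/public/ajax/.htaccess" &&
    grep -q 'Files "helper.php"' "$1/public/ajax/.htaccess"
}

# Usage: sh layout.sh /mysite   (then set DocumentRoot /mysite/public)
if [ "$#" -gt 0 ]; then
    scaffold "$1"
    verify "$1"
fi
```

Two caveats when the .htaccess route is used instead of moving files: `Require` is only honoured in .htaccess when the enclosing `<Directory>` has `AllowOverride AuthConfig` (or `All`), and `Order`/`Deny` need `AllowOverride Limit`; if the override is not permitted, Apache answers every request under that directory with a 500 rather than silently serving the files, so the failure is at least visible. And none of this helps for the JavaScript under `media/scripts/`, which the browser must be able to fetch; as the comments say, the most you can do there is keep directory indexing off.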