Routing with Multiple Subdomains

By Jonathan Bradley (pmansion)
Ever want to have multiple admin routes and use subdomains?
After wanting to integrate 3 different parts of an application I wrote into one app, I looked and found some great pieces of information in the bakery on having more than one admin route and on using admin routes on subdomains. So, after playing around with those, I wanted an easier way to define everything.

Resources Used on the Bakery
Using CAKE_ADMIN for multiple user types - By Egbert Teeselink
Hosting Admin URLs on a Subdomain - By Nate

This is what we added to our bootstrap.php

Component Class:

<?php
// bootstrap.php: pick the admin prefix from the first label of the host name
$url = explode('.', env('HTTP_HOST'));

switch ($url[0]) {
    case "admin":
        Configure::write('Routing.admin', 'admin');
        // prepend the prefix so that /users/index is dispatched as admin/users/index
        $_GET["url"] = "admin/" . str_replace('admin/', '', $_GET['url']);
        break;
    case "support":
        Configure::write('Routing.admin', 'support');
        $_GET["url"] = "support/" . str_replace('support/', '', $_GET['url']);
        break;
    default:
        // any other host name: normal routing, no admin prefix
        break;
}
?>


Feedback is appreciated, and I hope this helps other people.

 

Comments
 

Comment

1 Security

If your authorization solution just checks empty($this->params[Configure::read('admin')]) to know whether you are in the admin section or not, then you have a potential security hole in your app, because (for example) support_index() will not be a 'prefixed and protected' action when the hostname admin.example.com is called - try calling admin.example.com/somecontroller/support_index and support.example.com/somecontroller/admin_index
Posted Aug 31, 2008 by Who Cares
 

Comment

2 Rewriting the url

Hmm you are saying:

$_GET["url"] = "admin/" . str_replace('admin/','',$_GET['url']); But what if, for example, you would like to do this:
admin.example.com/users/edit/admin/1
Where the 3rd parameter is the username to be edited (because you want the url to be more readable by humans (who is user with id "1"?), and the last is the id of the user to be edited.
With your code, the url will be users/edit/1 after your code completed, in which case the 4th parameter you expect to be the id, is empty.

It is not a security hole, not directly at least, but I think you should not simply replace any 'admin/' in your url (or 'support/'...), you just have to look if the first part of the url matches any of your admin types.
A possible solution could be this:


<?php
$url = explode('.', env('HTTP_HOST'));
$adminTypes = array('admin', 'support');

foreach ($adminTypes as $type) {
    if ($url[0] == $type) {
        Configure::write('Routing.admin', $type);
        // only strip the prefix when it is the first segment of the url
        $pts = explode('/', $_GET['url']);
        if ($pts[0] == $type) {
            unset($pts[0]);
        }
        $_GET['url'] = $type . '/' . implode('/', $pts);
    }
}
?>

Btw. the code is not tested but I think it should do the trick.

Anyway, "Who Cares" makes an excellent point about how insecure this approach is with the current version of CakePHP, and (if I'm not mistaken) it is not about to change in the next releases.
Posted Dec 20, 2008 by Sacha
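Taking the two comments together, the following is an added example that is not the article's code nor the code posted by Sacha or "Who Cares". It keeps the subdomain-to-prefix idea but (a) strips only a leading "<prefix>/" segment, so Sacha's users/edit/admin/1 case keeps its argument, and (b) adds a guard that refuses any action carrying a prefix other than the one the host selected, which covers the hole "Who Cares" describes (a prefixed action reached through a host that did not set that prefix). The function names subdomainRouting, actionAllowedForPrefix and selfCheck are hypothetical; the wiring in the comments assumes CakePHP 1.2 (Configure::write, env('HTTP_HOST'), $this->action and $this->cakeError('error404') in AppController::beforeFilter).

```php
<?php
// Added example, not from the bakery article or its comments.
// Wiring (assumed, CakePHP 1.2 style):
//   bootstrap.php:
//     $adminTypes = array('admin', 'support');
//     $r = subdomainRouting($adminTypes, env('HTTP_HOST'), $_GET['url']);
//     if ($r['prefix'] !== null) { Configure::write('Routing.admin', $r['prefix']); }
//     $_GET['url'] = $r['url'];
//   AppController::beforeFilter():
//     if (!actionAllowedForPrefix($this->action, Configure::read('Routing.admin'), $adminTypes)) {
//         $this->cakeError('error404');
//     }

/**
 * Decide the routing prefix from the host name and normalise the URL.
 * Returns array('prefix' => string|null, 'url' => string).
 * Only the first host label is consulted, and only against the fixed list of
 * admin types (the Host header is client-controlled). Only a leading
 * "<prefix>/" segment is removed, so "users/edit/admin/1" keeps its "admin".
 */
function subdomainRouting(array $adminTypes, $host, $url)
{
    $label = strtolower(strtok($host, '.'));      // "admin" from "admin.example.com"
    $url = trim($url, '/');
    if (!in_array($label, $adminTypes, true)) {
        return array('prefix' => null, 'url' => $url);   // plain site: nothing to rewrite
    }
    $segments = ($url === '') ? array() : explode('/', $url);
    if (isset($segments[0]) && $segments[0] === $label) {
        array_shift($segments);                    // drop a duplicated leading prefix only
    }
    array_unshift($segments, $label);
    return array('prefix' => $label, 'url' => implode('/', $segments));
}

/**
 * Guard for the controller: an action whose name starts with some admin
 * type's prefix (support_index, admin_index) is only allowed when that same
 * prefix is the active one. $activePrefix is null when no prefix was set.
 */
function actionAllowedForPrefix($action, $activePrefix, array $adminTypes)
{
    foreach ($adminTypes as $type) {
        if (strpos($action, $type . '_') === 0 && $type !== $activePrefix) {
            return false;   // e.g. support_index on the admin host, admin_index on www
        }
    }
    return true;
}

// Constructed sample requests; returns true when every expectation holds.
function selfCheck()
{
    $types = array('admin', 'support');
    $cases = array(
        // host, url, expected prefix, expected rewritten url
        array('admin.example.com',   'users/edit/admin/1', 'admin',   'admin/users/edit/admin/1'),
        array('admin.example.com',   'admin/users/index',  'admin',   'admin/users/index'),
        array('support.example.com', 'tickets',            'support', 'support/tickets'),
        array('www.example.com',     'pages/home',         null,      'pages/home'),
    );
    foreach ($cases as $c) {
        $r = subdomainRouting($types, $c[0], $c[1]);
        if ($r['prefix'] !== $c[2] || $r['url'] !== $c[3]) {
            return false;
        }
    }
    return actionAllowedForPrefix('admin_index', 'admin', $types)
        && !actionAllowedForPrefix('support_index', 'admin', $types)
        && !actionAllowedForPrefix('admin_index', null, $types)
        && actionAllowedForPrefix('view', null, $types);
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    echo selfCheck() ? "ok\n" : "FAILED\n";
}
?>
```

Running the file from the command line exercises the constructed cases; in the application only the two functions and the wiring shown in the header comment are needed. The guard deliberately lives in the controller rather than in bootstrap.php: the bootstrap only sees the URL, whereas the controller sees the action name that was actually dispatched, which is what "Who Cares" points at.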