Security in Brimbox is simple. It is based on two principles.
First, modules or files that are included (or required) should be protected from direct access by a constant. The constant BASE_CHECK is used to deny direct access to files that are included and is set by the controller:
if (!defined('BASE_CHECK')) exit();
The second is checking that a $_SESSION variable is set and has the proper user permission. This check is already made where the $main object is available; however, in custom post files you may have to check manually:
if (isset($_SESSION['username']) && in_array($_SESSION['userrole'], array("4_bb_brimbox", "5_bb_brimbox"))):
    // code that only these user roles may run goes here
endif;
post.php controller files will just check that a $_SESSION is set.
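The two principles above, worked through as an added example (this is not Brimbox's own code; the constant name BASE_CHECK and the $_SESSION keys 'username' and 'userrole' come from this page, while the file names and the helper functions bb_has_role() and bb_require_role() are assumptions for illustration). It shows the two files involved: the controller that defines the constant, and an included module that refuses to run without it and then enforces the role check.

```php
<?php
// ---- index.php (the controller) ----
// Added example, not Brimbox code. BASE_CHECK and the $_SESSION keys are from
// the page; bb_has_role()/bb_require_role() are hypothetical helper names.
session_start();

// Defining the constant marks this request as having come in through the
// controller. Every included module tests for it before doing anything else.
define('BASE_CHECK', true);

// Role check for places where $main is not available (e.g. custom post files).
// True only for a logged-in user whose role is one of the allowed ones.
// Strict comparison avoids PHP type juggling when matching role strings.
function bb_has_role(array $allowed_roles): bool
{
    return isset($_SESSION['username'], $_SESSION['userrole'])
        && in_array($_SESSION['userrole'], $allowed_roles, true);
}

// Fail closed: answer 403 and stop rather than continuing with less privilege.
function bb_require_role(array $allowed_roles): void
{
    if (!bb_has_role($allowed_roles)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// The module is pulled in only after the constant exists.
require __DIR__ . '/include.php';

// ---- include.php (an included module) ----
// First statement of every included file: if the constant is missing the file
// was requested directly (e.g. GET /include.php) instead of via the controller.
if (!defined('BASE_CHECK')) exit();

// Only the two administrator-level roles named on the page may run this module.
bb_require_role(array('4_bb_brimbox', '5_bb_brimbox'));

echo 'Hello, ' . htmlspecialchars($_SESSION['username']) . "\n";
```

Requesting include.php directly yields an empty response because exit() runs before any of the module's code; requesting index.php without a suitable session yields a 403 from bb_require_role(). The role list is passed in rather than hard-coded so that the same helper serves modules with different permission levels.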
If you wish to further lock down Brimbox you can use .htaccess files in the directories, with directives such as:
Deny from all
Allow from 127.0.0.1
Allow from all
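An added example (not from the Brimbox documentation) of how those three directives might be placed per directory, together with the Apache 2.4 equivalents a practitioner will need, since "Deny from"/"Allow from" are Apache 2.2 mod_authz_host syntax and on 2.4 they only work when mod_access_compat is loaded. The directory names are assumptions.

```apache
# Added example, not Brimbox's own files. Directory names are assumptions.

# include/.htaccess -- nothing here should be fetched directly by a browser.
# Apache 2.2 form (Order makes "Deny from all" the final answer):
Order Deny,Allow
Deny from all
# Apache 2.4 (mod_authz_core) equivalent:
# Require all denied

# admin/.htaccess -- reachable only from the local host.
# Apache 2.2 form: deny everyone, then re-allow the loopback address.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
# Apache 2.4 equivalent:
# Require ip 127.0.0.1

# public web root/.htaccess -- explicitly open to everyone.
Order Allow,Deny
Allow from all
# Apache 2.4 equivalent:
# Require all granted
```

These files take effect only if the enclosing <Directory> block in the server configuration sets AllowOverride to permit them (Limit for the 2.2 directives, AuthConfig or All for Require); with AllowOverride None the .htaccess is silently ignored, which is worth checking once with a direct request to a file in the denied directory.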
Finally, Brimbox files are stored in public directories. Having index.php include a file from a location outside the public web directory, such as "../../include.php", is no more secure than having index.php include a file in the public web directory, such as "include.php", that is protected by a constant. If a hacker can set a constant he can set an include (or require). Brimbox approaches security head on and assumes that hiding things is confusing, not secure.