Brimbox Version 2.3.4 Released

Security

Security in Brimbox is simple. It is based on two principles.

First, modules or files that are included (or required) should be protected from direct access by a constant. The constant BASE_CHECK is used to deny direct access to files that are included and is set by the controller:

if (!defined('BASE_CHECK')) exit();

The second is checking that a $_SESSION variable is set and has the proper user permission:

If the $main object is available:

$main->check_permission(array("4_bb_brimbox", "5_bb_brimbox"));

However, in custom post files you may have to check manually:

if (isset($_SESSION['username']) && in_array($_SESSION['userrole'], array("4_bb_brimbox", "5_bb_brimbox"))):
    // code that only the listed roles may run goes here
endif;

The index.php and post.php controller files will just check that a $_SESSION is set.
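The two principles wired together in a controller, a module and a custom post file, as an added example that is not Brimbox's own code; the file names, the Main stub and the 403 responses are assumptions, while BASE_CHECK, check_permission() and the role names come from the page.

```php
<?php
// Added example, not Brimbox's own code: the two principles wired together.
// Assumed for illustration: the file names, the Main stub and the 403 responses;
// BASE_CHECK, check_permission() and the role names are from the page.

// ---- index.php (controller) ----
define('BASE_CHECK', true);            // every include made from here carries the constant
session_start();
if (!isset($_SESSION['username'])) {   // the controller only checks that a session exists
    header('Location: login.php');
    exit();
}

class Main                              // stand-in for the $main object
{
    public function check_permission(array $roles): void
    {
        // Strict in_array(): under PHP 7's loose comparison the integer 4 == "4_bb_brimbox"
        // is true, so a non-string userrole must not be able to match an admin role.
        if (!isset($_SESSION['username'], $_SESSION['userrole'])
            || !in_array($_SESSION['userrole'], $roles, true)) {
            http_response_code(403);
            exit('Permission denied');
        }
    }
}
$main = new Main();
require __DIR__ . '/include.php';

// ---- include.php (module in the public web root) ----
// First principle: requested directly there is no BASE_CHECK, so the file ends
// here with an empty response and nothing below runs.
if (!defined('BASE_CHECK')) exit();

// Second principle: only the two admin roles reach the rest of the module.
$main->check_permission(array("4_bb_brimbox", "5_bb_brimbox"));
echo 'admin-only content';

// ---- custom_post.php (no $main here, so the same check done by hand) ----
if (!defined('BASE_CHECK')) exit();
if (isset($_SESSION['username'], $_SESSION['userrole'])
    && in_array($_SESSION['userrole'], array("4_bb_brimbox", "5_bb_brimbox"), true)):
    echo 'post handled';
else:
    http_response_code(403);
    exit('Permission denied');
endif;
```

Each section is meant to live in its own file; the else branch in the custom post file makes the denied case explicit instead of silently rendering nothing.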

If you wish to further lock down Brimbox you can use .htaccess files in the directories:

Order deny,allow
Deny from all
Allow from 127.0.0.1
<Files "javascript.js">
Allow from all
</Files>

Finally, Brimbox files are stored in public directories.

Having index.php include a file from below the public web directory, such as "../../include.php", is no more secure than having index.php include a file in the public web directory, such as "include.php", that is protected by the constant.

If a hacker can set a constant, he can set an include (or require).

Brimbox approaches security head on and assumes that hiding things is confusing, not secure.

Updated: 2017-09-10
