Restrict access to configured routes on a Magento installation.
Tested with Magento 1.9.x+ but most likely will work with earlier versions.
The module will prevent access to any route specified in the configuration.
Pull requests welcome.
The route name is the fully lowercased version of the value returned by `getFullActionName()` in the controller, i.e. `<route>_<controller>_<action>` (for example `cms_index_index` for the CMS home page). If you want to block a controller action and are not sure of the exact value, you can temporarily put `die(strtolower($this->getFullActionName()));` at the top of that action, request it once, and copy the printed value into the configuration.
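The following is an added example of how a `controller_action_predispatch` observer can enforce such a list in Magento 1. It is illustrative code, not this module's implementation; the class name `Example_RouteBlock_Model_Observer`, the config path `example_routeblock/general/blocked_routes` and the newline-separated field format are assumptions made for the example.

```php
<?php
/**
 * Illustrative Magento 1 observer (added example, not this module's code).
 *
 * Assumed names: the class Example_RouteBlock_Model_Observer and the config
 * path example_routeblock/general/blocked_routes, a text field holding one
 * full action name per line. The observer would be registered in the
 * module's config.xml under
 *   <global><events><controller_action_predispatch><observers>
 * with <class>Example_RouteBlock_Model_Observer</class> and
 * <method>blockRoute</method>.
 */
class Example_RouteBlock_Model_Observer
{
    const CONFIG_PATH = 'example_routeblock/general/blocked_routes';

    /**
     * Normalise the configured list the same way the request side is
     * normalised: split on newlines or commas, trim, lowercase, drop blank
     * lines and lines starting with '#'.
     *
     * @param string $raw  raw contents of the configuration field
     * @return string[]    blocked full action names, e.g. "cms_index_index"
     */
    public static function parseBlockedRoutes($raw)
    {
        $routes = array();
        foreach (preg_split('/[\r\n,]+/', (string) $raw) as $line) {
            $line = strtolower(trim($line));
            if ($line === '' || $line[0] === '#') {
                continue;
            }
            $routes[$line] = true;
        }
        return array_keys($routes);
    }

    /**
     * Pure decision function, kept separate from the observer so it can be
     * unit tested without bootstrapping Magento.
     *
     * @param string   $fullActionName value of getFullActionName()
     * @param string[] $blocked        output of parseBlockedRoutes()
     * @return bool
     */
    public static function isBlocked($fullActionName, array $blocked)
    {
        // Lowercase both sides: the configured value is documented as the
        // lowercased full action name.
        return in_array(strtolower($fullActionName), $blocked, true);
    }

    /**
     * controller_action_predispatch observer. This event fires before the
     * action method, so raising FLAG_NO_DISPATCH here makes the front
     * controller skip the action method and postDispatch() entirely.
     */
    public function blockRoute(Varien_Event_Observer $observer)
    {
        /** @var Mage_Core_Controller_Varien_Action $action */
        $action  = $observer->getEvent()->getControllerAction();
        $blocked = self::parseBlockedRoutes(Mage::getStoreConfig(self::CONFIG_PATH));

        if (!self::isBlocked($action->getFullActionName(), $blocked)) {
            return;
        }

        // Stop the action body from running at all.
        $action->setFlag('', Mage_Core_Controller_Varien_Action::FLAG_NO_DISPATCH, true);

        // Answer like a missing page so the blocked route is not advertised
        // as existing-but-forbidden.
        $action->getResponse()
            ->setHttpResponseCode(404)
            ->setBody('');
    }
}
```

With `cms_index_index` in the field, a request for the home page gets an empty 404; `adminhtml_cache_index` would do the same for the admin cache page once the admin session has been established, because the predispatch event fires for admin routes too. Only requests routed through Magento's front controller reach this observer, so a PHP file an extension ships for direct access is not covered by it.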
As a development agency we inherit a lot of code, sometimes from other agencies, other times from 3rd party extensions bought by the merchant. Often such extensions offer nice features but aren't always written with security or best practices in mind. Sadly, it's not uncommon to find code which allows an unauthenticated user to:
- Trigger cache clearance
- Trigger re-indexing
- Expose customer information
- Insert data into the database
- Upload files to the server
- View log information
- Run arbitrary code
Obviously we don't want such code sitting around on sites we maintain. In an ideal world we would simply remove the extension, but it's not always financially viable for the merchant to have us re-implement the existing functionality in a more secure manner. Patching or rewriting the extension can also be time consuming and makes it harder to upgrade should the original vendor release a new version.
The solution then? Prevent the insecure code being accessed.
This is not strictly a security extension. Its one and only purpose is to let you block access to controller actions, that is, requests that are dispatched through Magento's front controller; it cannot protect standalone PHP scripts an extension ships that are requested directly, bypassing `index.php`. That being said, there may be non-security related reasons for which you want actions to be inaccessible:
- Frontend features you don't want the customer to use, but can't fully disable.
- Backend features with insufficiently implemented ACL you don't wish people to trigger.