Referer attribute
1. Presentation
This attribute is used to protect access to a controller or action based on the value of the HTTP REFERER header.
2. Parameters
The attribute offers several parameters:
- $domain: (bool|string|array) Indicates the referer's domain (if true, the domain must be identical to the current domain), or a list of domains (the referer must be equal to one of them).
- $domainSuffix: (string|array) Suffix of the referer's domain, or list of suffixes.
- $domainRegex: (string) Regular expression to be validated by the referer's domain.
- $domainVar: (string) Name of the template variable containing the domain to which the referer's domain must correspond.
- $domainConfig: (bool) Set to true to use the refererDomain key from the x-security extended configuration (in the etc/temma.php file).
- $https: (bool|string) The effect of this parameter depends on its value:
  - null: (default value) The referer can be in HTTP or HTTPS.
  - true: The referer must be HTTPS.
  - false: The referer must be HTTP.
  - 'same': The referer must use the same protocol (HTTP/HTTPS) as the current site.
- $path: (string|array) Path or path list of the referer.
- $pathPrefix: (string|array) Path prefix of the referer, or list of prefixes.
- $pathSuffix: (string|array) Path suffix of the referer, or list of suffixes.
- $pathRegex: (string) Regular expression that the referer's path must validate.
- $pathVar: (string) Name of the template variable containing the referer's path.
- $pathConfig: (bool) Set to true to use the refererPath key from the x-security extended configuration (in the etc/temma.php file).
- $url: (string|array) URL or list of URLs of the referer.
- $urlRegex: (string) Regular expression to be validated by the referer's URL.
- $urlVar: (string) Name of the template variable containing the referer's URL.
- $urlConfig: (bool) Set to true to use the refererUrl key from the x-security extended configuration (in the etc/temma.php file).
- $redirect: (string) URL to redirect users to if they don't have the right to access the controller or action (instead of displaying an error page).
- $redirectVar: (string) Name of the template variable containing the URL to redirect the user to.
- $redirectConfig: (bool) Set to true to use the refererRedirect key in the x-security extended configuration (in the etc/temma.php file).
3. Redirection priority
If access is denied, the user can be redirected. To determine the redirection URL, the attribute applies the following order of priority:
- If the $redirect parameter is set, it is used.
- If the $redirectVar parameter is defined, and it contains the name of an existing, non-empty template variable, its content is used.
- If the etc/temma.php file contains an x-security extended configuration, and this contains a refererRedirect key, its content is used.
- If the etc/temma.php file contains an x-security extended configuration, and this contains a redirect key, its content is used.
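The matching rules and the redirection priority described above, reimplemented in a stand-alone PHP script as an added example (this is not Temma's code; refererAllowed(), redirectTarget(), the $rule and $xSecurity arrays and the evil-fubar.com sample are assumptions). The Referer header is supplied by the client, so such rules limit where a request may legitimately come from but are not a substitute for authentication.

```php
<?php
// Added example, not Temma's own code: a minimal reimplementation of the documented
// referer rules (domain, domainSuffix, https) and of the redirect priority order.
// refererAllowed(), redirectTarget() and the $rule / $xSecurity arrays are assumptions.

function refererAllowed(?string $referer, array $rule, string $currentHost, bool $currentHttps): bool {
    if ($referer === null || $referer === '')
        return false;                                  // no referer: always refused
    $p = parse_url($referer);
    if ($p === false || empty($p['host']) || empty($p['scheme']))
        return false;                                  // unparsable referer: refused
    $host = strtolower($p['host']);
    $scheme = strtolower($p['scheme']);
    // $https: null = HTTP or HTTPS, true = HTTPS only, false = HTTP only, 'same' = as current site
    $https = $rule['https'] ?? null;
    if ($https === true && $scheme !== 'https') return false;
    if ($https === false && $scheme !== 'http') return false;
    if ($https === 'same' && $scheme !== ($currentHttps ? 'https' : 'http')) return false;
    // $domain: true = same domain as the current site, string|array = allowed domains
    if (!empty($rule['domain'])) {
        $allowed = ($rule['domain'] === true) ? [$currentHost] : (array)$rule['domain'];
        if (!in_array($host, array_map('strtolower', $allowed), true)) return false;
    }
    // $domainSuffix: keep the leading dot ('.fubar.com') so that 'evil-fubar.com' is refused
    if (!empty($rule['domainSuffix'])) {
        $ok = false;
        foreach ((array)$rule['domainSuffix'] as $suffix)
            $ok = $ok || str_ends_with($host, strtolower($suffix));
        if (!$ok) return false;
    }
    return true;
}

// Redirect URL chosen in the documented priority order; null means "show the error page".
function redirectTarget(array $rule, array $templateVars, array $xSecurity): ?string {
    if (!empty($rule['redirect']))
        return $rule['redirect'];
    if (!empty($rule['redirectVar']) && !empty($templateVars[$rule['redirectVar']]))
        return $templateVars[$rule['redirectVar']];
    return $xSecurity['refererRedirect'] ?? $xSecurity['redirect'] ?? null;
}

// Constructed sample requests, equivalent to #[TµReferer(domainSuffix: '.fubar.com', https: 'same')] on https://www.fubar.com
$rule = ['domainSuffix' => '.fubar.com', 'https' => 'same'];
var_dump(refererAllowed('https://www.fubar.com/some/page', $rule, 'www.fubar.com', true));
var_dump(refererAllowed('https://evil-fubar.com/some/page', $rule, 'www.fubar.com', true));
var_dump(refererAllowed('http://www.fubar.com/some/page', $rule, 'www.fubar.com', true));
// empty template variable: falls through to 'refererRedirect', then 'redirect'
var_dump(redirectTarget(['redirectVar' => 'redirRef'], ['redirRef' => ''], ['refererRedirect' => '/failure', 'redirect' => '/login']));
```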
4. Configuration
To ensure that all Referer attributes redirect to the same URL, simply set the refererRedirect key in the x-security extended configuration of the etc/temma.php file:
<?php
return [
    'x-security' => [
        'refererRedirect' => '/failure'
    ]
];
To ensure that the redirect URL is the same for the Auth, Method, Referer and Redirect attributes, simply define the redirect key in the x-security extended configuration in the etc/temma.php file:
<?php
return [
    'x-security' => [
        'redirect' => '/login'
    ]
];
5. Examples
use \Temma\Attributes\Referer as TµReferer;

class Admin extends \Temma\Web\Controller {
    // access forbidden for requests without referer
    #[TµReferer]
    public function action1() { }

    // authorized for requests from the same domain only
    #[TµReferer(true)]
    public function action2() { }

    // allowed for 'fubar.com' domain
    #[TµReferer('fubar.com')]
    public function action3() { }

    // same as previous
    #[TµReferer(domain: 'fubar.com')]
    public function action3bis() { }

    // allowed for 'fubar.com' and 'www.fubar.com' domains
    #[TµReferer(['fubar.com', 'www.fubar.com'])]
    public function action4() { }

    // same as previous (the parameter is named 'domain', also for a list)
    #[TµReferer(domain: ['fubar.com', 'www.fubar.com'])]
    public function action4bis() { }

    // allowed for domains ending in '.fubar.com'
    #[TµReferer(domainSuffix: '.fubar.com')]
    public function action5() { }

    // allowed for domains ending in '.fubar.com' or '.foobar.com'
    #[TµReferer(domainSuffix: ['.fubar.com', '.foobar.com'])]
    public function action6() { }

    // allowed for domains that validate the provided regular expression
    // (dots are escaped so that they only match a literal dot)
    #[TµReferer(domainRegex: '/^test\d?\.fubar\.(com|net)$/')]
    public function action7() { }

    // authorized for the domain whose name is stored in
    // the 'okDomain' template variable
    #[TµReferer(domainVar: 'okDomain')]
    public function action8() { }

    // authorized for the domain defined in the 'refererDomain' key of
    // the 'x-security' extended configuration (in the 'etc/temma.php' file)
    #[TµReferer(domainConfig: true)]
    public function action9() { }

    // authorized for an HTTP referer
    #[TµReferer(https: false)]
    public function action10() { }

    // authorized for an HTTPS referer
    #[TµReferer(https: true)]
    public function action11() { }

    // authorized for a referer whose protocol (HTTP/HTTPS)
    // is the same as that of the current site
    #[TµReferer(https: 'same')]
    public function action12() { }

    // authorized for a referer with path '/fu/bar.html'
    #[TµReferer(path: '/fu/bar.html')]
    public function action13() { }

    // allowed for a referer with path '/fu.html' or '/bar.html'
    #[TµReferer(path: ['/fu.html', '/bar.html'])]
    public function action14() { }

    // allowed for a referer whose path starts with '/fu/'
    #[TµReferer(pathPrefix: '/fu/')]
    public function action15() { }

    // authorized for a referer whose path starts with '/fu/' or '/bar/'
    #[TµReferer(pathPrefix: ['/fu/', '/bar/'])]
    public function action16() { }

    // allowed for a referer whose path ends with '/api.xml'
    #[TµReferer(pathSuffix: '/api.xml')]
    public function action17() { }

    // authorized for a referer whose path ends with '/api.xml' or '/api.json'
    #[TµReferer(pathSuffix: ['/api.xml', '/api.json'])]
    public function action18() { }

    // authorized for a referer whose path validates the provided regular expression
    #[TµReferer(pathRegex: '/^\/.*testApi.*\.xml$/')]
    public function action19() { }

    // authorized for a referer whose path corresponds to that stored
    // in the 'okPath' template variable
    #[TµReferer(pathVar: 'okPath')]
    public function action20() { }

    // authorized for a referer whose path corresponds to that stored
    // in the 'refererPath' key of the 'x-security' extended configuration
    // (in the 'etc/temma.php' file)
    #[TµReferer(pathConfig: true)]
    public function action21() { }

    // authorized for a referer whose URL is 'https://www.fubar.com/some/page.html'
    #[TµReferer(url: 'https://www.fubar.com/some/page.html')]
    public function action22() { }

    // allowed for a referer whose URL is 'https://fu.com/bar'
    // or 'https://bar.com/fu'
    #[TµReferer(url: ['https://fu.com/bar', 'https://bar.com/fu'])]
    public function action23() { }

    // authorized for a referer whose URL validates the provided regular expression
    #[TµReferer(urlRegex: '/^.*$/')]
    public function action24() { }

    // authorized for a referer whose URL matches that stored in
    // the 'okURL' template variable
    #[TµReferer(urlVar: 'okURL')]
    public function action25() { }

    // authorized for a referer whose URL matches that stored in the
    // 'refererUrl' key of the 'x-security' extended configuration
    // (in the 'etc/temma.php' file)
    #[TµReferer(urlConfig: true)]
    public function action26() { }

    // redirect to the defined URL if there is no referer
    #[TµReferer(redirect: '/login')]
    public function action27() { }

    // redirect to the URL defined in the 'redirRef' template variable
    #[TµReferer(redirectVar: 'redirRef')]
    public function action28() { }

    // redirect to the URL stored in the 'refererRedirect' key of
    // the 'x-security' extended configuration (in the 'etc/temma.php' file)
    #[TµReferer(redirectConfig: true)]
    public function action29() { }
}