Home/ Questions/Q 6739641
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T11:30:46+00:00

I’m working with a Joomla site, whose index.php file has been modified to alter

  • 0

I’m working with a Joomla site, whose index.php file has been modified to alter the default access control behaviour. Bearing in mind this is Joomla 1.5, this line:

$mainframe->authorize($Itemid);

has been wrapped in some conditional code that looks up the remote IP and doesn’t call authorize() if the IP is within a whitelisted range [*]. This is to allow seamless access to certain resources without logging in.

Although I’m new to Joomla development, I’m guessing this isn’t the best way of doing that. For one, it probably means re-patching index.php in the event of a future Joomla upgrade. What’s the best alternative approach to intercepting the authentication check?

[*] This is another mystery: the IP management takes place on the front-end via a component called ‘IP filters’. There’s a totally empty directory at components/com_ipfilter, but a more featureful-looking one at administrator/components/com_ipfilter. The component stores data in a table named kip_filters (why the ‘k’?) and the authorUrl listed in the component’s manifest file goes to a spammy-looking like pharma page. All quite worrying …

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    What you are looking for is a system plugin which would not require hacking any files. There are quite a few system events that you can use to trigger your plugin and do your IP test, then determine whether to continue displaying the page or redirecting the visitor to some sort of warning page.

    Take a look at the documentation on system events – http://docs.joomla.org/Plugin/Events/System

    — More detail —

    Looking at the API execution order, the call to authorize() is going to happen no matter what (http://docs.joomla.org/API_Execution_Order). Since the default behavior is to call authorize() you are going to have to trick it into returning a positive response.

    Your plugin should be triggered by onAfterInitialise and you should manipulate JUser. When you call authorize() the functions needs a user id which it gets from the JUser object and the getuser() function. All you need to do is create a user with the permissions you want, then have the plugin set the user ID so that authorize() returns true.

    • 0