Hello, all,
I'm trying to set up our projects so that the components folder will not be inside webroot, primarily due to bots attempting to spider our site and generating error emails every time they get to our components folder.
One thing that I've noticed (and it makes sense) is that application variables are not available to the components when the components are not in webroot. For example, I have a CFTRY/CFCATCH set up in a function that will email the error information to us. The "to" attribute is set to "application.errorEmail" which is set to my email address in application.cfc, but the components outside webroot can't get application.errorEmail.
Will I have to manually set application variables in the components in order to keep them out of webroot? Or is there a simpler way to get the application variables to the components?
V/r,
^ _ ^
In my opinion, it is generally poor design to set an application variable in a component. That is because it increases coupling.
You could improve the design by passing any application variables to the component. Something like this,
<cfcomponent>
    <cfset variables.appVar = "">
    <!--- Call init when creating object instances, ensuring each will have a copy of appVar --->
    <cffunction name="init" returntype="any">
        <cfargument name="appVar">
        <cfset variables.appVar = arguments.appVar>
        <cfreturn this>
    </cffunction>
</cfcomponent>
Hi, BKBK,
There are too many application variables for me to pass all of them to each component. And this is being accessed via AJaX for a form submit. Some of the application variables are email addresses, some are DSN names. I'm not sure I feel 'secure' sending that information via AJaX.
I guess what I was hoping for would be for a way to either CFINCLUDE the root application.cfc, or somehow extend the root application.cfc into the out-of-webroot components folder. Are you aware of any way to do either?
V/r,
^ _ ^
WolfShade wrote
There are too many application variables for me to pass all of them to each component.
Then you could pass just one variable, the application scope. That is, the structure.
And this is being accessed via AJaX for a form submit. Some of the application variables are email addresses, some are DSN names. I'm not sure I feel 'secure' sending that information via AJaX.
AJAX? I was only thinking of an init() to instantiate the component object. I am assuming that your application accesses the component via a mapping that you have created to point to the CFC folder.
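An added example, not part of the original posts: one way to wire up the suggestion above of passing the application scope through init(). The folder layout, application name, email address and DSN are constructed assumptions; ERC and dtsSurvey are names used elsewhere in this thread, and the component is assumed to be called server-side through application.erc.

```cfml
<!--- Application.cfc (inside webroot). Names and values below are constructed for illustration. --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">
    <!--- Assumption: the components folder sits one level above the webroot --->
    <cfset this.mappings["/components"] = getDirectoryFromPath(getCurrentTemplatePath()) & "../components">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <cfset application.errorEmail = "errors@example.com">
        <cfset application.dsn = "exampleDSN">
        <!--- Pass the application scope itself; structures are passed by reference,
              so the component also sees values set on the scope later --->
        <cfset application.erc = createObject("component", "components.ERC").init(application)>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- components/ERC.cfc (outside webroot, reached only through the mapping) --->
<cfcomponent output="false">
    <cfset variables.app = structNew()>

    <cffunction name="init" access="public" returntype="any" output="false">
        <cfargument name="appScope" type="struct" required="true">
        <cfset variables.app = arguments.appScope>
        <cfreturn this>
    </cffunction>

    <cffunction name="dtsSurvey" access="public" returntype="boolean" output="false">
        <cfargument name="formArray" type="array" required="true">
        <cftry>
            <cfif arrayLen(arguments.formArray) EQ 0>
                <cfthrow message="Empty form submission">
            </cfif>
            <cfreturn true>
            <cfcatch type="any">
                <!--- The error address comes from the injected scope, not from a direct
                      reference to the application scope inside the component --->
                <cfmail to="#variables.app.errorEmail#" from="#variables.app.errorEmail#"
                        subject="ERC.dtsSurvey failed" type="text">#cfcatch.message#</cfmail>
                <cfreturn false>
            </cfcatch>
        </cftry>
    </cffunction>
</cfcomponent>
```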
I'm using CFAJAXPROXY to bring the CFCs into JavaScript.
<cfajaxproxy cfc="components.ERC" jsclassname="ERC" />
...
<script>
var thisComponent = new ERC();
var postData = $('#' + formObjId).serializeArray();
function displayResult(res){ ... }
function displayFailed(res){ ... }
thisComponent.setHTTPMethod('POST');
thisComponent.setCallbackHandler(displayResult);
thisComponent.setErrorHandler(displayFailed);
thisComponent.dtsSurvey(formArray=postData);
</script>
But with the CFCs existing outside of the application, application variables are broken. #application.errorEmail# doesn't exist for the CFTRY/CFCATCH emails when something breaks.
I'll give a shot at passing the application scope. Hadn't considered that.
The mapping of the component folder is in Application.cfc:
<cfset this.mappings['/components'] = ReplaceNoCase(ExpandPath('.'),'{a lot of regex}/components') />
V/r,
^ _ ^
Something got me wondering.
WolfShade wrote
I'm trying to set up our projects so that the components folder will not be inside webroot, primarily due to bots attempting to spider our site and generating error emails every time they get to our components folder.
You could just configure your Robots.txt file to prevent bots from crawling parts of your website.
Reputable search engines will comply with robots.txt. Sadly, not all search engines are reputable. That would stop maybe 10% of all the bots on the internet. There are many who completely ignore robots.txt.
Also, Robots.txt will not stop users from trying to spider and find the components folder and access them directly. Only placing the components folder outside of the webroot will prevent direct unauthorized access to the functions.
V/r,
^ _ ^