Public methods in system/Controller

[MGatner]

I noticed that a number of methods in system/Controller.php are public (initController, forceHTTPS, cachePage, validate). I'm not sure if they need to be for internal purposes, but this makes them routable endpoints on any controller. E.g. https://example.com/home/cachePage/1, or https://example.com/home/initController. This should definitely be addressed as it is borderline a security issue - let me know if you want help with that.

[lonnieezell]

Good catch.

initController has to be public but the others should be protected. If you have time to do a PR that would be awesome. I'm just now getting to a place where I can start catching up again.

[MGatner]

I can make a PR.
Would adding a 404 route (similar to https://github.com/MGatner/CodeIgniter4/blob/basecontroller/system/Config/Routes.php#L55) for initController be appropriate?

[lonnieezell]

I think so, yes.

[atishhamte]

I guess this is merged. Please close