(01-21-2021, 08:13 PM)iRedds Wrote: Even if there is a return operator in the class constructor, it will not return anything.
No return is expected when the initController method is called.
In my humble opinion you need to use filters. If you cannot use the code that you use in the controller in filters, then your application has design problems.
But if you really need to redirect from the class constructor, you can throw an exception
PHP Code:
throw new RedirectException('urlToRedirect');
Thank you for the RedirectException suggestion. Sadly, that doesn't seem to allow one to specify an HTTP response code. It defaults to 302.
Are filters powerful? YES.
Are filters a potent, flexible tool to filter requests and responses? YES.
Are filters "clean" as the
kilishan suggests? NO.
I'll elaborate:
That a filter is even running is in no way evident in a controller's source code. Filters might do anything at all and you'd have no idea one would run by looking at the controller. You'd have to examine the app/config/filters.php file, mentally parse its contents, and examine any relevant filter files. You can't shift-click or hit F3 in the controller and instantly navigate to any filters applied to it.
One of the very best features of CodeIgniter is its intuitive mapping between website url paths and the file path of the controller PHP file. Looking at some site url, you can usually find the controller that handles it quickly just by looking in the app\Controllers directory. I'm not a fan of frameworks where one must define routes for every controller or url. I vaguely recall Laravel having this problem. Such centralized files cause trouble when you have multiple developers working. Most of your merge conflicts appear in such files. The filter config file has the same problem. If any developer wants to even apply an existing filter to a new controller, they may have to make changes to the site-wide filter file. These files become bottlenecks.
The structure of the filter config file is peculiar and not intuitive and the requirement that you define aliases and assign them through fairly messy array notation means you have a bunch of string literals, which are not error-checked by your IDE and which are vulnerable to typos. E.g., I might accidentally type 'honyepot' and the IDE wouldn't blink an eye. I might mistype the url to which a filter applies. Or I might fail to notice an 'except' rule which overrides my filter rules. Either of these mistakes could expose some vital controller method to mischief.
Is there some order of precedence that applies? Presumably $globals is processed first, then $methods, then $filters. If I somehow specify a filter in two of these arrays, it can be applied more than once, introducing performance issues and also possibly data corruption if values get translated then translated again.
Additionally, one must also maintain mental strong focus to make sure the rules do what you want them to do. Are my wildcards correct? Did I accidentally overrule my first filter with an
except somewhere? What about the return values of the filters themselves? If I return a nonzero value in any of them then all the later filters will not be executed. UNLESS the value returned is either a Response or Request object. The way filters allow return values of empty/non empty/Response/Request is certainly permitted in reflective programming, but IMHO it's rather an abuse of PHP's flexibility and runs counter to the trend toward type hinting and stronger typing.
There are also security concerns with filters. If, for example I establish some vital adminRole alias in my filters and apply it to one controller method like so:
PHP Code:
public $filters = [
'foo' => ['before' => ['mycontroller/foo-bar']],
];
this definitely runs the filter if I visit this url:
/mycontroller/foo-bar
but the filter doesn't run if i visit these:
/mycontroller/foo-bar/parameter
/mycontroller/foo_bar
I can apply the filter to both of those latter urls with a different rule:
PHP Code:
public $filters = [
'foo' => ['before' => ['jtest/foo.bar']],
];
however, this complication is not mentioned at all in the documentation, and is likely to result in security vulnerabilities for inexperienced users, much like SQL injection has been a problem for decades.
Given all these considerations, especiall the last one regarding pattern matching, I don't think filters should be considered a 'best practice' for authentication. IMHO, extending the BaseController with some role-checking and simple logic to prevent code form executing has numerous advantages. I also think it's entirely reasonable that a Controller's __construct or initController might want to redirect the request -- they are controllers, after all.
I can easily add a redirect function to my own BaseController, but I think it would be really nice to augment the CodeIgniter\Controller to include a protected method redirect that mimics the old CI3 redirect functionality. I can easily do this myself in my own BaseController, but I think it'd be a convenient feature all around and would ease CI3-to-CI4 migrations like the one I'm currently working on.
I welcome any thoughts others may have.
