CodeIgniter Forums

Full Version: How to protect admin pages?
So I read the tutorial and tried to convert an HTML blog template to CI and it seems like it is a more or less straightforward process.

Now if I want to create admin pages where you can post and manage blog entries, how do I protect admin pages?

So when people try to access a page it should check if they are logged in and if not they will be redirected to the login page. How does this checking happen?
(03-14-2015, 04:40 PM)lexxtoronto Wrote: So when people try to access a page it should check if they are logged in and if not they will be redirected to the login page. How does this checking happen?

One way to do that is to put the checking code in the controller's constructor. For example, in an application I am building, I only require that people be logged in. So in every controller's constructor, I put code to check for that. Like this.
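PHP Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class Gifts extends CI_Controller {

  public function __construct()
  {
    parent::__construct();
    // The URL helper provides redirect()
    $this->load->helper('url');
    // No 'user_id' in the session means nobody is logged in
    // (the session library must already be loaded, e.g. through autoload)
    if ( ! $this->session->userdata('user_id'))
    {
      redirect('user/login');
      exit;
    }
    // Reached only by logged-in users
    $this->load->helper('form');
    $this->load->library('form_validation');
    $this->load->library('table');
    $this->load->model('gifts_model');
    $this->load->model('glist_model');
  }

  // ... controller methods ...
}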

I load the URL helper because I need it for the possible redirect. Then I check to see if the session has a 'user_id,' indicating a logged-in user. If not, I redirect to the login page and exit. Otherwise, if the user is logged in, I continue to load the rest of my helpers, libraries, and models.

I hope that helps.

Awesome, thank you! That makes sense.

But only those controllers that will display admin pages should check if the user is logged in, and no need for those controllers that simply display blog entries. I mean I should have separate controllers, right?
(03-14-2015, 06:39 PM)lexxtoronto Wrote: But only those controllers that will display admin pages should check if the user is logged in, and no need for those controllers that simply display blog entries. I mean I should have separate controllers, right?

You're welcome! You can make your checks as complex as you want and you don't necessarily need separate controllers if they do basically the same thing. You can develop a system of permissions, where different kinds of users can do different things.

But if you're going to go for levels of permissions, you might as well look into existing libraries that handle authentication, like "flexi auth." Otherwise, do as you say, and only check where necessary. 
Sweet, thank you!
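
Added example, not part of any post in this thread: the constructor check discussed above, moved into a shared base controller so that every admin controller inherits it and none can forget it, while public blog controllers keep extending CI_Controller. The 'user_id' key and the 'user/login' route come from the answer above; Admin_Controller, Admin_posts, the 'return_to' and 'role' session keys, and the view name are assumptions made for the illustration.

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
// File 1: application/core/MY_Controller.php
// CodeIgniter loads this file automatically (default subclass_prefix is 'MY_').

class MY_Controller extends CI_Controller {}

// Hypothetical base class: every admin controller extends this one,
// so the login check exists in exactly one place.
class Admin_Controller extends MY_Controller {

  public function __construct()
  {
    parent::__construct();
    $this->load->library('session');
    $this->load->helper('url');

    // Same test as in the thread: no 'user_id' means not logged in.
    if ( ! $this->session->userdata('user_id'))
    {
      // 'return_to' is a hypothetical key the login controller can read
      // to send the user back. uri_string() is a site-relative path.
      $this->session->set_userdata('return_to', uri_string());
      redirect('user/login'); // redirect() ends the request itself
    }

    // Being logged in is not the same as being an admin.
    // 'role' is a hypothetical key that the login code would set.
    if ($this->session->userdata('role') !== 'admin')
    {
      show_error('You are not allowed to view this page.', 403);
    }
  }
}

// File 2: application/controllers/Admin_posts.php (hypothetical)
class Admin_posts extends Admin_Controller {

  public function index()
  {
    // Reached only after both checks in Admin_Controller have passed.
    $this->load->view('admin/posts_list');
  }
}

// A public controller such as Blog keeps extending CI_Controller
// and therefore runs no login check at all.
```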