SHIELD - Protecting Pages - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: Best Practices (https://forum.codeigniter.com/forumdisplay.php?fid=12)
+--- Thread: SHIELD - Protecting Pages (/showthread.php?tid=89061)
SHIELD - Protecting Pages - lazcorp - 12-29-2023

Yesterday I started adding Shield 1.0.0 to my CodeIgniter site, and made a surprising amount of progress in day 1 (so kudos to the team that developed it!)

My aim is to create a CMS for my website. I'm currently protecting individual routes using Shield's built-in filter at the end of the route statement, like this:

PHP Code:
$routes->get('/url/to/edit/blogpost/page', [AdminBlogController::class, 'edit'], ['as' => 'admin-edit-blogpost', 'filter' => 'session:admin.access']);

This works (a non-logged-in user can't access the page, a user logged in with the appropriate permissions can), but I have a couple of follow-up questions to any more experienced Shield developers:

1. Should I also be checking user permissions at other stages (e.g. in the controller's method e.g. in the 'edit' method of AdminBlogController) to employ a "defence in depth" approach?, and
2. If the answer to the above is "yes", how do I check the user's permissions in the controller?

RE: SHIELD - Protecting Pages - InsiteFX - 12-30-2023

Shield User Guide - Using Authorization - Check If a User Has Permission

RE: SHIELD - Protecting Pages - lazcorp - 12-30-2023

Thank you - I'd missed that bit of the docs!
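
An added example, not part of the thread or of Shield's own code, of the in-controller check the linked guide section covers: the `edit` method enforces `admin.access` itself with `auth()->user()->can()`, so the permission holds whatever filter the route carries (Shield also ships `group` and `permission` route filters for authorization). The view name, the 403 response body and the log message are assumptions; `login` is the named route Shield's default auth routes define.

```php
<?php

namespace App\Controllers;

// Hypothetical controller; class and method names follow the route in the question.
class AdminBlogController extends BaseController
{
    // Permission string taken from the route definition in the question.
    private const REQUIRED_PERMISSION = 'admin.access';

    public function edit()
    {
        // Re-check authorization here so the method is safe even if the
        // route is later edited, duplicated, or registered without a filter.
        if (($denied = $this->denyUnlessPermitted()) !== null) {
            return $denied;
        }

        // Assumed view name; the real edit form goes here.
        return view('admin/blog/edit');
    }

    /**
     * Returns a response when the request must be refused,
     * or null when the current user may proceed.
     */
    private function denyUnlessPermitted()
    {
        // Not authenticated: send the visitor to the login page.
        if (! auth()->loggedIn()) {
            return redirect()->route('login');
        }

        // Authenticated but missing the permission (checked at user and
        // group level by can()): log it for review and refuse with 403.
        if (! auth()->user()->can(self::REQUIRED_PERMISSION)) {
            log_message('warning', 'User {id} denied {perm} on {uri}', [
                'id'   => auth()->id(),
                'perm' => self::REQUIRED_PERMISSION,
                'uri'  => current_url(),
            ]);

            return $this->response->setStatusCode(403)->setBody('Forbidden');
        }

        return null;
    }
}
```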