Yesterday I started adding Shield 1.0.0 to my CodeIgniter site, and made a surprising amount of progress in day 1 (so kudos to the team that developed it!)
My aim is to create a CMS for my website. I'm currently protecting individual routes using Shield's built-in filter at the end of the route statement, like this:
PHP Code:
$routes->get('/url/to/edit/blogpost/page', [AdminBlogController::class, 'edit'], ['as' => 'admin-edit-blogpost', 'filter' => 'session:admin.access']);
This works (a non-logged in user can't access the page, a user logged in with the appropriate permissions can), but I have a couple of follow-up questions to any more experienced Shield developers:
1. Should I also be checking user permissions at other stages (e.g. in the controller's method, such as the 'edit' method of AdminBlogController) to employ a "defence in depth" approach? And
2. If the answer to the above is "yes", how do I check the user's permissions in the controller?
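For readers with the same question, here is an added example (not the poster's code, and not an official Shield snippet) of checking the permission a second time inside the controller method, so the route filter is not the only gate. It assumes Shield 1.x's `auth()` helper, the `can()` method on the user entity, a permission named `admin.access` as in the route above, and a hypothetical `AdminBlogController::edit()` method; the redirect target route names are also assumptions.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Exceptions\PageNotFoundException;

class AdminBlogController extends BaseController
{
    // Permission name assumed to match the one used in the route filter.
    private const EDIT_PERMISSION = 'admin.access';

    public function edit(int $postId)
    {
        // Defence in depth: even if a route is later added without the
        // 'session:...' filter, or the filter is misconfigured, this method
        // still refuses to serve the page to the wrong user.
        if (! auth()->loggedIn()) {
            // Not authenticated: send to Shield's login page (route name assumed).
            return redirect()->route('login');
        }

        if (! auth()->user()->can(self::EDIT_PERMISSION)) {
            // Authenticated but not authorised. Returning 404 instead of 403
            // avoids confirming that an admin page exists at this URL.
            throw PageNotFoundException::forPageNotFound();
        }

        // Optional: record the access so unexpected hits show up in logs.
        log_message('info', 'User {id} editing blog post {post}', [
            'id'   => auth()->id(),
            'post' => $postId,
        ]);

        // ... load the post and render the edit form as before ...
        return view('admin/blog/edit', ['postId' => $postId]);
    }
}
```

If several admin methods need the same check, the two `if` blocks can be moved into a small private helper, or into a parent `AdminController::initController()` so every action in that controller inherits it; the route filter then remains the first line and the controller check the second.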