Community Auth verify_min_level logging users out?
I see in the source that verify_min_level() calls authentication->check_login() which clears the session vars if the minlevel is not reached.
Is this intended behaviour? Because right now I have a use-case whereby some additional content is displayed at, say, minlevel 6, on a protected page where lower level users can still see the rest of the content, but doing verify_min_level logs all lower level users out as a result.
Yes, use the lowest level that is allowed to access the page. If login is not required at all and you're just trying to verify if anyone is logged in, then use $this->is_logged_in(); at the top of your controller method.
After that, use your ability to access the auth variables to determine who is/not logged in and what to show them. Docs: http://community-auth.com/documentation/...rification

Show some code too, unless I've answered your question already.

While it is implied that "login is just verified" when you use the verify_ methods, the main difference between the verify_ methods and the require_ methods is that the require_ methods will redirect you to the login page if the user doesn't meet the requirements for being on the current page, while the verify_ methods will not redirect. Most of the time, if you're using the verify_ methods, it'll be because you just want to know if somebody is logged in, and in that case you're using $this->is_logged_in(), which is an alias for $this->verify_min_level(1); In that case, you're either logged in or you're not, so nobody is ever going to get automatically logged out.

Your post brings about an interesting question though. Why does a user get logged out if they don't have a user level that is high enough to pass verification? Besides just being "the way it is", the check_login method is sort of a dual purpose method, and is checking if a user is logged in for required_ pages too. If somebody just happens to stumble upon a page they are not supposed to be on, my thinking is that we log them out. Why and how did they get there anyway, right? So as you build your menus, and add links and sections to your website, you'll want to make sure that users only see what they are allowed to see. For instance, a customer never sees an admin's list of customer orders, so it would make sense that the customer would never see the link to that page either.

Honestly, I never use the verify_ methods except for with user level 1. I suppose there could be a use case where you just want to make sure an employee of any level was on the page, but you didn't want them to be redirected to the login form because you were perhaps going to redirect somewhere else if they were or were not logged in. That's about the only reason I can think of to use the verify_ methods without 1 as the param.

Another reason to use the verify_ methods might be that you have them in methods that are accessed only by AJAX, and if the person sending the AJAX request is not logged in you want to send them back a custom message instead of having Community Auth try to serve them up the default login form (which wouldn't work because it's an AJAX response).

The flexibility is there, I guess it just takes some time to really think about what it is that you need, and how Community Auth can best handle it. If you can describe your use case a little more, perhaps I can suggest something for you.

(05-23-2016, 12:32 AM)skunkbad Wrote: Yes, use the lowest level that is allowed to access the page. If login is not required at all and you're just trying to verify if anyone is logged in, then use $this->is_logged_in(); at the top of your controller method.

Thank you for the quick reply. To clarify, login is required for the entire page, but some sub-content will require higher privileges. The following is a small modification of the Examples->simple_verification() method:

PHP Code: public function simple_verification()

After logging in and visiting the page for the first time, the correct behaviour ("Hiding admin level content" shown along with the rest of the auth information). However, visiting the page again will show that the user is no longer logged in. Should I avoid calling verify_min_level() if I do not wish to log the user out, and just check ($this->auth_level >= 10) instead? Thanks!
OK, now I see the problem, and this is something others have done too. You should only be using one of the auth methods per request, and in your code you are using two. By auth methods, I mean:
For instance, in controllers if you want to know the user level (now called auth level):

Code: if( $this->auth_level >= 10 )

In a view, you would use:

Code: if( isset( $auth_level ) && $auth_level >= 10 )

and if you are in any place where you don't have access to those, like a model:

Code: if( config_item('auth_level') >= 10 )
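The behaviour discussed in this thread, as an added example that is not part of any post and is not Community Auth's own code: a simplified stand-in class (the hypothetical AuthModel) models a failed level check clearing the session, and two page functions compare two auth calls per request against one call followed by an auth_level comparison. The session array, the class and both function names are assumptions made for illustration.

```php
<?php
// Simplified model of the behaviour described in the thread; NOT Community Auth code.
// $session stands in for server-side session storage that persists across requests.
class AuthModel
{
    public $auth_level = null; // populated after a successful check
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // As described in the thread: a failed level check clears the session vars.
    public function verify_min_level(int $level): bool
    {
        $current = $this->session['auth_level'] ?? null;
        if ($current === null || $current < $level) {
            $this->session = [];   // the user is now logged out
            $this->auth_level = null;
            return false;
        }
        $this->auth_level = $current;
        return true;
    }
}

// Problem pattern: a second auth call is used to gate the admin-only section.
function page_with_two_checks(array &$session): string
{
    $auth = new AuthModel($session);
    if (!$auth->verify_min_level(1)) return 'not logged in';
    return $auth->verify_min_level(10) ? 'page + admin content' : 'page only';
}

// Pattern from the reply: one auth call, then compare the auth level.
function page_with_one_check(array &$session): string
{
    $auth = new AuthModel($session);
    if (!$auth->verify_min_level(1)) return 'not logged in';
    return $auth->auth_level >= 10 ? 'page + admin content' : 'page only';
}

foreach (['page_with_two_checks', 'page_with_one_check'] as $page) {
    $session = ['auth_level' => 6]; // constructed session for a level 6 user
    echo $page, ' visit 1: ', $page($session), "\n";
    echo $page, ' visit 2: ', $page($session), "\n";
}
```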