Best Practice Question
#1

[eluser]Jesse Schutt[/eluser]
Hello All,

I have a question regarding the "better" way to implement a privilege check for a logged in administrator. Let me explain...

I have an admin area that is protected via a login and password. I also have built a permission/privilege system that can be applied to individual administrators (with great help from Michael Wales).

Now I am trying to protect certain pages from administrators once they are already logged in to the system.

Here is where my question comes up. Should I assign the different privileges to the user session upon login, or should I write a function that queries the DB every time a user tries to access a specific section of the admin area?

Thanks for your thoughts!

Jesse
#2

[eluser]dpgtfc[/eluser]
On the application I have set up, it stores all the groups a user belongs to in session data when they log in (or the permission levels are changed).

Personally I try and minimize DB calls, just for scalability if nothing else.
#3

[eluser]Jesse Schutt[/eluser]
Thanks for the response!

What if I don't have to be concerned about scalability? I am working on an intranet program that isn't going to have to serve more than 100 people.

Jesse
#4

[eluser]dpgtfc[/eluser]
Then I would do what is best for how you have your application set up. If it is a hassle dealing with session data, do a check on every page load. I'm not personally aware of any best practices when it comes to that (other than worrying about security or scalability).

I'm not the authority on that though, so perhaps somebody will come in and prove me wrong.
#5

[eluser]Jesse Schutt[/eluser]
I have never done this before, so I am asking how people do it on their apps.

Session data is not a problem, nor is checking it against the db. Just asking for opinions :-)
#6

[eluser]@li[/eluser]
I don't like to complicate things, so what I do is just have a field in my 'users' table called 'lvl' with certain levels starting from 1-3 (I haven't needed to have more than 3 levels for any site I've done yet). Then whenever someone logs in, I store the 'lvl' field along with their first name, etc. in the session (I use database sessions so I can store as much info as I need in the session).

Then, in my authorization class I have a function called 'Restrict' which takes a numerical level, compares it with the lvl stored in session, and if a user isn't logged in or his level is less than the level passed on, it redirects them to the login page or an 'unauthorized' page. Here's some example code:

Code:
<?php
class Admin extends Controller
{
    // CI 1.x-style constructor: runs before every method of this controller,
    // so the level check below protects the whole admin area.
    function Admin()
    {
        parent::Controller();
        $this->auth->restrict(2);
    }

    function index()
    {
        //Code here
    }
}
?>

If you try to go to http://mysite.com/admin and you are only a registered member (hence lvl 1) it redirects you back to http://mysite.com/members, and if you're not logged in it redirects you to http://mysite.com/login
#7

[eluser]@li[/eluser]
Here's the restrict function mentioned above in case it helps:

Code:
function restrict($minLevel)
{
    if (! is_numeric($minLevel))
        return false;

    $url = $this->obj->uri->uri_string();
    if (! $this->isLoggedIn())
    {
        // Set url of the current page in the session, so upon logging in they're
        // redirected back to this page
        $this->obj->session->set_userdata('redirect_url', $url);
        header('Location: ' . $this->loginPageUrl);
        die;
    }

    // Logged in, but the level cached in the session is below the required one
    if ($this->obj->session->userdata($this->lvlField) < $minLevel)
    {
        header('Location: ' . $this->membersAreaUrl);
        die;
    }
    return true;
}

It's a bit outdated obviously, I wrote it before I started using CI, hence it's still using header('location') to redirect. But, it does the job for now.
#8

[eluser]sl3dg3hamm3r[/eluser]
IMHO I wouldn't fire a DB-query on each page-loading, which would result in storing the rights in a session. I would ask myself what would be the advantage of a DB-query on each page-loading? The only thing I can think of is the immediate effect in case of a change in the user's role. The user wouldn't need to re-login. If the roles would change often (for whatever reason), a DB-check might make sense. Otherwise I would skip it and store it in the session.
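The trade-off the thread settles on (privileges cached in the session for speed, versus a DB query per request so that a role change takes effect immediately) can be combined: load the level and privilege list into the session at login, and re-read them from the database only when the cached copy is older than a short maximum age. The following is an added, framework-agnostic PHP example written for this thread, not code from any poster or from CodeIgniter. It assumes PDO and a constructed schema of `users(id, lvl)` and `user_privileges(user_id, privilege)`; the class name `Auth`, the `$maxAgeSeconds` setting and the redirect paths are illustrative choices.

```php
<?php
// Added example (not from the thread): cache privileges in the session at login,
// reload them from the DB once the cached copy is older than $maxAgeSeconds,
// and enforce a minimum level (and optionally a named privilege) per controller.
// Assumed schema: users(id, lvl) and user_privileges(user_id, privilege).

class Auth
{
    private PDO $db;
    private int $maxAgeSeconds;
    private string $loginUrl;
    private string $deniedUrl;

    public function __construct(PDO $db, int $maxAgeSeconds = 300,
                                string $loginUrl = '/login', string $deniedUrl = '/members')
    {
        $this->db            = $db;
        $this->maxAgeSeconds = $maxAgeSeconds;
        $this->loginUrl      = $loginUrl;
        $this->deniedUrl     = $deniedUrl;
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }

    // Call once after the password has been verified. Regenerating the session id
    // here stops a session id issued before login from being reused afterwards.
    public function login(int $userId): void
    {
        session_regenerate_id(true);
        $_SESSION['user_id'] = $userId;
        $this->loadPrivileges($userId);
    }

    public function logout(): void
    {
        $_SESSION = [];
        session_destroy();
    }

    public function isLoggedIn(): bool
    {
        return isset($_SESSION['user_id']);
    }

    // Read level and privilege list from the DB and stamp them with the load time.
    private function loadPrivileges(int $userId): void
    {
        $stmt = $this->db->prepare('SELECT lvl FROM users WHERE id = ?');
        $stmt->execute([$userId]);
        $lvl = $stmt->fetchColumn();
        if ($lvl === false) {            // account removed since login: drop the session
            $this->logout();
            return;
        }
        $stmt = $this->db->prepare('SELECT privilege FROM user_privileges WHERE user_id = ?');
        $stmt->execute([$userId]);
        $_SESSION['auth'] = [
            'lvl'        => (int) $lvl,
            'privileges' => $stmt->fetchAll(PDO::FETCH_COLUMN),
            'loaded_at'  => time(),
        ];
    }

    // Refresh the cached copy when it is stale, so a demotion or revoked privilege
    // takes effect within $maxAgeSeconds instead of at the next login.
    private function refreshIfStale(): void
    {
        if (!isset($_SESSION['auth']['loaded_at'])
            || time() - $_SESSION['auth']['loaded_at'] > $this->maxAgeSeconds) {
            $this->loadPrivileges((int) $_SESSION['user_id']);
        }
    }

    // Same contract as the thread's restrict(): redirect to login when anonymous,
    // redirect to the denied page when the level (or named privilege) is insufficient.
    public function restrict(int $minLevel, ?string $privilege = null): void
    {
        if (!$this->isLoggedIn()) {
            // Only a local path is stored, so the post-login redirect stays on this site.
            $_SESSION['redirect_url'] = $_SERVER['REQUEST_URI'] ?? '/';
            $this->redirect($this->loginUrl);
        }
        $this->refreshIfStale();
        if (!$this->isLoggedIn()                       // loadPrivileges() may have logged out
            || $_SESSION['auth']['lvl'] < $minLevel
            || ($privilege !== null
                && !in_array($privilege, $_SESSION['auth']['privileges'], true))) {
            $this->redirect($this->deniedUrl);
        }
    }

    private function redirect(string $url): void
    {
        header('Location: ' . $url, true, 303);
        exit;
    }
}

// Usage in a controller constructor (constructed example):
// $auth = new Auth(new PDO('sqlite:app.db'));
// $auth->restrict(2, 'manage_users');
```

With `$maxAgeSeconds` set to 0 this degenerates into the per-request DB check discussed in the thread; a value of a few minutes keeps the common path at zero queries while bounding how long a revoked level or privilege remains usable. The `exit` after `header()` matters: without it the rest of the controller still runs and the redirect only affects what the browser does next.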

Theme © iAndrew 2016 - Forum software by © MyBB