Verification before loading page
#1

[eluser]garrettheel[/eluser]
Before loading any pages in the admin controller, I want to verify that the user is supposed to have access to the page. Now, rather then use a bunch of if statements in every single admin function, I would rather do something in the constructor and have it apply to all of the functions. Just wondering what the best way to do this would be? E.g

Code:
function __construct()
{
    if ($something == TRUE)
    {
        redirect('some/error/page');
    }

}

Would this be the most secure and best way to do it? I don't want there to be any glimpses of the page or anything. Thanks
#2

[eluser]xwero[/eluser]
use a hook
#3

[eluser]garrettheel[/eluser]
Is this the best way? I didn't want to make it too complicated and I only wanted it on certain controllers. And can you give me an example of how to use it?
#4

[eluser]hugle[/eluser]
[quote author="xwero" date="1228924041"]use a hook[/quote]

hello xwero.

Could you explain a bit, how the hook is used in this situation?

Thanks
#5

[eluser]xwero[/eluser]
Code:
function access_allowed()
{
    $controllers = array('ctrl1','ctrl2'); // you can move this to the hooks.php params key for more flexibility
    $CI =& get_instance();
    $CI->load->helper('url'); // to be on the safe side
    // check if the controller is protected
    if(in_array($CI->uri->rsegment(1),$controllers))
    {
        // do some more checking
        if ($something == FALSE)
        {
             redirect('some/error/page');
        }
    }
}
Call this function in a post_controller_hook
#6

[eluser]garrettheel[/eluser]
Ooh I see what you mean. Just wondering though, does this function have to be in a /hooks folder? And I'm assuming using the redirect here is perfectly secure?

Also, I need to have access to one of my models. What should the class be called and should it extend anything?
#7

[eluser]xwero[/eluser]
You can put the function anywhere, see the hooks page in the user guide, but the default directory is hooks.

I never knew redirect to be insecure as it's a function where you control all parameters. It's insecure if you don't validate the segments that depend on the user input.

Just load your model like I loaded the url helper and create a method for authentication.
#8

[eluser]garrettheel[/eluser]
So it's not working.. it's letting anyone view the page regardless and, when I try to var_dump() anything it doesn't display.

hooks/access.php
Code:
<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class Access {

    function verify_access()
    {
        $CI =& get_instance();
        $CI->load->helper('url'); // to be on the safe side

        if($CI->uri->rsegment(1) == 'admin') // Check if the controller admin is being called.
        {
            $CI->load->model('User_model');
            
            if (!$CI->User_model->verify_group(10)):
                // $this->session->set_flashdata('error', 'You do not have permission to view this page.');
                redirect('');
            endif;
        }
    }
}

?>

config/hooks.php
Code:
$hook['pre_controller'] = array(
    'class'    => 'Access',        // must match the class name in hooks/access.php
    'function' => 'verify_access',
    'filename' => 'access.php',
    'filepath' => 'hooks',
    'params'   => array()
);
#9

[eluser]xwero[/eluser]
It has to be a post_controller_constructor hook, I was a bit too fast the first time, I'm sorry. Because then you can access the normal controller methods.
#10

[eluser]garrettheel[/eluser]
Scratch that, didn't have hooks turned on in the config (oops).

Now I have a new error, it's to do with the $CI global you used.
Fatal error: Call to a member function helper() on a non-object in /ci/system/application/hooks/access.php on line 8

Line 8 is $CI->load->helper('url');

So I think there's a problem getting the CI object?
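The fatal error in #10 and the correction in #9 come from the same cause: a pre_controller hook runs before the controller object exists, so get_instance() has nothing to return and $CI->load is not an object. Below is an added example (not code from the thread or from the CodeIgniter project) of the hook wired to post_controller_constructor instead, which fires after the controller's constructor and before the requested method runs. The file name access.php, the model User_model with its verify_group() method, and the protected controller list passed through 'params' are assumptions taken from the posts above; nothing here is meant to be the framework's own implementation.

```php
<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// ---- hooks/access.php (assumed file name; must match 'filename' below) ----
class Access {

    // CodeIgniter passes the 'params' array from config/hooks.php as the
    // first argument: here, the routed controller names that need an admin.
    function verify_access($protected = array())
    {
        // Valid only from post_controller_constructor onward; in a
        // pre_controller hook the controller has not been built yet.
        $CI =& get_instance();
        $CI->load->helper('url');

        // rsegment(1) is the routed controller name, so a custom route
        // cannot expose the controller under a different first segment.
        if ( ! in_array($CI->uri->rsegment(1), $protected))
        {
            return;   // public controller: nothing to enforce
        }

        $CI->load->model('User_model');   // assumed model from the thread

        // Assumed: verify_group(10) returns TRUE only for the admin group.
        if ( ! $CI->User_model->verify_group(10))
        {
            // redirect() sends a Location header and calls exit, so the
            // protected controller method never executes and no page
            // content is emitted.
            redirect('');
        }
    }
}

// ---- config/config.php: hooks are off by default ----
$config['enable_hooks'] = TRUE;

// ---- config/hooks.php ----
$hook['post_controller_constructor'] = array(
    'class'    => 'Access',
    'function' => 'verify_access',
    'filename' => 'access.php',
    'filepath' => 'hooks',
    'params'   => array('admin')   // constructed: routed controllers to protect
);
```

Keeping the list of protected controllers in 'params' means adding a controller to the list is a configuration change rather than an edit to the hook, and because the check runs in the hook rather than in each controller constructor, a new admin method cannot be shipped without the check applying to it. If the check must also cover controllers whose constructors do work before the method is called, the constructor itself still runs first; anything sensitive should therefore stay in the methods, not the constructor.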