"Best" way to restrict users from certain pages.
#1

[eluser]Bramme[/eluser]
Hello all

I'm working on a personal Auth library for my future projects and one of the features is user restrictions: some users can only access some pages, while others may access all. Because I want an administrator to be able to restrict users, I use the following system:

I enter all pages of my auth system manually to a table in the database (this works fine for now, as the number of pages remains limited). This table is also used to create the navigation for the website. This table has 6 fields (id, title, url, description, parent_url (if it's a subnav item) and order).

Then I have a users_restrictions table. This has 3 fields: id, users_id, pages_id. This table stores what pages a certain user isn't allowed to see.

Now this works perfectly fine, but it feels kinda clunky. Especially the manual adding of pages. Does somebody have some kind of idea how I could replace the manual adding with something more automatic?
#2

[eluser]xwero[/eluser]
A roles system is easier to use for an administrator. This way you can create groups of users with the same privileges and if a user needs a custom fit role the admin is still able to create it.

You have two ways of storing the data. You can have a config file per controller where the admin adds, with or without the help of an interface, the roles for the controller in general or per method.
The other way is to store the privileges in a database, like you did, but with the roles the admin doesn't have to add the privilege for each page.
#3

[eluser]Bramme[/eluser]
I figured roles were easier to use earlier, but didn't because the current app will only be used by max 5 people. I would adjust the auth system in the future to use roles, like you suggested.

Could you give me a crude code example of how things would work when using a config file per controller? Because I'm using a config file per controller already, but I don't see how to implement roles in the controller yet.
#4

[eluser]xwero[/eluser]
I was thinking
Code:
// all controller methods are public
$config['access'] = array();
// restricted access
$config['access'] = array('method1'=> array('john','jane'));
The access check would be something like
Code:
$access_array = $this->config->item('access');
$method = $this->uri->rsegment(2);
// an empty (or missing) access array means every method in the controller is accessible
if(empty($access_array))
{
   return;
}
// if the method is in the access array and the user is listed for it, the method gets shown
// (strict in_array so a non-string session value can never match a username)
if(isset($access_array[$method]) && in_array($this->session->userdata('username'), $access_array[$method], TRUE))
{
   return;
}
// if the checks fail, it's a restricted method
redirect('login');
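
A role-based variant of the access map from the posts above, as an added example that is not part of the original thread or of CodeIgniter: the map lists roles instead of usernames, and the check is a plain function so it runs without the framework. The role names, method names, sample users and `check_access()` are assumptions.

```php
<?php
// Added example: role-based variant of the per-controller access map.
// Role names, method names and check_access() are hypothetical.

// Constructed sample config for one controller: method => roles allowed.
$config['access'] = array(
    'index'  => array('editor', 'admin'),
    'delete' => array('admin'),
);

/**
 * Return true if a user holding $user_roles may call $method.
 * - Empty map: every method in the controller is public (as in the post above).
 * - Non-empty map: a method that is not listed is denied, so a newly added
 *   method is not exposed by accident.
 */
function check_access(array $access, $method, array $user_roles)
{
    if (count($access) === 0) {
        return true;
    }
    if (!isset($access[$method])) {
        return false;
    }
    // Strict comparison so that e.g. 0 or "0" never matches a role name.
    foreach ($user_roles as $role) {
        if (in_array($role, $access[$method], true)) {
            return true;
        }
    }
    return false;
}

// Constructed users: roles would normally come from the session or database.
$users = array(
    'john' => array('editor'),
    'jane' => array('admin'),
    'bob'  => array(),
);

foreach ($users as $name => $roles) {
    foreach (array('index', 'delete', 'export') as $method) {
        $ok = check_access($config['access'], $method, $roles);
        echo sprintf("%-5s %-7s %s\n", $name, $method, $ok ? 'allow' : 'redirect to login');
    }
}
```

In a controller, the method name would come from `$this->uri->rsegment(2)` as in the check above, and a `false` result would lead to `redirect('login')`.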
#5

[eluser]TheFuzzy0ne[/eluser]
Shock collars. If they go somewhere they shouldn't - Dzzzzzzzzzzzzz! :D
#6

[eluser]slowgary[/eluser]
I'd say you're always going to have to add pages manually. If there's a frontend for creating pages, it should provide a list of checkboxes with each user (ideally each group) to allow access to the page.

Technically, pages are added automatically... they just default to "ALLOW ALL".



