CI and Phil Strugeons REST API
#19

[eluser]bugboy[/eluser]
I've modified the restserver to allow me to get the id of the logged-in user so I can perform user-specific tasks and also block off tasks so users can't edit/destroy another user's data (e.g. profile).

I'm not sure if this is the safest or the right way to do this. Below are the modified bits of the rest_controller. Is there a better, safer way of doing this?


Code:
class REST_Controller extends Controller
{
    // Set this in a controller to use a default format
    protected $rest_format = NULL;
    
    private $_method;
    private $_format;
    
    private $_get_args = array();
    private $_put_args = array();
    private $_delete_args = array();
    private $_args = array();
    
    /**
     * Added in for user store
     */
    private $_user_id;


Create a function to get the id of the logged-in user

Code:
// INPUT FUNCTION --------------------------------------------------------------

    public function user_id()
    {
        return $this->_user_id;
    }

User login function. Please note that I'm just running a quick test; that's why I'm getting a direct user.

Code:
// SECURITY FUNCTIONS ---------------------------------------------------------

    private function _check_login($secret = '', $api_key = NULL)
    {
        if(empty($secret))
        {
            return FALSE;
        }

        $valid_logins =& $this->config->item('rest_valid_logins');

        // Using a new array format; this will be replaced with a database call
        if($valid_logins[0]['username'] !== $secret)
        {
            return FALSE;
        }

        // If actually NULL (not empty string) then do not check it
        if($api_key !== NULL)
        {
            // Strict comparison: a loose != would let PHP juggle
            // numeric-looking strings before comparing them
            if($valid_logins[0]['password'] !== $api_key)
            {
                return FALSE;
            }
        }

        // Set the user key
        $this->_user_id = $valid_logins[0]['id'];

        return TRUE;
    }

Unset if not valid

Code:
        // Strict comparison so two hex digests are compared as strings, not juggled to numbers
        if ($digest['response'] !== $valid_response)
        {
            $this->_user_id = NULL;

            header('HTTP/1.0 401 Unauthorized');
            header('HTTP/1.1 401 Unauthorized');
            exit;
        }


Config array amended to take more data. Please note that this is just temporary and that all of these will be stored in a database.

Code:
/*
|--------------------------------------------------------------------------
| REST Login usernames
|--------------------------------------------------------------------------
|
| Array of usernames and passwords for login
|
|    array('admin' => '1234')
|
*/
//$config['rest_valid_logins'] = array('admin' => '1234');

$config['rest_valid_logins'] = array(
    array(
        'id'       => 1,
        'username' => 'admin',
        'password' => '1234'
    )
);


This is just a test call and would be open to the public, but it gives me an indication that it works.

Code:
    function check_get()
    {
        // User check; maybe unstable and not great
        $id = $this->user_id();
        $data = array('id' => $id);
        $this->response($data, 200); // 200 being the HTTP response code
    }

Now this works, but I'm completely unsure if it's the best way to go about it.

I hope this makes sense.

Any suggestions, advice or crits welcome, as I'm completely new and willing to learn more on this subject.

Thanks in advance.
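One way to tighten the login lookup and the per-user ownership check described above, as an added example that is neither the poster's code nor Phil Sturgeon's REST_Controller. It assumes PHP 5.6 or later for password_verify(), keys the login table by username instead of reading index 0, stores a password hash rather than the plaintext key, and resets the stored user id on every failed check; the class and method names are illustrative.

```php
<?php
// Added example (not from the original post or the REST library).
// Covers the username + API-key path only; the digest path in the
// library stays as it is.
class REST_Auth_Example
{
    private $_user_id = NULL;
    private $_valid_logins;

    // $valid_logins is keyed by username; each entry holds an id and a
    // password HASH, never the plaintext key the posted config stored.
    public function __construct(array $valid_logins)
    {
        $this->_valid_logins = $valid_logins;
    }

    public function user_id()
    {
        return $this->_user_id;
    }

    public function check_login($secret = '', $api_key = '')
    {
        $this->_user_id = NULL;   // never carry an id over from a failed check
        if ($secret === '' || !isset($this->_valid_logins[$secret]))
        {
            return FALSE;         // unknown user gets the same answer as a bad key
        }
        $login = $this->_valid_logins[$secret];
        if (!password_verify($api_key, $login['password_hash']))
        {
            return FALSE;
        }
        $this->_user_id = (int) $login['id'];
        return TRUE;
    }

    // Ownership gate for user-specific handlers: the caller may only touch a
    // resource whose owner id equals the id set by the login check.
    public function owns($resource_owner_id)
    {
        return $this->_user_id !== NULL && (int) $resource_owner_id === $this->_user_id;
    }
}

// Constructed sample data; in a deployment the hash comes from the database.
$logins = array(
    'admin' => array('id' => 1, 'password_hash' => password_hash('1234', PASSWORD_DEFAULT)),
);
$auth = new REST_Auth_Example($logins);
var_dump($auth->check_login('admin', '1234'), $auth->user_id());
var_dump($auth->check_login('admin', 'wrong'), $auth->user_id());
var_dump($auth->check_login('admin', '1234') && $auth->owns(2));
```

A handler such as profile_put() would call owns() with the profile's owner id before writing and respond with 403 when it returns FALSE.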

