building an efficient admin control panel
#19

[eluser]sandwormusmc[/eluser]
Local Roles Model (used to check if the currently logged in user has privileges to run the PHP function being called):
Code:
<?php
/*
    Originally coded by Charlie Dumont for Detroit Public Schools - Summer 2007
    Modified and completed for Detroit Public Schools by Matt Moldvan - Fall 2007
*/
class LocalRoles_Model extends Model {

  function LocalRoles_Model() {
    parent::Model();
  }

  // All lookups use CodeIgniter query bindings (the ? placeholders) so that
  // user-supplied names and ids are escaped by the database driver instead of
  // being interpolated into the SQL string.

  function get_NameByUserID($User_id) {
    $result = $this->db->query("SELECT userLDAP FROM Users WHERE User_id = ? LIMIT 1", array($User_id));
    if ($result->num_rows() > 0) {
      $row = $result->row();
      return $row->userLDAP;
    }
    return null;
  }

  function get_UserIDByName($username) {
    $result = $this->db->query("SELECT User_id FROM Users WHERE userLDAP = ? LIMIT 1", array($username));
    if ($result->num_rows() > 0) {
      $row = $result->row();
      return $row->User_id;
    }
    return null;
  }

  // Returns the user's Role_id, or 0 when the user is unknown.
  function getUserRoleByUserName($username) {
    $role = 0;
    $results = $this->db->query("SELECT Role_id FROM Users WHERE userLDAP = ?", array($username));
    if ($results->num_rows() > 0) {
      $temp = $results->row(0);
      $role = $temp->Role_id;
    }
    return $role;
  }

  // Returns the Function_id for a function name, or null when it has not been registered.
  function getFunctionIdByName($functionName) {
    $result = $this->db->query("SELECT Function_id FROM Functions WHERE FunctionName = ?", array($functionName));
    if ($result->num_rows() > 0) {
      $temp = $result->row(0);
      return $temp->Function_id;
    }
    return null;
  }

  // Returns the isAllowed flag (0 or 1) for the role/function pair, or null when
  // no row exists; the caller treats anything but a true value as "denied".
  function getPermissionsByFunctionAndRole($functionID, $roleID) {
    $result = $this->db->query("SELECT isAllowed FROM FunctionsToRoles WHERE Role_id = ? AND Function_id = ?", array($roleID, $functionID));
    if ($result->num_rows() > 0) {
      $temp = $result->row(0);
      return $temp->isAllowed;
    }
    return null;
  }

}
?>

Roles library:
Code:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

/*
    Originally coded by Charlie Dumont for Detroit Public Schools - Summer 2007
    Modified and completed for Detroit Public Schools by Matt Moldvan - Fall 2007
*/

class Roles {

  var $CI;
  var $params;
  var $rolesModel;

  // $params['RolesType'] selects the roles model to load (e.g. 'LocalRoles'),
  // $params['AppName'] selects the header/footer views used on the error page.
  function Roles($params) {
    $this->params = $params;
    $this->CI =& get_instance();
    $roleLoc = $this->params['RolesType'] . "_model";
    $this->CI->load->model($roleLoc, '', TRUE);
    $this->rolesModel =& $this->CI->$roleLoc;
  }

  function getUserRole($username) {
    return $this->rolesModel->getUserRoleByUserName($username);
  }

  // Returns 1 when $role is explicitly allowed to run $action; otherwise renders
  // the error view and exits, so the calling controller never continues unauthorised.
  function checkRoleAgainstAction($action, $role) {
    $functionID = $this->rolesModel->getFunctionIdByName($action);
    // An action that is not registered in Functions is a configuration error, not a grant.
    if ($functionID === null || $functionID === '') {
      $this->_showImproperlyConfiguredRole($action);
    }
    // Check the function id against the role for isAllowed.
    $isAllowed = $this->rolesModel->getPermissionsByFunctionAndRole($functionID, $role);
    if ($isAllowed) { return 1; }
    $this->_showInsufficientRights();
  }

  function _showInsufficientRights() {
    $this->_exitWithError("Insufficient Rights");
  }

  function _showImproperlyConfiguredRole($action) {
    $this->_exitWithError("$action is not properly configured in the permissions system");
  }

  // Renders improperPermissions.php with the application's header and footer, then stops the request.
  function _exitWithError($errorString) {
    $data['error'] = $errorString;
    $data['header'] = $this->CI->load->view($this->params['AppName'] . '_header', '', true);
    $data['footer'] = $this->CI->load->view($this->params['AppName'] . '_footer', '', true);
    $this->CI->load->vars($data);
    $this->CI->load->view("improperPermissions.php");
    $string = $this->CI->output->get_output();
    $this->CI->output->set_output($string);
    exit($string);
  }

}

?>

So basically, each function being called (CI function) is checked by debug_backtrace(), then the return value from that is checked against a database table that has a list of all user roles and the privileges they have.

There should be 3 tables: Roles (role_id, role_name), Functions (function_id, function_name), and RolesToFunctions (role_id,function_id,isAllowed[enum 0 or 1]). In the table you're using to track your users, you would insert their role_id, then make the corresponding entries in the related tables.

Hope that helps, even though it is pretty complex ... let me know what you think.

If nothing else, it can at least spur some discussion and get you thinking.
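The role-to-function check described in the post, as a stand-alone added example (not the post's or the project's own code): PDO on an in-memory SQLite database, using the model's table and column names (the mapping table is called FunctionsToRoles in the model code above, RolesToFunctions in the prose), with parameter binding instead of string interpolation and a fail-closed result whenever the user, the function or the mapping row is missing. The sample rows are constructed.

```php
<?php
// Added example (not code from the post): the post's Roles/Functions/FunctionsToRoles
// check done with PDO parameter binding and a fail-closed default.
// Uses an in-memory SQLite database seeded with constructed sample rows.

function buildSchema(PDO $db) {
    $db->exec("CREATE TABLE Roles (Role_id INTEGER PRIMARY KEY, RoleName TEXT NOT NULL)");
    $db->exec("CREATE TABLE Functions (Function_id INTEGER PRIMARY KEY, FunctionName TEXT NOT NULL UNIQUE)");
    $db->exec("CREATE TABLE FunctionsToRoles (Role_id INTEGER NOT NULL, Function_id INTEGER NOT NULL,"
            . " isAllowed INTEGER NOT NULL CHECK (isAllowed IN (0, 1)), PRIMARY KEY (Role_id, Function_id))");
    $db->exec("CREATE TABLE Users (User_id INTEGER PRIMARY KEY, userLDAP TEXT NOT NULL UNIQUE, Role_id INTEGER NOT NULL)");
    // Constructed sample data: role 1 = admin, role 2 = viewer; o'brien is a viewer whose
    // name contains a quote that would break an interpolated query.
    $db->exec("INSERT INTO Roles VALUES (1, 'admin'), (2, 'viewer')");
    $db->exec("INSERT INTO Functions VALUES (1, 'deleteUser'), (2, 'listUsers')");
    $db->exec("INSERT INTO FunctionsToRoles VALUES (1, 1, 1), (1, 2, 1), (2, 2, 1), (2, 1, 0)");
    $db->exec("INSERT INTO Users VALUES (10, 'alice', 1), (11, 'o''brien', 2)");
}

// True only when an explicit isAllowed = 1 row exists for the user's role and the named
// function. Unknown user, unregistered function or a missing mapping row all return false.
function isAllowed(PDO $db, $username, $functionName) {
    $stmt = $db->prepare(
        "SELECT ftr.isAllowed
           FROM Users u
           JOIN FunctionsToRoles ftr ON ftr.Role_id = u.Role_id
           JOIN Functions f ON f.Function_id = ftr.Function_id
          WHERE u.userLDAP = :user AND f.FunctionName = :func
          LIMIT 1");
    $stmt->execute(array(':user' => $username, ':func' => $functionName));
    $flag = $stmt->fetchColumn();
    return $flag !== false && (int) $flag === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
buildSchema($db);
var_dump(isAllowed($db, 'alice', 'deleteUser'));      // admin has an explicit allow row
var_dump(isAllowed($db, "o'brien", 'deleteUser'));    // viewer has an explicit deny row
var_dump(isAllowed($db, "o'brien", 'listUsers'));     // quote in the name is bound, not interpolated
var_dump(isAllowed($db, 'alice', 'notRegistered'));   // unregistered function fails closed
var_dump(isAllowed($db, 'mallory', 'listUsers'));     // unknown user fails closed
```

Because the function returns a plain boolean, a controller can deny on anything but `true` rather than distinguishing "no row" from "isAllowed = 0", which is the behaviour the library's checkRoleAgainstAction relies on.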

