User privileges good-practice?
#1

[eluser]Madtrooper[/eluser]
Hey guys!

I'm new to using Codeigniter, or any other PHP framework.

I've been using it for 2 weeks now and I love it!

As I'm still learning (and eager to do so) I have a question.

Right now I have a simple user registration/login with some basic session management so that when a user logs in, some functions check whether the username/password combination exists in the database. If so, a session will be created including data like username and access_level (admin or user):

http://pastie.org/3601311

Now, is it safe and secure to just determine whether a user is an admin or a normal user at login only, and save this in the session? So that every time a user tries to access an admin-only page, the default constructor (for instance) checks the session variable access_level?:
http://pastie.org/3601315

Or would it be better to check the database every time for this information?

I did configure codeigniter to save the sessions in the database.

I'm wondering what's considered good-practice for this kind of session management & access level verification?

Thanks in advance!
#2

[eluser]oliur[/eluser]
In one of my previous projects I used an auth library. So once the user successfully logs in I read the user-specific values from the database (including their role permission settings) and save them in a CodeIgniter config global variable.

So it looks something like this:

Code:
public function __construct(){
  parent::__construct();

  // check if user has successfully logged in.
  $this->user_data['is_logged_in'] = $this->auth->logged_in();

  # IF USER IS LOGGED IN
  if($this->user_data['is_logged_in']){
    $this->user_data['user_session'] = $this->auth->get_user_session();
    $this->user_data['user_id'] = $this->auth->get_user_id();
    $this->user_data['user_fname'] = $this->auth->get_user_name();
    $this->user_data['user_role_id'] = $this->auth->get_user_role_id();

    # HOLD ALL PERMISSION DETAILS FOR LOGGED-IN USER
    $this->user_data['user_permission'] = $this->auth->get_user_permission();

    # SET USER DETAILS TO GLOBAL CONFIG VARIABLE FOR EASY RETRIEVAL ELSEWHERE IN THE APPLICATION.
    $this->config->set_item('user_data',$this->user_data);

    // build links based on user permission
    $this->config->set_item('user_action_links',build_action_link());
  }
}

Then in your view you could do something like this

Code:
// read config values
$user_data = $this->config->item('user_data');

foreach($user_data as $data){
  // do whatever you want to do
}

You can read more about the Config class here.
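Putting Madtrooper's session-vs-database question and oliur's constructor approach together, here is an added example (not code from the thread, from CodeIgniter, or from any auth library) of a CodeIgniter 2.x base controller for admin-only pages: it keeps the cheap session check for "is someone logged in" but re-reads access_level from the database before granting admin access, so a demotion or a disabled account takes effect on the next request rather than at the next login. It assumes a users table with id, username, access_level and is_active columns and a login route at auth/login.

```php
<?php
// Assumed schema: users(id, username, access_level, is_active).
// Session holds user_id (and a cached access_level) set at login.
class Admin_Controller extends CI_Controller
{
    protected $user;

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
        $this->load->database();

        $user_id = (int) $this->session->userdata('user_id');
        if ($user_id <= 0) {
            redirect('auth/login');           // not logged in at all
        }

        // Cheap primary-key lookup: the authoritative role and status come
        // from the database, not from the value cached in the session.
        $this->user = $this->db
            ->select('id, username, access_level, is_active')
            ->where('id', $user_id)
            ->get('users')
            ->row();

        if (!$this->user || (int) $this->user->is_active !== 1) {
            $this->session->sess_destroy();   // account gone or disabled
            redirect('auth/login');
        }

        if ($this->user->access_level !== 'admin') {
            // Keep the session, refuse this page, and leave a trace for review.
            log_message('error', 'Non-admin user ' . $user_id . ' requested ' . uri_string());
            show_error('You do not have permission to view this page.', 403);
        }

        // Refresh the cached copy so pages that only read the session
        // see the current role as well.
        $this->session->set_userdata('access_level', $this->user->access_level);
    }
}
```

Admin controllers extend Admin_Controller instead of CI_Controller (the class is typically kept in application/core/MY_Controller.php so it is loaded automatically); ordinary pages can keep reading access_level from the session, since the extra query is only paid on admin requests.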
