Writing Admin/User/Public controllers to insure authentication

Hi Everyone,

Been a while since I logged into the now moved codeigniter forums, hope the new owners take care of our codeigniter

I have several sites using codeigniter 2.2.0 all upgraded gradually from 1.x.x something, I think it was and I noticed the ops question about separating out say an admin section and a public section, in my case, I had this same problem, and after trawling through various forums, stack overflow and watching numerous videos, I came up with a sort of combination of everything which I crystallised(yes I know, it's not a typo, I am from the UK) down to a few basic concepts, I use a MY_Controller which I have located in my /application/core/ directory where I set a few basic parameters and then use a Frontend_Controller and a Backend_Controller both located in my /application/libraries/ directory, the Frontend_Controller is used for anything public facing, and the Backend_Controller is used for anything that requires some kind of authentication e.g. Admin, Members, etc, and this is where I handle logging in and authentication using Ion_Auth or something similar, both the Frontend and Backend Controller extends MY_Controller, which in turn extends CI_Controller, I find that this approach nicely segregates out delicate information from public information, so, from here any other controllers for my sites either extends from Frontend_Controller for say public site pages, or Backend_Controller for admin, registration, members, utility type pages.

Oh, and to avoid all those pesky include or require statements, I use a pre-loader of sorts to load the MY_xxx, Frontend and Backend Controllers into my application which I have appended to my /application/config/config.php file.

-------------------------------------------------------------------------------------------------------------------------------------------
As an aside I recently updated my PHP version to 5.6.3 which has thrown up an unusual PHP notice problem related to /system/core/Common.php on line 257 it produces the error message:-

A PHP Error was encountered

Severity: Notice

Message: Only variable references should be returned by reference

Filename: core/Common.php

Line Number: 257

It took me a while to find a solution for this and thanks to a post on the old archived codeigniter forums back at ellis labs
I was able to solve the problem by changing line 257 from:-

PHP Code:

return $_config[0] =& $config; 


to:-

PHP Code:

$_config[0] =& $config;
return $_config[0]; 


I hope that this may help anyone else that has come across the same problem, I personally hate to hack the codeigniter system code but was not able to override it in the normal way using a similar named file in my /application/core/ directory any ideas about that would be greatly appreciated.
-------------------------------------------------------------------------------------------------------------------------------------------
Mods if you feel that this part of my post should be moved to its own thread as it does not directly relate to the ops question please feel free to do so

Edit... It seems that this particular PHP Notice issue has been fixed in CodeIgniter 2.2.1

edjon2000.

Going back to the original question...

Recap:

sneakyimp wrote: "Also, I'm wondering if using hooks as described in the article is in fact the recommended way to go."

Avenir wrote: "Well... If you are talking about best practices, the best practice would be to have only a MY_Controller"

My opinion. Avenir is totally right.

Why? Simple: There is no need to use hooks. With hooks you can 'tap into' the inner workings of the framework. Why would you?
You would if you need something to be done before you call your own controller logic (My_Controller). Well you simply don't need to do that!
The controller is responsible for loading the right model and view. If a user needs authorization to access a view, YOUR controller has to arrange that. That can be done perfectly after the base controller code was executed. Because you want it to be arranged for every view (a user is authorized or not to view it), you make it part of your own base controller (My_Controller).

Do you need multiple controllers to arrange this? No of course not. Your controller uses a class with authorization/authentication logic, and this class tells the controller the user can view the page or not. It is that simple. I really do not understand the whole discussion about hooks, multiple controllers, autoload mechanisms, Composer etcetra.

And why have a front-end controller and a back-end controller? How do they differ?
Why not ALWAYS use authorization and authentication. If u user is not specifically granted access, he does NOT have access. This is a well known security rule/ best practice.

My €0.02. Keep things simple.

Hi RWCH,

And why have a front-end controller and a back-end controller? How do they differ?
Why not ALWAYS use authorization and authentication. If u user is not specifically granted access, he does NOT have access. This is a well known security rule/ best practice.

In answer to this question, it's just the way that works for me, the sites I have been developing recently have a number of site pages (which are public) e.g. home, contact us, about, etc the usual, and have a full-blown administration back-end where changes can be made by authorised members of staff such as adding or removing services, offers, news, training or editing certain public sections, in this case, I wanted to keep the public on the one hand  and the authorization, admin routines on the other completely separate.

In my frontend controller I set up variables that are common to all public pages and are therefore accessible by each pages controller, whereas, my backend controller sets up variables that are common to all admin pages and contains the authorisation logic in its constructor, I use the MY_controller for loading various libraries, helpers and variables that are common to both.

As the sites grow e.g. adding additional user groups I feel that this arrangement makes it easier to extend or add functionality on an as-needed basis.

I'm not saying this is the only way, it's just a way that works for me

edjon2000

edjon2000 Thank you very much. I had the same problem in core, common line 257