Community Auth verify_min_level logging users out?
#1

I see in the source that verify_min_level() calls authentication->check_login() which clears the session vars if the minlevel is not reached.

Is this intended behaviour? Because right now I have a use-case whereby some additional content is displayed at say minlevel 6, on a protected page where lower level users can still see the rest of the content.

but doing verify_min_level logs all lower level users out as a result
#2

(This post was last modified: 05-23-2016, 01:25 AM by skunkbad.)

Yes, use the lowest level that is allowed to access the page. If login is not required at all and you're just trying to verify if anyone is logged in, then use $this->is_logged_in(); at the top of your controller method.

After that, use your ability to access the auth variables to determine who is/not logged in and what to show them.

Docs: http://community-auth.com/documentation/...rification

Show some code too, unless I've answered your question already.

While it is implied that "login is just verified" when you use the verify_ methods, the main difference between the verify_ methods and the require_ methods is that the require_ methods will redirect you to the login page if the user doesn't meet the requirements for being on the current page, while the verify_ methods will not redirect. Most of the time, if you're using the verify_ methods, it'll be because you just want to know if somebody is logged in, and in that case you're using $this->is_logged_in(), which is an alias for $this->verify_min_level(1); In that case, you're either logged in or you're not, so nobody is ever going to get automatically logged out.

Your post brings about an interesting question though. Why does a user get logged out if they don't have a user level that is high enough to pass verification? Besides just being "the way it is", the check_login method is sort of a dual purpose method, and is checking if a user is logged in for require_ pages too. If somebody just happens to stumble upon a page they are not supposed to be on, my thinking is that we log them out. Why and how did they get there anyway, right?

So as you build your menus, and add links and sections to your website, you'll want to make sure that users only see what they are allowed to see. For instance, a customer never sees an admin's list of customer orders, so it would make sense that the customer would never see the link to that page either.

Honestly, I never use the verify_ methods except for with user level 1. I suppose there could be a use case where you just want to make sure an employee of any level was on the page, but you didn't want them to be redirected to the login form because you were perhaps going to redirect somewhere else if they were or were not logged in. That's about the only reason I can think of to use the verify_ methods without 1 as the param.

Another reason to use the verify_ methods might be that you have them in methods that are accessed only by AJAX, and if the person sending the AJAX request is not logged in you want to send them back a custom message instead of having Community Auth try to serve them up the default login form (which wouldn't work because it's an AJAX response).

The flexibility is there, I guess it just takes some time to really think about what it is that you need, and how Community Auth can best handle it. If you can describe your use case a little more, perhaps I can suggest something for you.
#3

(05-23-2016, 12:32 AM)skunkbad Wrote: Yes, use the lowest level that is allowed to access the page. If login is not required at all and you're just trying to verify if anyone is logged in, then use $this->is_logged_in(); at the top of your controller method.

After that, use your ability to access the auth variables to determine who is/not logged in and what to show them.

Docs: http://community-auth.com/documentation/...rification

Show some code too, unless I've answered your question already.

Thank you for the quick reply. To clarify, login is required for the entire page, but some sub-content will require higher privileges.
The following is a small modification of the Examples->simple_verification() method:

PHP Code:
public function simple_verification()
{
    $this->is_logged_in();

    echo $this->load->view('examples/page_header', '', TRUE);

    if( $this->verify_min_level(10) ) { // set this to any level higher than the current logged in user
        echo '<p>Showing admin level content</p>';
    } else {
        echo '<p>Hiding admin level content</p>';
    }

    echo '<p>';

    if( ! empty( $this->auth_role ) )
    {
        echo $this->auth_role . ' logged in!<br />
            User ID is ' . $this->auth_user_id . '<br />
            Auth level is ' . $this->auth_level . '<br />
            Username is ' . $this->auth_username;

        if( $http_user_cookie_contents = $this->input->cookie( config_item('http_user_cookie_name') ) )
        {
            $http_user_cookie_contents = unserialize( $http_user_cookie_contents );

            echo '<br />
                <pre>';

            print_r( $http_user_cookie_contents );

            echo '</pre>';
        }

        if( config_item('add_acl_query_to_auth_functions') && $this->acl )
        {
            echo '<br />
                <pre>';

            print_r( $this->acl );

            echo '</pre>';
        }

        /**
         * ACL usage doesn't require ACL be added to auth vars.
         * If query not performed during authentication,
         * the acl_permits function will query the DB.
         */
        if( $this->acl_permits('general.secret_action') )
        {
            echo '<p>ACL permission grants action!</p>';
        }
    }
    else
    {
        echo 'Nobody logged in.';
    }

    echo '</p>';

    echo $this->load->view('examples/page_footer', '', TRUE);
}

After logging in and visiting the page for the first time, the correct behaviour is observed ("Hiding admin level content" is shown along with the rest of the auth information).
However, visiting the page again will show that the user is no longer logged in.

Should I avoid calling verify_min_level() if I do not wish to log the user out, and instead just check ($this->auth_level >= 10) instead?

Thanks!
#4

(This post was last modified: 05-23-2016, 07:51 AM by skunkbad.)

OK, now I see the problem, and this is something others have done too. You should only be using one of the auth methods per request, and in your code you are using two. By auth methods, I mean:
  • require_min_level()
  • require_group()
  • require_role()
  • optional_login()
  • is_logged_in()
  • verify_min_level()
  • verify_role()
The reason why you should only use one method per request is that after that one method call you have all the auth variables, and so you use them instead. Doing more calls to auth methods just requires extra database queries you don't need.

For instance, in controllers if you want to know the user level (now called auth level):

Code:
if( $this->auth_level >= 10 )

In a view, you would use:

Code:
if( isset( $auth_level ) && $auth_level >= 10 )

and if you are in any place where you don't have access to those, like a model:

Code:
if( config_item('auth_level') >= 10 )
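The following is an added example, written for this thread and not taken from the Community Auth project or from either poster's code. It puts the advice from posts #2 and #4 together in one CodeIgniter controller: exactly one Community Auth method call per request, the sub-content gated by a comparison on $this->auth_level rather than a second verify_min_level() call, and an AJAX method that uses the non-redirecting verify_ path to return JSON instead of the login form. The class name Report, the method names, the level constants and the MY_Controller base class are assumptions; the view names are the ones used in the thread.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

/**
 * Added example (not from the thread or the Community Auth project).
 * Assumed: MY_Controller provides Community Auth's require_* / verify_* /
 * is_logged_in() methods and populates $this->auth_level, auth_role,
 * auth_user_id and auth_username after exactly one of them is called.
 */
class Report extends MY_Controller
{
    // Lowest level allowed to see any part of the page (assumed value).
    const PAGE_MIN_LEVEL  = 1;
    // Level needed for the extra block on the same page (thread uses 10).
    const ADMIN_MIN_LEVEL = 10;

    public function index()
    {
        // The ONE auth call for this request. require_min_level()
        // redirects anyone below PAGE_MIN_LEVEL to the login form; from
        // here on the $this->auth_* variables are set and no further
        // auth method (and no further DB query) is needed.
        $this->require_min_level(self::PAGE_MIN_LEVEL);

        echo $this->load->view('examples/page_header', '', TRUE);

        echo '<p>' . html_escape($this->auth_username) . ' logged in at level '
            . (int) $this->auth_level . '</p>';

        // Gate the sub-content with a plain comparison on the auth variable.
        // A second verify_min_level(10) here would run check_login() again
        // and log out every user below level 10, which is the bug in post #3.
        if ((int) $this->auth_level >= self::ADMIN_MIN_LEVEL)
        {
            echo '<p>Showing admin level content</p>';
        }
        else
        {
            echo '<p>Hiding admin level content</p>';
        }

        echo $this->load->view('examples/page_footer', '', TRUE);
    }

    /**
     * AJAX endpoint (assumed name). is_logged_in() is the documented alias
     * for verify_min_level(1): it does not redirect, so a caller who is not
     * logged in gets a JSON 401 rather than the HTML login form.
     */
    public function ajax_status()
    {
        // Again a single auth call for the whole request.
        $logged_in = $this->is_logged_in();

        $this->output->set_content_type('application/json');

        if ( ! $logged_in)
        {
            $this->output->set_status_header(401);
            echo json_encode(array('error' => 'login required'));
            return;
        }

        // Branch on the auth variables already populated above.
        echo json_encode(array(
            'user_id'    => (int) $this->auth_user_id,
            'auth_level' => (int) $this->auth_level,
            'is_admin'   => (int) $this->auth_level >= self::ADMIN_MIN_LEVEL,
        ));
    }
}
```

The controller-side check mirrors the three snippets in post #4: the same comparison on the auth level would use $auth_level in a view and config_item('auth_level') in a model, so the privileged block can be hidden at any layer without triggering another login check.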
#5

Noted, and thank you for the prompt replies, cheers!
#6

(05-23-2016, 08:34 AM)cwchong Wrote: Noted, and thank you for the prompt replies, cheers!

Thanks for bringing the issue to my attention, because it's happened before. I made some changes to the documentation and added a blog post on the Community Auth website so this is more clear.