User Access Levels -> need some advice on best practice
#1

[eluser]codex[/eluser]
I have never messed with user access levels before, but my next project kinda requires it. I have a basic idea how to tackle this, but I would like to know if I'm on the right track. Input is appreciated.

I'm thinking this:

- controller table in DB with 3 fields:
--> controller name,
--> controller function,
--> access_level

For each level there's an entry:
1) blog, edit_post, admin
2) blog, edit_post, moderator
etc

In the controller function a check is done. The access_levels are retrieved from the controller table and put into an array. The user_access_level (retrieved from user table and stored in a session) is then checked against the array (in_array). If in array -> allow, if not in array -> redirect to login.

Is this a good method?
#2

[eluser]Rick Jolly[/eluser]
Yes, very fine-grained control using a whitelist. Here are a few things that I'd consider though:

1. Put the access check in the constructor, or better yet, put the check in a parent controller. Use the Router class to get the class and method names and compare with the database for the logged in user's role.

2. Consider the Zend ACL or Neophyte's KhaosACL, which makes use of inheritance, which can save you having to map every method to a role. For example, Zend ACL allows role and resource inheritance. With role inheritance, an admin could extend a moderator and inherit all their permissions. Then you'd have to add fewer entries for the admin. Also, if a role has access to all controller methods but a couple, with Zend ACL you can grant permission to the entire controller, then selectively deny a couple of methods.

3. Maybe if any role is allowed complete access to a controller, you could leave the method empty instead of typing in all methods of the controller for that role.
#3

[eluser]codex[/eluser]
Rick, thanks for your reply.
[quote author="Rick Jolly" date="1208331793"]Yes, very fine-grained control using a whitelist. Here are a few things that I'd consider though:

1. Put the access check in the constructor, or better yet, put the check in a parent controller. Use the Router class to get the class and method names and compare with the database for the logged in user's role.
[/quote]
Hmm, could you elaborate on this a bit? I'm not sure on how to get the class and method with the Router class (but I'm gonna dive into it as soon as I finish this post!).

EDIT: I think you're referring to
Code:
$this->uri->router->class;
$this->uri->router->method;
But this doesn't seem to work (anymore)?

EDIT2:
Code:
$RTR =& load_class('Router');
$RTR->class
will do the trick.

Quote:2. Consider the Zend ACL or Neophyte's KhaosACL, which makes use of inheritance, which can save you having to map every method to a role. For example, Zend ACL allows role and resource inheritance. With role inheritance, an admin could extend a moderator and inherit all their permissions. Then you'd have to add fewer entries for the admin. Also, if a role has access to all controller methods but a couple, with Zend ACL you can grant permission to the entire controller, then selectively deny a couple of methods.
I looked at KhaosACL, but to be honest I have a hard time getting my head around its working and implementation. When I use something I like to understand how it all works. And maybe it's also a bit too much for my needs.
Quote:3. Maybe if any role is allowed complete access to a controller, you could leave the method empty instead of typing in all methods of the controller for that role.
Yeah, that's what I figured too while making a test environment :-)
#4

[eluser]Rick Jolly[/eluser]
Yeah, things have changed a bit. Thanks to imparo and looking at the Router class, I found you can do this now:
Code:
$route =& load_class('Router');
echo('class: ' . $route->fetch_class());
echo('method: ' . $route->fetch_method());

The KhaosACL is based on phpGACL, which uses some strange terminology IMO. The Zend ACL was easier for me to grasp. Instead of phpGACL's AROs, ACOs, and AXOs, Zend uses roles, resources, and permissions. Resources are things (think classes) and permissions are actions (think methods), but I prefer to simplify things by just using roles and resources (treating classes and methods as resources - edit: for example, a resource could be "some_controller" or "some_controller/some_method"). It's just semantics. Really, if you take inheritance out of the Zend ACL it does exactly what you are doing.
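The whitelist check the thread converges on (a controller/method/role table, the check done once in a parent controller against the Router's fetch_class() and fetch_method(), an empty method meaning the whole controller, and role inheritance as in Zend ACL), as an added example in plain PHP. This is not code from the thread, from CodeIgniter or from Zend/KhaosACL; the WhitelistAcl class, its method names and the sample rows are assumptions, and the table is constructed inline here instead of being read from the controller table in the DB. It runs from the command line with php 5 or later.

```php
<?php
// Added example (not from the thread): default-deny whitelist ACL that mirrors
// the (controller, function, access_level) table discussed above.

class WhitelistAcl
{
    private $parents = array(); // role => parent role (role inheritance)
    private $rules = array();   // list of array(controller, method or '', role)

    // Register a role; $parent lets e.g. admin inherit everything a moderator has.
    public function addRole($role, $parent = null)
    {
        $this->parents[$role] = $parent;
    }

    // One row of the controller table. An empty $method grants every method of
    // the controller (Rick's point 3), so the whole controller is one row.
    public function allow($controller, $method, $role)
    {
        $this->rules[] = array(strtolower($controller), strtolower($method), $role);
    }

    // Default deny: access is granted only by an explicit row for the role or
    // for one of its ancestors. Unknown roles, unknown controllers and methods
    // nobody whitelisted all fall through to false.
    public function isAllowed($controller, $method, $role)
    {
        $controller = strtolower($controller); // CI class/method names are case-insensitive
        $method = strtolower($method);
        $seen = array();
        while ($role !== null && !isset($seen[$role])) {
            $seen[$role] = true; // guard against a cycle in the parent map
            foreach ($this->rules as $r) {
                if ($r[2] === $role && $r[0] === $controller
                    && ($r[1] === '' || $r[1] === $method)) {
                    return true;
                }
            }
            $role = isset($this->parents[$role]) ? $this->parents[$role] : null;
        }
        return false;
    }
}

// Constructed sample rows standing in for the controller table in the DB.
$acl = new WhitelistAcl();
$acl->addRole('guest');
$acl->addRole('moderator', 'guest');   // moderator inherits guest
$acl->addRole('admin', 'moderator');   // admin inherits moderator (and guest)

$acl->allow('blog', 'index', 'guest');
$acl->allow('blog', 'view', 'guest');
$acl->allow('blog', 'edit_post', 'moderator');
$acl->allow('blog', '', 'admin');      // empty method: all of blog
$acl->allow('users', '', 'admin');

// In a CodeIgniter parent controller's constructor the arguments would come
// from the Router and the session (hypothetical hook, not run here):
//   $RTR =& load_class('Router');
//   if (!$acl->isAllowed($RTR->fetch_class(), $RTR->fetch_method(),
//                        $this->session->userdata('access_level'))) {
//       redirect('login');
//   }

$checks = array(
    array('blog', 'index', 'guest'),            // allow: explicit row
    array('blog', 'edit_post', 'guest'),        // DENY
    array('blog', 'edit_post', 'moderator'),    // allow
    array('blog', 'view', 'moderator'),         // allow: inherited from guest
    array('blog', 'delete_post', 'moderator'),  // DENY: never whitelisted
    array('blog', 'delete_post', 'admin'),      // allow: whole-controller row
    array('users', 'ban', 'moderator'),         // DENY
    array('users', 'ban', 'admin'),             // allow
    array('users', 'ban', 'nosuchrole'),        // DENY: unknown role
);
foreach ($checks as $c) {
    printf("%-6s %-12s %-10s %s\n", $c[0], $c[1], $c[2],
        $acl->isAllowed($c[0], $c[1], $c[2]) ? 'allow' : 'DENY');
}
```

Two points worth keeping in mind when wiring this into the parent controller: the check belongs in the constructor of a controller that every protected controller extends, so that a new method added later is denied until someone adds a row for it rather than being open by accident; and because the role is copied from the user table into the session at login, a user whose level is lowered keeps the old level until the session is rebuilt, so either re-read the role from the DB on sensitive actions or destroy the session when an admin changes it.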
#5

[eluser]codex[/eluser]
[quote author="Rick Jolly" date="1208341536"]Yeah, things have changed a bit. Thanks to imparo and looking at the Router class, I found you can do this now:
Code:
$route =& load_class('Router');
echo('class: ' . $route->fetch_class());
echo('method: ' . $route->fetch_method());

The KhaosACL is based on phpGACL which uses some strange terminology IMO. The Zend ACL was easier for me to grasp. Instead of phpGACL's AROs, ACOs, and AXOs, Zend uses roles, resources, and permissions. Resources are things (think classes) and permissions are actions (think methods), but I prefer to simplify things by just using roles and resources (treating classes and methods as resources). It's just semantics. Really, if you take inheritance out of the Zend ACL it does exactly what you are doing.[/quote]

Except, Zend is PHP5 only. I'm still on 4.4 :-(