User authentication in CI

[eluser]Maks Baum[/eluser]
Is it possible to prevent ececute of method in construct method?
I mean - in constructor i check if the user is logged in (are there login / pass in session data) and next if there arent any is it possible to prevent CI from executing method which will be executed becouse of url?
Or do I have to set some variable in constructor and then check it in every method if it is set to 'true'?

[eluser]Jamie Rumbelow[/eluser]
Yes!

You can just redirect to another function in the constructor.

[eluser]Maks Baum[/eluser]
redirect? that is? I hope not by sending headers becouse one simple notice or sth and then there will be no redirect

[eluser]Colin Williams[/eluser]
Any robust authorization system should have a single function call that checks for access. No reason you couldn't run that in the constructor. And I think a location redirect is usually the best way to go. If you're concerned about it failing because of previous php notices being output, either eliminate those notices or raise the error reporting threshold to only warnings and/or errors

[eluser]Maks Baum[/eluser]
Hm... but don't you think that using redirect is't good practice? I mean that when we "fire" controller we should let him "end". So.. the question is can I change (disable) method which will be default executed after constructor (not just add another, "turn off" this default)?

[eluser]Pascal Kriete[/eluser]
Think of any old web application that you use on a daily basis.

What happens if you try to access your email inbox without logging in? Or if you try to change your preferences?
Most of the time, you'll be redirected to a login page. It's simply more user friendly than showing an error.

Now if it's an access level problem, that's a different story. Although most solutions will still redirect somewhere and then display an error message (passed through flashdata).

As for notices, your production system shouldn't be displaying notices, warning, errors or anything else that you didn't tell it to display. And with CI you don't need to echo a lot, so that won't be a problem. If you want to be totally safe, you could add exit; after your redirects.

[eluser]Maks Baum[/eluser]
yeah... i know on production I always set error reporting to 0
But i just thought about some "application flow" that the controller should end it's execution and then there should be eventually redirect to another page, controller.
But of course theres no problem in check and redirect in near every controller constructor (just extends some controller with this logic and... )

[eluser]Colin Williams[/eluser]

but don’t you think that using redirect is’t good practice? I mean that when we “fire” controller we should let him “end”

No. The controller says, "Sorry, sir. You are not allowed to do that. Go login." That is how he "ends." Would you rather have every controller handle their own login?

[eluser]Randy Casburn[/eluser]
If you need to clean up, with PHP 5 that is what __destruct() methods are used for.

Just a thought.

Randy