Limiting View Access without editing all Controllers
#1

[eluser]BrentNJ[/eluser]
Hi,

I have a list of allowable views a user has access to in a session variable.

I was thinking of checking that list against the requested view to limit access.

Is there any way to do that other than editing all the view functions in every controller?

Thanks!!
#2

[eluser]gullah[/eluser]
Well the checking could be put into a model and you could load that model and check in the constructor part of your controller. But you will have to do it in every controller, as far as I know.
#3

[eluser]dcunited08[/eluser]
Overload the Loader class (create MY_Loader) and something like the following:
Code:
// application/libraries/MY_Loader.php
class MY_Loader extends CI_Loader {

   // Keep the same signature as CI_Loader::view() so existing calls still work
   function view($viewName, $vars = array(), $return = FALSE){

      $ci =& get_instance();

      if($ci->session->isAllowedToSeeView($viewName)){
         return parent::view($viewName, $vars, $return);
      }else{
         show_error('access denied');
      }
   }
}
#4

[eluser]BrentNJ[/eluser]
Great!! I'll give it a try
#5

[eluser]Rick Jolly[/eluser]
[quote author="dcunited08" date="1228429568"]Overload the Loader class (create MY_Loader)...
[/quote]
Please don't.

In the name of transparency and consistency, put all application logic that must process on every request in the constructor of a parent controller.

How would any future programmer know why a view wasn't loading? Why sprinkle bits of application specific logic throughout CI system files?
#6

[eluser]dcunited08[/eluser]
[quote author="Rick Jolly" date="1228434688"][quote author="dcunited08" date="1228429568"]Overload the Loader class (create MY_Loader)...
[/quote]
Please don't.

In the name of transparency and consistency, put all application logic that must process on every request in the constructor of a parent controller.

How would any future programmer know why a view wasn't loading? Why sprinkle bits of application specific logic throughout CI system files?[/quote]

I thought the MY_Loader would be in the Application/libraries folder. How would the constructor know what view is being called? Honestly, the best bet would be to limit access to controllers, not to views, because by the time it is going to the views it is too late to worry about rights to data or to really handle a failure of rights well (send them to login, show a different view, etc.).
#7

[eluser]Rick Jolly[/eluser]
[quote author="dcunited08" date="1228435527"][quote author="Rick Jolly" date="1228434688"][quote author="dcunited08" date="1228429568"]Overload the Loader class (create MY_Loader)...
[/quote]
Please don't.

In the name of transparency and consistency, put all application logic that must process on every request in the constructor of a parent controller.

How would any future programmer know why a view wasn't loading? Why sprinkle bits of application specific logic throughout CI system files?[/quote]

I thought the MY_Loader would be in the Application/libraries folder. How would the constructor know what view is being called? Honestly, the best bet would be to limit access to controllers not to views because by the time it is going to the views it is too late to worry about rights to data or to really handle a failure of rights well (send them to login, show a different view, etc..)[/quote]
Yeah, MY_Loader would be in application, but it is a CI system file. Obviously, you are correct that the view would be unknown. I was thinking of controller methods, which we both think would be a better way to go.
#8

[eluser]BrentNJ[/eluser]
So if I have a

user.php controller
with functions user_view, user_add, user_edit. Each function loads its respective view:

user_view.php, user_add.php, user_edit.php

One user may have permissions to do an edit while another may not.

I put all the names of the allowable views for that user, based on that user's role, in a session variable.

Do I have to check in each function user_view, user_add, user_delete? I have about 10 controllers now. Or can I do that somehow in the User() function?
#9

[eluser]Rick Jolly[/eluser]
Do it once in the constructor of a parent controller. Get the controller method from the URI using the correct segment (second segment using rsegment, which is safe for rerouted routes as well) or get the controller method from the router class (that might not be an option anymore with CI 1.7?).

Search the forums about extending the controller. There are a couple of different ways.
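The parent-controller approach described in this thread, written out as an added example (not code from any poster): every controller extends MY_Controller, whose constructor resolves the dispatched controller/method from the rerouted URI and fails closed unless that pair is on the user's allow list. The session keys 'allowed_methods' and 'user_id' and the 'auth/login' route are assumptions for illustration.

```php
<?php
// application/libraries/MY_Controller.php (CI 1.x style constructors)
// Added example: enforce the per-user allow list once, for every request,
// before any controller method, model call or view load runs.
class MY_Controller extends Controller
{
    function MY_Controller()
    {
        parent::Controller();
        $this->load->library('session');
        $this->load->helper('url');          // for redirect()
        $this->_enforce_method_acl();
    }

    // Resolve the controller method actually being dispatched. rsegment()
    // reflects the *rerouted* URI, so custom routes are handled too.
    // A missing second segment means the default method, 'index'.
    function _requested_method()
    {
        $method = $this->uri->rsegment(2);
        return ($method === FALSE || $method === '') ? 'index' : strtolower($method);
    }

    // Deny by default: the request proceeds only if "class/method" is present
    // in the session allow list (an allow list, never a deny list). The list
    // itself is assumed to be filled from the user's role at login.
    function _enforce_method_acl()
    {
        $class     = strtolower($this->uri->rsegment(1));
        $requested = $class . '/' . $this->_requested_method();

        $allowed = $this->session->userdata('allowed_methods');
        if ( ! is_array($allowed)) {
            $allowed = array();                // no list at all => nothing allowed
        }

        if ( ! in_array($requested, $allowed, TRUE)) {
            // Handle the failure here, while it can still be handled cleanly:
            // anonymous users go to login, authenticated ones get an error page.
            if ($this->session->userdata('user_id') === FALSE) {
                redirect('auth/login');
            }
            show_error('You are not permitted to access ' . $requested);
        }
    }
}
```

Each application controller then declares `class User extends MY_Controller` and calls `parent::MY_Controller()` in its own constructor, so the check runs before user_view, user_add or user_edit is ever entered.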
#10

[eluser]dcunited08[/eluser]
How are you doing auth?