[eluser]Colin Williams[/eluser]
I think you're on a good path here. For the sake of improving your internal API, consider writing "authenticate" and "authorize" (or "access" for short) as your model functions. So, in your login controller, your basic prototype is:
Code:
if ( ! $this->user_model->access())
{
// Form validation, etc...
if ( ! $this->user->authenticate(xss_clean($_POST)))
{
// Wrong username/pass
}
}
Checking the session data directly in order to determine access is just as bad, in my opinion, as running queries from the controller. Let the model handle that stuff for you.
Your access() method can be as simple as:
Code:
function access()
{
return $this->session->userdata('logged_in');
}
Actually, I would use constants instead of strings.
Code:
function access()
{
return $this->session->userdata(USER_AUTHENTIC_COOKIE) == USER_AUTHENTIC_FLAG;
}
Later on, your access method can/will be adapted to check for permissions, etc. I also have mine issue a redirect (on the controller's behalf) if the access check fails.
Code:
// Can user add blog post?
$this->user_model->access('create content', config_item('access_denied_uri'));
Again, you're going down the right path, just a few suggestions.
