User permissions, a better way?
#1

[eluser]nZac[/eluser]
You know why I love forums, especially with really active members? Because you can get answers for SO many of the questions that you have that are minute but mean SOOOO much to the enhancement of an application!

So here is what I am doing. I have three basic types of users: unregistered, registered and admins. The admins are broken down into 3 categories: Staff, Teaching and Events, then they all have their sub parts. I am trying to think of a way to pull all of the respective links for the sidebar on my page. So let's say you have teaching status, but you are only a mentor; you get X, Y and Z sidebar links. However, if you are the coordinator of all of the training staff, you have X, Y and Z links, but also A, B and C.

This is what I have thought about so far. Pull the links from a database. Use integers for access levels (i.e. a mentor has a value of 1 and the training coordinator has a level of 10). Match a foreign key in the users table with some field in the sidebar table, and this is where I start to lose it. Sometimes a mentor needs to have access to some fields that other mentors don't need.

SO MY QUESTION IS: How do you all handle user permissions? Am I doing this right, or should I be thinking differently?
#2

[eluser]Thorpe Obazee[/eluser]
It looks like you need an ACL. You could look through this
#3

[eluser]nZac[/eluser]
Reading through it, I think I understand what it does, but the poster never gives an explanation of how it is used. Does it go into the view? I could not find a wiki on it.
#4

[eluser]Thorpe Obazee[/eluser]
You'd have to check the check_uri() method. I don't think it's on the wiki either.
#5

[eluser]nZac[/eluser]
Thanks for all your help thus far, but I am still rather confused on how this works. Let me start by re-asking my question.

If I want to load a sidebar in a view that is dynamically generated based on user permissions, what is the best way to do that?

The sidebar will have nothing but links in it.
#6

[eluser]Colin Williams[/eluser]
My database tables related to users look like

Code:
user
role
user_role
role_permission
user_permission

Users have "roles" (admin, authenticated, anonymous, etc.). Roles are assigned "permissions", which are simply strings, like "create content" or "update content" or "access administration." Users, individually, can also be given permissions.

Then, I have a user_access() function (it calls the User_model method of the same name) which accepts the string to check for and returns TRUE or FALSE depending on the result of the query for the currently logged-in user. So, user_access() becomes the gateway for authorization. Example code:

Code:
function create_post()
{
  // Gateway check: user_access() answers TRUE/FALSE for the logged-in user.
  // An unauthorized user is sent to the login page, with the current URI
  // appended so the login page can send them back here afterwards.
  if ( ! user_access('create post'))
  {
    redirect('user/login' . $this->uri->uri_string());
  }
  
  // Proceed with code
}
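As an added example (not code from this thread, nor from Colin's application): a Python/SQLite sketch of the five tables listed above, with a user_access() gateway that answers TRUE/FALSE for a user and a permission string, and a sidebar built by keeping only the links whose required permission the user holds, which is what nZac asked for in posts #1 and #5. Python and SQLite stand in for PHP/CodeIgniter and the User_model so it runs stand-alone; the table names follow the post, but every column name, user, role, permission and sidebar link below is constructed for the example.

```python
import sqlite3

# Schema for the five tables named in the post. Permissions are plain strings,
# attached either to a role (role_permission) or to one user (user_permission).
# Column names are assumptions for this example.
SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE user_role (
    user_id INTEGER NOT NULL REFERENCES user(id),
    role_id INTEGER NOT NULL REFERENCES role(id),
    PRIMARY KEY (user_id, role_id));
CREATE TABLE role_permission (
    role_id    INTEGER NOT NULL REFERENCES role(id),
    permission TEXT    NOT NULL,
    PRIMARY KEY (role_id, permission));
CREATE TABLE user_permission (
    user_id    INTEGER NOT NULL REFERENCES user(id),
    permission TEXT    NOT NULL,
    PRIMARY KEY (user_id, permission));
"""

# Sidebar links tagged with the permission needed to see each one (constructed).
SIDEBAR_LINKS = [
    ("My profile",        "user/profile",      "view profile"),
    ("My mentees",        "mentor/mentees",    "view mentees"),
    ("Session notes",     "mentor/notes",      "post session notes"),
    ("Assign mentors",    "training/assign",   "assign mentors"),
    ("Training schedule", "training/schedule", "edit training schedule"),
]


def build_db():
    """In-memory database with constructed sample data mirroring the OP's case:
    two mentors and one training coordinator, plus one per-user exception."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.executemany("INSERT INTO role VALUES (?, ?)",
                     [(1, "authenticated"), (2, "mentor"), (3, "training coordinator")])
    # carol is a coordinator and also a mentor; alice and bob are mentors only.
    conn.executemany("INSERT INTO user_role VALUES (?, ?)",
                     [(1, 1), (1, 2), (2, 1), (2, 2), (3, 1), (3, 2), (3, 3)])
    conn.executemany("INSERT INTO role_permission VALUES (?, ?)", [
        (1, "view profile"),
        (2, "view mentees"), (2, "post session notes"),
        (3, "assign mentors"), (3, "edit training schedule"),
    ])
    # The "some mentors need more than other mentors" case: a direct grant to bob
    # alone, without inventing a new role or bumping an integer level.
    conn.execute("INSERT INTO user_permission VALUES (?, ?)",
                 (2, "edit training schedule"))
    conn.commit()
    return conn


def permissions_for(conn, user_id):
    """Every permission the user holds, via any role or granted directly.
    An unregistered visitor (user_id None) matches no rows: deny by default."""
    rows = conn.execute("""
        SELECT rp.permission
          FROM role_permission rp
          JOIN user_role ur ON ur.role_id = rp.role_id
         WHERE ur.user_id = ?
        UNION
        SELECT up.permission
          FROM user_permission up
         WHERE up.user_id = ?
    """, (user_id, user_id)).fetchall()
    return {r[0] for r in rows}


def user_access(conn, user_id, permission):
    """The TRUE/FALSE gateway from the post: does this user hold the permission?"""
    return permission in permissions_for(conn, user_id)


def sidebar_for(conn, user_id):
    """(label, url) pairs for the links this user is allowed to see."""
    held = permissions_for(conn, user_id)
    return [(label, url) for label, url, perm in SIDEBAR_LINKS if perm in held]


if __name__ == "__main__":
    db = build_db()
    for uid, name in [(None, "guest"), (1, "alice"), (2, "bob"), (3, "carol")]:
        print(name, "->", [label for label, _ in sidebar_for(db, uid)])
```

Two things worth noticing. The sidebar only hides links; the controller method must still call user_access() itself, as in Colin's create_post(), because anyone can type a URL that was not in their sidebar. And the query deliberately returns nothing for a visitor with no user id, so the default is deny rather than a level-0 that happens to compare as "allowed".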
#7

[eluser]macron[/eluser]
Coming from Zend Framework, the answer to your question is Zend_ACL. Being new to CI I don't (yet) have a wrapper for this, but since all Zend classes are loosely coupled it can't be that hard(!)
Anyway, a lot of explanations are out there on the subject of Zend_ACL, so google it up.

/Kaj
#8

[eluser]jedd[/eluser]
[quote author="nZac" date="1245909231"]I have three basic types of users: unregistered, registered and admins. The admins are broken down into 3 categories: Staff, Teaching and Events, then they all have their sub parts.[/quote]

{[url="http://ellislab.com/forums/viewthread/113117/P60/#577544"]sigh[/url]}

All existing comments aside, I think your life will be easier once you admit to yourself that you actually have 5 categories.

Quote:Use integers for access levels (i.e. a mentor has a value of 1 and the training coordinator has a level of 10)

Brings a tear to my eye, that does.


Colin's approach is beautiful, not just because the practicality of it is that you have a single function up front that can very quickly assess what the current user can do, but because it hides all that backend complexity. It means that when you one day replace your auth system with something better (Zend, mx_auth, dx_auth, or the as yet unwritten nz_auth) it won't be quite so painful.

Oh, and when I had a two-size sidebar (user/guest and admin) to provide, I wimped out and just had the content in two arrays (user and admin). If the user was an admin, that array got merged in before returning. This was done in MY_Controller. If I ever get more complex with sidebar presentation (3 types, one with 3 sub-types, and those with various sub-parts, to pick an example at random), that's when it gets pushed into a DB-driven ACL system.



