how to globally validate urls/function calls using session info
#1

[eluser]hjeffg[/eluser]
I've added a new 'state' to my application that should have very limited access to only a few controller functions (pages). Is there a simple way to use the session information and screen urls (page requests) to prevent calling the functions for these new limited users? Until now, I've used an 'is_admin()' function for the few restricted parts of the application, but now there are tons more. I've tried adding a new Base controller class that all the other controllers will inherit from and intend to do the check in that base class constructor, but can't seem to get the name of the function that will be called.

Thanks for any help/pointers/advice.

Jeff
#2

[eluser]bretticus[/eluser]
"tons more"???

If is_admin() is overwhelmingly difficult to stick in each controller method you wish to block access to, why not just stick all your unprotected methods in their very own controller. Then, just call is_admin() (or an equivalent) in the constructor of all the remaining controllers?
#3

[eluser]hjeffg[/eluser]
As I said, I've done all the checks where only an admin should be allowed (only a small percentage of the methods). Now I have the choice of adding a call to is_restricted() in ALL the methods (and there are MANY), or some kind of pre-filter that only allows 2 methods (out of around 50).

The reason I don't stick all the methods into one controller is because I've nicely broken the app into many controllers, each dealing with a different aspect of the application.

What I'm trying to do is learn what's the best way to make this a general approach. It may take too long to find out so I'll go ahead and sprinkle in is_restricted() in all the methods, for now. But, I still would like to know what would be a more general way to simply allow the 2 (or 3) methods and block all the others.

Thanks
#4

[eluser]bretticus[/eluser]
[quote author="hjeffg" date="1251318647"]As I said, I've done all the checks where only an admin should be allowed (only a small percentage of the methods). Now I have the choice of adding a call to is_restricted() in ALL the methods (and there are MANY), or some kind of pre-filter that only allows 2 methods (out of around 50).

The reason I don't stick all the methods into one controller is because I've nicely broken the app into many controllers, each dealing with a different aspect of the application.

What I'm trying to do is learn what's the best way to make this a general approach. It may take too long to find out so I'll go ahead and sprinkle in is_restricted() in all the methods, for now. But, I still would like to know what would be a more general way to simply allow the 2 (or 3) methods and block all the others.

Thanks[/quote]

I suppose you could do some kind of role based authentication. For example, after the user has a session value stipulating privileges you could write a library that checks a config file against the allowed urls for that user level. That library could be called in your constructors. You might even call it in your pre-controller hook (although probably not necessary.)

You can get the current controller and method in your controller via the following:

Code:
echo "class:" . $this->router->class;
echo "method:" . $this->router->method;
#5

[eluser]hjeffg[/eluser]
Ahhh. Perhaps I wasn't clear enough, but that's what I was looking for -- how to get the class and method. I was calling it URL. Now I've learned to call it by its proper name in the CodeIgniter context.

Tnx.
#6

[eluser]jedd[/eluser]
I'm not proud of what I've done here .. but it might give some assistance (even if only to serve as a warning).

I have this code in one of my controllers' constructors, where I want to restrict access to all but two methods to anyone who isn't logged in. It's my 'user' controller, and includes things like showing public profile, editing your personal details, etc.

Code:
// Only user/login and user/logout are reachable without a session;
// every other method of this controller requires an authenticated user.
if ( ! (($this->uri->segment(2) == "login") OR ($this->uri->segment(2) == "logout")))
{
    $this->_ensure_authenticated_user("People");
}

_ensure_authenticated_user is a private function in MY_Controller that checks if I'm logged in, and if I am it silently returns, and if I'm not it redirects the user to user/login.

In general I block non-logged-in users at a constructor level for the entire controller, but this was the only time I needed visibility to some methods for non-logged-in users.

You could extrapolate this approach and put it into your MY_Controller - that way you'd have a single location, presumably a private function called from the constructor of same, where you could verify whether the user was hitting one of this small set of controller / method combos that you are concerned about.
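The approach from #4 (check the routed class and method against a per-role allowlist in the base controller) combined with the allow-only-two-methods idea from #6, as an added example that is not code from the thread. It assumes CodeIgniter 1.7 (a `Controller` parent class, `application/libraries/MY_Controller.php`), a session key named `role`, and hypothetical controller names; the list of allowed pairs is a constructed placeholder.

```php
<?php
// application/libraries/MY_Controller.php (CodeIgniter 1.7 layout, assumed).
// Every controller extends MY_Controller, so the check below runs for every
// request before the routed method is executed.
class MY_Controller extends Controller
{
    // Allowlist of controller => methods that the 'restricted' role may call.
    // Deny by default: anything not listed here is refused for that role.
    // Constructed example values; replace with your own pairs or load them
    // from a config file.
    private $restricted_allow = array(
        'user'   => array('login', 'logout'),
        'report' => array('summary'),
    );

    // Methods reachable with no session at all (login/logout only).
    private $public_allow = array(
        'user' => array('login', 'logout'),
    );

    function __construct()
    {
        parent::Controller();
        $this->load->library('session');
        $this->load->helper('url');
        $this->_enforce_access();
    }

    // Compares the routed class/method (what bretticus showed in #4) with the
    // allowlist for the caller's role and redirects on any mismatch.
    function _enforce_access()
    {
        $role   = $this->session->userdata('role');   // assumed session key
        $class  = $this->router->class;               // e.g. 'user'
        $method = $this->router->method;              // e.g. 'login'

        if ($role === 'admin') {
            return;                                   // admins see everything
        }
        $allow = ($role === 'restricted') ? $this->restricted_allow : $this->public_allow;

        // Strict comparison: 'Login' does not match 'login'.
        if (isset($allow[$class]) && in_array($method, $allow[$class], TRUE)) {
            return;
        }
        redirect('user/login');                        // redirect() exits
    }
}
```

Because the decision is keyed on `$this->router->class` and `$this->router->method` rather than on raw URI segments, it still holds when a route in `config/routes.php` rewrites the URL.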
#7

[eluser]hjeffg[/eluser]
jedd -- that's how I started, but for whatever reason I was not able to get the $this->uri->segment(N) values to come out -- they were always empty, and that's why I asked the question. I guess bretticus provided the correct approach for retrieving those values, though I haven't tried. I needed to get the code out fast and wound up sprinkling something like the following at the entry to each method:

if(is_restricted()) die("not allowed");

Now that I have some more time, I'm going to re-visit that issue and try out the method with a hook.

thnx.

-jeff