[eluser]jedd[/eluser]
[quote author="philpem" date="1255986003"]
That's more or less what I'm doing now -- but there's a security issue with that...
[/quote]
I think most people wear the cost here - session details are refreshed on login only. If you don't trust admin users that much, you've got a human problem, not a technology one.
If you want to have instant changes done to rights, I see two ways (there are probably others):
o Go through your session table and remove or expire the targeted account(s)' session information
o Have checks against the database, on every MY_Controller load, for anyone with admin rights.
[quote]
Also, I'm trying to eliminate needless code duplication. I don't see any point in having "if !user_is_admin() redirect('/login');" and similar spread all over the code. It just makes it that little bit more difficult to change things later.
[/quote]
Do those in the constructors only. Occasionally you have controllers that need granularity at a method level, but these tend to be the exception rather than the rule.
You can even do them in your MY_Controller only, if you really want to reduce the number of places you do it. Derek does this in Bamboo Invoice, I believe - a single check in MY_Controller.
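The second option above (a database check on every MY_Controller load) combined with a single check in the base controller, as an added example that is not from this thread, CodeIgniter, or Bamboo Invoice. It assumes CodeIgniter 1.7-style constructors, an Admin_Controller subclass for admin-only controllers, a `users` table with `id`, `is_admin` and `rights_version` columns, and login code that stores `user_id`, `is_admin` and `rights_version` in the session.

```php
<?php
// application/libraries/MY_Controller.php (assumed CodeIgniter 1.7 layout).
// One access check lives here instead of being repeated in every controller.
class MY_Controller extends Controller
{
    function MY_Controller()
    {
        parent::Controller();
        $this->load->library('session');
        $this->load->helper('url');
    }
}

// Controllers that require admin rights extend this class instead.
class Admin_Controller extends MY_Controller
{
    function Admin_Controller()
    {
        parent::MY_Controller();
        if (!$this->_admin_session_is_current()) {
            // Drop the stale session so revoked rights take effect at once.
            $this->session->sess_destroy();
            redirect('/login');
        }
    }

    // Re-validate admin rights against the database on every request,
    // rather than trusting the snapshot taken into the session at login.
    function _admin_session_is_current()
    {
        $user_id = $this->session->userdata('user_id');
        if (!$user_id || !$this->session->userdata('is_admin')) {
            return FALSE;
        }
        $this->load->database();
        $query = $this->db->select('is_admin, rights_version')
                          ->where('id', (int) $user_id)
                          ->get('users', 1);
        if ($query->num_rows() !== 1) {
            return FALSE; // account deleted or unknown: treat as logged out
        }
        $row = $query->row();
        // Fail if the admin flag was removed, or if rights were edited since
        // login (assumed: rights_version is bumped whenever rights change).
        return (bool) $row->is_admin
            && (int) $row->rights_version === (int) $this->session->userdata('rights_version');
    }
}
```

The extra query runs only for sessions flagged as admin, so ordinary users pay nothing for it.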