MY_ prefixed classes -- reason for the prefix?
#1

[eluser]philpem[/eluser]
This is more a "why do you have to do that?" type question than an actual problem...

I've got an application that extends the Controller class as MY_Controller to provide authentication functionality for the various functions. Basically, if a class extends MY_Controller, then you can't access it unless you have logged in, your session is valid (i.e. not timed out), and so forth.

I'm planning to make some changes to this:
- Rename MY_Controller to MY_SecureController
- Create a new class called MY_AdminSecureController (which extends MY_SecureController) that does the same checks, but also checks that the user is an administrator.

This got me thinking -- the CodeIgniter docs explain that you have to use the MY_ prefix (or whatever subclass_prefix is set to), but don't go into any further detail. Just out of curiosity, why is this necessary?

I've had a quick look at the CI source code (Common.php and Loader.php), but didn't find anything that really answered my question...

Thanks,
Phil.
#2

[eluser]imn.codeartist[/eluser]
In the System/Application/Config.php

you can find the information about that.

Code:
/*
|--------------------------------------------------------------------------
| Class Extension Prefix
|--------------------------------------------------------------------------
|
| This item allows you to set the filename/classname prefix when extending
| native libraries.  For more information please see the user guide:
|
| http://ellislab.com/codeigniter/user-guide/general/core_classes.html
| http://ellislab.com/codeigniter/user-guide/general/creating_libraries.html
|
*/
$config['subclass_prefix'] = 'MY_';
#3

[eluser]philpem[/eluser]
[quote author="dixcoder" date="1255959884"]In the System/Application/Config.php

you can find the information about that.

Code:
/*
|--------------------------------------------------------------------------
| Class Extension Prefix
|--------------------------------------------------------------------------
|
| This item allows you to set the filename/classname prefix when extending
| native libraries.  For more information please see the user guide:
|
| http://ellislab.com/codeigniter/user-guide/general/core_classes.html
| http://ellislab.com/codeigniter/user-guide/general/creating_libraries.html
|
*/
$config['subclass_prefix'] = 'MY_';
[/quote]

That explains that you have to prefix the classnames, but not *why* they have to be prefixed...
#4

[eluser]jedd[/eluser]
[quote author="philpem" date="1255957573"]
I've got an application that extends the Controller class as MY_Controller to provide authentication functionality for the various functions. Basically, if a class extends MY_Controller, then you can't access it unless you have logged in, your session is valid (i.e. not timed out), and so forth.
[/quote]

You might have an easier time of it if you just change your code (in MY_Controller) to distinguish between admin and logged in and not-logged in users. Session data is a good way of accomplishing this.

That way you just need a single extended controller class.


Quote: This got me thinking -- the CodeIgniter docs explain that you have to use the MY_ prefix (or whatever subclass_prefix is set to), but don't go into any further detail. Just out of curiosity, why is this necessary?

I presume it's so CI can locate / identify the file fast - without needing to do directory scans, let alone reading class names within each file in there.

Plus, nomenclatures are generally good things in and of themselves.
#5

[eluser]philpem[/eluser]
[quote author="jedd" date="1255964378"]You might have an easier time of it if you just change your code (in MY_Controller) to distinguish between admin and logged in and not-logged in users. Session data is a good way of accomplishing this.

That way you just need a single extended controller class.
[/quote]

That's more or less what I'm doing now -- but there's a security issue with that...

1. Create two admin accounts, A1 and A2. Log in as A1 on one PC, A2 on another.
2. On the A1 account, remove A2's admin privileges
3. Note that as the user privileges are cached in session data, A2 still has admin privileges until they log out

Also, I'm trying to eliminate needless code duplication. I don't see any point in having "if !user_is_admin() redirect('/login');" and similar spread all over the code. It just makes it that little bit more difficult to change things later.
#6

[eluser]jedd[/eluser]
[quote author="philpem" date="1255986003"]
That's more or less what I'm doing now -- but there's a security issue with that...
[/quote]

I think most people wear the cost here - session details are refreshed on login only. If you don't trust admin users that much, you've got a human problem, not a technology one.

If you want to have instant changes done to rights, I see two ways (there are probably others):
- Go through your session table and remove or expire the targeted account(s)'s session information
- Have checks against the database, on every MY_Controller load, for anyone with admin rights.

Quote: Also, I'm trying to eliminate needless code duplication. I don't see any point in having "if !user_is_admin() redirect('/login');" and similar spread all over the code. It just makes it that little bit more difficult to change things later.

Do those in the constructors only. Occasionally you have controllers that need granularity at a method level, but these tend to be the exception rather than the rule.

You can even do them in your MY_Controller only, if you really want to reduce the number of places you do it. Derek does this in Bamboo Invoice, I believe - a single check in MY_Controller.
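
The stale-privilege scenario from post #5 and the two remedies listed in post #6, as an added example that is not part of the original thread and is not CodeIgniter code. It is plain PHP in which in-memory arrays stand in for the users table and the session store; all function names are hypothetical.

```php
<?php
// Constructed stand-ins for the users table and the session store.
$users = ['A1' => ['is_admin' => true], 'A2' => ['is_admin' => true]];
$sessions = []; // session id => ['user' => name, 'is_admin' => flag cached at login]

function login(array &$sessions, array $users, string $user): string {
    $sid = bin2hex(random_bytes(8));
    // The privilege flag is copied into the session once, at login (post #5).
    $sessions[$sid] = ['user' => $user, 'is_admin' => $users[$user]['is_admin']];
    return $sid;
}

// Check that trusts the flag cached in the session.
function is_admin_cached(array $sessions, string $sid): bool {
    return isset($sessions[$sid]) && $sessions[$sid]['is_admin'];
}

// Check that re-reads the authoritative user record on every request.
function is_admin_live(array $sessions, array $users, string $sid): bool {
    if (!isset($sessions[$sid])) return false;
    $user = $sessions[$sid]['user'];
    return isset($users[$user]) && $users[$user]['is_admin'];
}

// Demote an account; with $purge set, also drop every session it holds.
function revoke_admin(array &$users, array &$sessions, string $user, bool $purge): void {
    $users[$user]['is_admin'] = false;
    if ($purge) {
        foreach ($sessions as $sid => $s) {
            if ($s['user'] === $user) unset($sessions[$sid]);
        }
    }
}

$a1 = login($sessions, $users, 'A1');
$a2 = login($sessions, $users, 'A2');
revoke_admin($users, $sessions, 'A2', false);     // A1 demotes A2, sessions untouched
var_dump(is_admin_cached($sessions, $a2));        // cached flag, evaluated after the demotion
var_dump(is_admin_live($sessions, $users, $a2));  // per-request lookup, same moment
revoke_admin($users, $sessions, 'A2', true);      // demotion that also expires A2's sessions
var_dump(is_admin_cached($sessions, $a2));        // cached check once the session is gone
```

Comparing the first two results shows the window in which the cached flag and the user record disagree; either remedy closes it, at the cost of one lookup per request or one session-table sweep per privilege change.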



