[eluser]bugboy[/eluser]
I've modified the restserver to allow me to get the id of the logged-in user so I can perform user-specific tasks and also block off tasks so a user can't edit/destroy another user's data (e.g. profile).
I'm not sure if this is the safest or the right way to do this. Below are the modified bits of the rest_controller. Is there a better, safer way of doing this?
Code:
class REST_Controller extends Controller
{
    // Set this in a controller to use a default format
    protected $rest_format = NULL;

    private $_method;
    private $_format;
    private $_get_args = array();
    private $_put_args = array();
    private $_delete_args = array();
    private $_args = array();

    /**
     * Added in for user store: id of the authenticated user, set by _check_login()
     */
    private $_user_id;
Create a function to get the id of the logged-in user:
Code:
// INPUT FUNCTION --------------------------------------------------------------
public function user_id()
{
    // NULL until _check_login() has verified a user
    return $this->_user_id;
}
User login function. Please note that I'm just running a quick test; that's why I'm getting a direct user.
Code:
// SECURITY FUNCTIONS ---------------------------------------------------------
private function _check_login($secret = '', $api_key = NULL)
{
    // $secret carries the username, $api_key the password
    if (empty($secret))
    {
        return FALSE;
    }

    $valid_logins =& $this->config->item('rest_valid_logins');

    // Using a new array format; index 0 is a quick test and will be replaced
    // with a database lookup by username
    if ($valid_logins[0]['username'] !== $secret)
    {
        return FALSE;
    }

    // If actually NULL (not empty string) then do not check it
    if ($api_key !== NULL)
    {
        // Strict comparison: a loose != lets PHP type-juggle the two values
        if ($valid_logins[0]['password'] !== $api_key)
        {
            return FALSE;
        }
    }

    // Remember which user authenticated so user_id() can return it
    $this->_user_id = $valid_logins[0]['id'];

    return TRUE;
}
Unset if not valid:
Code:
// Strict comparison so two hex digests are not type-juggled as numbers
if ($digest['response'] !== $valid_response)
{
    // Digest did not verify: make sure no user id leaks through to user_id()
    $this->_user_id = NULL;
    header('HTTP/1.0 401 Unauthorized');
    header('HTTP/1.1 401 Unauthorized');
    exit;
}
Config array amended to take more data. Please note that this is just temporary and that all of these will be stored in a database.
Code:
/*
|--------------------------------------------------------------------------
| REST Login usernames
|--------------------------------------------------------------------------
|
| Array of login records (id, username, password). The old
| array('admin' => '1234') form is kept below, commented out, for reference.
|
*/
//$config['rest_valid_logins'] = array('admin' => '1234');
$config['rest_valid_logins'] = array(
    array(
        'id'       => 1,
        'username' => 'admin',
        'password' => '1234'
    )
);
This is just a test call and would be open to the public, but it gives me an indication it works.
Code:
function check_get()
{
    // user check maybe unstable and not great
    $id = $this->user_id();
    $data = array('id' => $id);
    $this->response($data, 200); // 200 being the HTTP response code
}
Now this works, but I'm completely unsure if it's the best way to go about it.
I hope this makes sense.
Any suggestions, advice or crits welcome, as I'm completely new and willing to learn more on this subject.
Thanks in advance.
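As an added example, not code from the post or from the REST_Controller library, here is a framework-free PHP sketch of the two pieces the post is after: a login lookup that finds the user by username (instead of `$valid_logins[0]`) and an ownership check that refuses a profile edit by anyone but its owner. The `check_login` and `update_profile` functions, the `owner_id` field and the sample users and profiles are assumptions for illustration.

```php
<?php
// Added example, not bugboy's or REST_Controller's code: framework-free sketch of
// a login lookup keyed by username plus an ownership check on profile edits.
// Constructed sample logins standing in for rest_valid_logins / a future table;
// passwords are stored as password_hash() output rather than plaintext.
$valid_logins = array(
    array('id' => 1, 'username' => 'admin', 'password' => password_hash('1234', PASSWORD_DEFAULT)),
    array('id' => 2, 'username' => 'bob',   'password' => password_hash('s3cret', PASSWORD_DEFAULT)),
);

// Constructed sample profiles; owner_id is the id of the user who owns the row.
$profiles = array(
    10 => array('owner_id' => 1, 'bio' => 'site admin'),
    11 => array('owner_id' => 2, 'bio' => 'just bob'),
);
// Returns the user's id, or NULL if the username is unknown or the password fails.
// Searching by username replaces the hard-coded $valid_logins[0].
function check_login(array $valid_logins, $username, $password)
{
    foreach ($valid_logins as $login) {
        if ($login['username'] === $username) {
            // password_verify() is constant-time and avoids loose != comparison
            return password_verify($password, $login['password']) ? $login['id'] : NULL;
        }
    }
    return NULL;
}

// Authorization: only the owner may change a profile. Returns (status, body) in
// the shape a controller method like profile_put() would hand to response().
function update_profile(array &$profiles, $user_id, $profile_id, $new_bio)
{
    if ($user_id === NULL) {
        return array(401, array('error' => 'not logged in'));
    }
    if (!isset($profiles[$profile_id])) {
        return array(404, array('error' => 'no such profile'));
    }
    if ($profiles[$profile_id]['owner_id'] !== $user_id) {
        return array(403, array('error' => 'not your profile'));
    }
    $profiles[$profile_id]['bio'] = $new_bio;
    return array(200, $profiles[$profile_id]);
}

// Bob edits his own profile (11), then tries the admin's (10), which must be refused.
$bob = check_login($valid_logins, 'bob', 's3cret');
list($own_code)   = update_profile($profiles, $bob, 11, 'new bio');
list($other_code) = update_profile($profiles, $bob, 10, 'pwned');
printf("user_id=%s own=%d other=%d\n", var_export($bob, true), $own_code, $other_code);
```

Inside a real controller the `$user_id` argument would come from `$this->user_id()` and the profile row from the database; the point is that the owner comparison happens server-side on every mutating call, not just in the client.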