Extending My_Controller with an Auth layer.
#1

[eluser]gh0st[/eluser]
I know you can use MY_Controller to extend CI's base functionality; but when it comes to an Auth layer what is the best way to do this?

Code:
class MY_Controller extends Controller
{
...
}

I am using Tank_Auth, but I guess it could work with any Auth layer -- is there a right way to add an auth layer so that I do not need to continually add the auth stuff in every controller.

Then comes the problem of how do you make the Public side not pick up the auth layer (unless they need it).

Thanks.
#2

[eluser]Phil Sturgeon[/eluser]
I try to avoid doing this as it is not all that flexible (for me at least).

I create a Public_Controller and an Admin_Controller; then you can just do something like:

Code:
class Admin_Controller extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();

        // Deny the whole admin area to anyone without the admin role
        if (!$this->user_lib->check_role('admin'))
        {
            show_error('Shove off user');
        }

        // And other stuff...
    }
}
#3

[eluser]Joshua Logsdon[/eluser]
I second that.

@gh0st: Just a little reminder if you start out with this, a login page or other public-facing/unprotected pages that are part of your "admin" still need to extend your Public_controller to be accessed as shown by Phil.
#4

[eluser]gh0st[/eluser]
Hi there.

Thanks for your help. I've been asked by my employer to build a modular CMS and I need to create an auth layer that sits out of everything but can be applicable to modules at a whim.

I downloaded several CI modular CMSs already out there to learn what they did and I believe the answer Phil provided is the answer.

I understand that I need to ensure public/private pages use or extend the admin/public controllers.

Thanks again.
#5

[eluser]Devon Lambert[/eluser]
I am building out a modular CMS myself and I too was making use of Tank Auth, and I ALSO have used Phil's CMS as a means to understand how best to build out a modular CI CMS. That being said, I did make a change in the way I handle logins. This is because Tank_Auth generally feels like better authentication than that provided in PyroCMS, sorry Phil :-).

I created the following _generic_login method, which is then used across both my Public and Admin Controllers. I place this method in MY_Controller:

Code:
function _generic_login($user_type = NULL)
{
    if (isset($user_type)) {

        $this->data->login_by_username = ($this->config->item('login_by_username', 'tank_auth') AND
                $this->config->item('use_username', 'tank_auth'));
        $this->data->login_by_email = $this->config->item('login_by_email', 'tank_auth');

        $this->form_validation->set_rules('login', 'Login', 'trim|required|xss_clean');
        $this->form_validation->set_rules('password', 'Password', 'trim|required|xss_clean');
        $this->form_validation->set_rules('remember', 'Remember me', 'integer');

        // Get login for counting attempts to login
        if ($this->config->item('login_count_attempts', 'tank_auth') AND
                ($login = $this->input->post('login'))) {
            $login = $this->input->xss_clean($login);
        } else {
            $login = '';
        }

        // Once the attempt limit is hit, a captcha becomes a required field
        $this->data->use_recaptcha = $this->config->item('use_recaptcha', 'tank_auth');
        if ($this->acms_auth->is_max_login_attempts_exceeded($login)) {
            if ($this->data->use_recaptcha)
                $this->form_validation->set_rules('recaptcha_response_field', 'Confirmation Code', 'trim|xss_clean|required|callback__check_recaptcha');
            else
                $this->form_validation->set_rules('captcha', 'Confirmation Code', 'trim|xss_clean|required|callback__check_captcha');
        }
        $this->data->errors = array();

        if ($this->form_validation->run()) {    // validation ok
            if ($this->acms_auth->login(
                    $this->form_validation->set_value('login'),
                    $this->form_validation->set_value('password'),
                    $this->form_validation->set_value('remember'),
                    $this->data->login_by_username,
                    $this->data->login_by_email)) {    // success

                if ($user_type === 'admin') { // We have an admin, send him/her to the dashboard
                    redirect('admin'); // Need to fix this
                } else { // We have a regular site member, send him/her to the page they came from.
                    redirect($this->session->userdata('referrer'));
                }

            } else {
                $errors = $this->acms_auth->get_error_message();
                if (isset($errors['banned'])) {    // banned user
                    $this->_show_message($this->lang->line('auth_message_banned').' '.$errors['banned']);
                    return;

                } elseif (isset($errors['not_activated'])) {    // not activated user
                    redirect('/auth/send_again/');

                } else {    // fail
                    foreach ($errors as $k => $v) $this->data->errors[$k] = $this->lang->line($v);
                }
            }
        }

        // Re-check after the attempt, so the form that is rendered shows the captcha if needed
        $this->data->show_captcha = FALSE;
        if ($this->acms_auth->is_max_login_attempts_exceeded($login)) {
            $this->data->show_captcha = TRUE;
            if ($this->data->use_recaptcha) {
                $this->data->recaptcha_html = $this->_create_recaptcha();
            } else {
                $this->data->captcha_html = $this->_create_captcha();
            }
        }
    }
}

This code comes almost directly from the basic auth controller provided with the Tank Auth library. As you can see, it checks several different user scenarios before logging a user in. I like this approach as I am assuming that every user, visitor, and member of my site may try to be a little sneaky and get into the admin section of my site. Therefore, I treat a login to the admin section just as I would treat a login to the front end.

Maybe this helps you gh0st, or maybe not but it's working for me so far. :-)
#6

[eluser]gh0st[/eluser]
@Devon Lambert -- Hey thanks! That's wonderful, as I'm having to do a lot of the coding myself and there isn't much on the Wiki to help with this.

I've also copied the MY_Model that Jamie Rumbelow did, that way I have key CRUD functionality straight away.
#7

[eluser]Phil Sturgeon[/eluser]
[quote author="Joshua Logsdon" date="1265059090"]I second that.

@gh0st: Just a little reminder if you start out with this, a login page or other public-facing/unprotected pages that are part of your "admin" still need to extend your Public_controller to be accessed as shown by Phil.[/quote]

That's not entirely true. If you want an admin only login page then you can still extend the Admin_Controller and just do something like:

Code:
<?php
class Admin_Controller extends MY_Controller
{
    protected $allowed_pages = array(
        'auth/login',
        'auth/forgot_password',
        'auth/reset_password'
    );
    
    public function __construct()
    {
        parent::__construct();
        
        if( !in_array($this->controller . '/' . $this->method, $this->allowed_pages) )
        {
            if (!$this->logged_in )
            {
                redirect('admin/login');
            }
            
            // Make sure they are an admin; logged-in non-admin users should not be allowed into the admin area
            if(!$this->ion_auth->is_admin())
            {
                show_error('Get the fudge out.');
            }
        }
        
        $this->template->set_layout('admin/layout');
    }
}


[quote author="Devon Lambert" date="1265085764"]That being said, I did make a change in the way I handle logins. This is because Tank_Auth generally feels like better authentication than that provided in PyroCMS, sorry Phil :-).[/quote]

Agreed, mine is a bit of a mess and will soon be replaced with Ion Auth which I have been working on a lot, or hopefully the Auth system Rick Ellis is building.
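The gate in Phil's Admin_Controller above, reduced to a framework-free PHP function so the decision table (allow-listed page, then login, then role, deny by default) can be run and checked outside CodeIgniter. This is an added example, not code from the thread or from PyroCMS/Ion Auth; admin_access_decision, normalize_route and the sample routes are constructed here.

```php
<?php
// Added example (not from the thread): the allow-list gate from Admin_Controller
// as a pure function. Order mirrors the constructor: allow-listed page first,
// then login check, then role check. Anything not listed is denied by default.

const ADMIN_ALLOWED_PAGES = ['auth/login', 'auth/forgot_password', 'auth/reset_password'];

function normalize_route(string $controller, string $method): string
{
    // Assumption: routed segments are compared lower-cased and without stray
    // slashes, so "Auth/Login/" and "auth/login" hit the same allow-list entry.
    return strtolower(trim($controller, '/')) . '/' . strtolower(trim($method, '/'));
}

function admin_access_decision(string $controller, string $method, bool $logged_in,
                               bool $is_admin, array $allowed = ADMIN_ALLOWED_PAGES): string
{
    $route = normalize_route($controller, $method);
    if (in_array($route, $allowed, true)) {
        return 'allow';          // public page inside the admin area (login, password reset)
    }
    if (!$logged_in) {
        return 'redirect_login'; // anonymous visitor: the controller does redirect('admin/login')
    }
    if (!$is_admin) {
        return 'forbidden';      // authenticated but not an admin: the controller calls show_error()
    }
    return 'allow';
}

// Constructed cases: [controller, method, logged_in, is_admin, expected decision]
$cases = [
    ['auth',      'login',  false, false, 'allow'],
    ['dashboard', 'index',  false, false, 'redirect_login'],
    ['dashboard', 'index',  true,  false, 'forbidden'],
    ['dashboard', 'index',  true,  true,  'allow'],
    ['Auth',      'Login/', false, false, 'allow'],          // normalised to auth/login
    ['auth',      'logout', false, false, 'redirect_login'], // not listed, so denied by default
];
foreach ($cases as [$c, $m, $in, $adm, $expected]) {
    $got = admin_access_decision($c, $m, $in, $adm);
    printf("%-18s logged_in=%d admin=%d -> %-14s %s\n",
        "$c/$m", $in, $adm, $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```

The last case is the point of the pattern: a new admin page needs no extra code to be protected, only a page that must be public needs an allow-list entry.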
#8

[eluser]Joshua Logsdon[/eluser]
@Phil: I was only saying what you would need to do with the code as-is. Thanks for the update!
#9

[eluser]gh0st[/eluser]
@Devon Lambert -- With regards to integrating Tank Auth with a modular setup for CI, how far have you got?

I've been trying to do it myself, but am really struggling; are you meant to put the entire thing in a module?

i.e.:
/modules/
/core/
/tank_auth/ <-- ? Is this where tank_auth goes?

If so, what do you call it? I tried auth, but this means renaming quite a lot; but if I use tank_auth, this means the user is typing in:

modularcms.localhost/admin/tankauth/

I'm also struggling because there are a lot of hardcoded links in Tank Auth; how far have you been able to strip out the hardcoded links?

I would be interested in downloading or finding out how you integrated Tank Auth with a modular setup as it does not look like it plays well together.

Thanks.
#10

[eluser]Devon Lambert[/eluser]
[quote author="gh0st" date="1266277643"]@Devon Lambert -- With regards to integrating Tank Auth with a modular setup for CI, how far have you got?

I've been trying to do it myself, but am really struggling; are you meant to put the entire thing in a module?

i.e.:
/modules/
/core/
/tank_auth/ <-- ? Is this where tank_auth goes?

If so, what do you call it? I tried auth, but this means renaming quite a lot; but if I use tank_auth, this means the user is typing in:

modularcms.localhost/admin/tankauth/
[/quote]

I leave all Tank Auth files the same, except for the addition of a role_id throughout the library itself. I extend the Tank Auth library and make use of the extended class throughout the modules that I have.

My structure follows that of PyroCMS, i.e.:

/modules/
/core/
/users/
    /libraries/
        /MY_Extended_Library.php


[quote author="gh0st" date="1266277643"]
I'm also struggling because there are a lot of hardcoded links in Tank Auth; how far have you been able to strip out the hardcoded links?

I would be interested in downloading or finding out how you integrated Tank Auth with a modular setup as it does not look like it plays well together.
[/quote]

I moved my generic_login function to MY_Controller.php. I also moved all of the captcha functions.

Hope this helps?
