Permissions - How to only allow the owner(or admin) of post to edit/delete?
#1

[eluser]MT206[/eluser]
I am having a bit of trouble wrapping my mind around how to set this up correctly. Before I get into my question I will outline what I have setup so far:

For authentication I am using the Tank_Auth library.
For roles/group permissions I have a database setup like:

users
roles (super_admin, admin, user, visitor, membership-gold, ...)
users_roles(has foreign keys of both users and roles)

optionally I have these tables as well:
user_permissions (individual control of CRUD and other functions per user)
role_permissions (individual control of CRUD and other functions per group/role)


How it works is to store user roles data in the session and then in controllers have a check like:

Code:
if ( ! $this->tank_auth->check_roles('admin')) {
    // redirect to login
}

or in specific functions:

Code:
function update_post($id){
    if(! user_has_permission_to('update_posts')){
       //deny
    }
}

My issue is that if I want to have a particular user be able to edit his own post then what would I have to setup? My thinking is that if someone would go to a post that belonged to them I would have to both check roles and then go and find the post owner and compare that with the id in the session.

The pseudo code might look something like:

Code:
// the function that does the checking (added to the extended Tank_Auth library,
// which holds a CI instance in $this->ci)
function check_ownership($post_id)
{
    // compare the user id stored in the session with the post's foreign key;
    // $post_id comes from the URI segment passed in by the controller
    $user_id = $this->ci->session->userdata('user_id');
    $post    = $this->ci->db->get_where('posts', array('id' => (int) $post_id))->row();
    // TRUE only when the post exists and its owner is the logged-in user
    return ($post !== NULL) && ((int) $post->user_id === (int) $user_id);
}

// in the post controller, where $id is the post's URI segment
if ( ! $this->tank_auth->check_roles('admin')) {
    // redirect to login
} elseif ($this->tank_auth->check_ownership($id)) {
    // admin who also owns the post
    $owner = TRUE;
} else {
    // admin who does not own the post
    $owner = FALSE;
}

Am I making this too complicated or is this how you go about allowing users to have specific control over things that they have created?
#2

[eluser]Buso[/eluser]
I don't know how tank auth works, but I want to point out that better than checking for a role, you should check for a resource, like check_resource('edit')
Otherwise, what would happen if you had 2 roles (eg: admin and moderator) who should be able to access some resource? And if you had 20?

Anyway following your schema, about ownership, you could check if the user is an admin OR owner. Eg:
Code:
if ($this->tank_auth->check_roles('admin') || $post['user_id'] === $user['id']) {
  // edit() or whatever
}

$post and $user you can fetch from your database, of course, or replace them with your own ownership function
#3

[eluser]MT206[/eluser]
Thanks for the reply Buso. Tank Auth is a very nice authentication library but it doesn't actually provide for any roles based access control. I just extended it to add that functionality. I found some great posts on this forum that helped in that respect immensely.

You're right that checking the role is often times not as good as checking the resource. I don't think I explained it as well as I should have but I do have the option to do both(unless I am misunderstanding what you are explaining). I use the permissions tables to deal with limiting access to various functions such as edit, delete, view, etc.
For certain pages such as an admin page I think that it would be fine to use roles but like you said it becomes cumbersome to deal with when you have quite a few roles. Because of this I have heard of people using numerical values for the roles such as Admin is 100, User is 5, and Visitor is 0. With this you could say if role > 50 you can access this page, etc. The only thing is that many forum posts I have read talk about the inflexibility that this introduces when you don't properly accommodate for new roles.
Currently the function that I use to retrieve roles and check against them (taken directly from the Tank_Auth forum post (pg25)) is:

Code:
function get_user_roles($user_id)
{
    // bind $user_id instead of concatenating it into the SQL so a crafted
    // id cannot alter the query (CodeIgniter replaces each ? with an escaped value)
    $query = $this->db->query("SELECT *
                               FROM users_roles
                               INNER JOIN roles ON users_roles.rolesID = roles.rolesID
                               WHERE userID = ?", array((int) $user_id));

    $roles = null;

    // build a "%"-separated string of role names, e.g. "%admin%user"
    foreach ($query->result() as $row)
    {
        $roles = ($roles . "%" . $row->name);
    }

    return $roles;
}
#4

[eluser]Mark Croxton[/eluser]
Old post, but I thought I should point out that roles shouldn't be conflated with permission to do something. Roles are a template for a collection of access permissions, which should be stored separately. In RBAC, permissions are 'meaningful' in the sense that they describe a possible user action and are not simply a yes/no flag for access to a low-level system object (as is the case with an access control list).

This is a CI implementation (not strictly a RBAC design but same concept):
http://www.tastybytes.net/2009/10/simple...deigniter/
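Putting that separation into code, as an added example that is not part of this thread, of Tank_Auth or of the linked article: roles only map to permission names, and the ownership test from posts #1 and #2 becomes a condition attached to a scoped permission. The class, method and permission names are assumptions.

```php
<?php
// Added example (not from this thread): keeps roles, permissions and ownership
// apart, as post #4 recommends. Names (PostAuthorizer, can, the permission
// strings) are hypothetical, not Tank_Auth or CodeIgniter APIs.
class PostAuthorizer
{
    private $rolePermissions; // role name => array of permission names

    public function __construct(array $rolePermissions)
    {
        $this->rolePermissions = $rolePermissions;
    }

    // Every permission granted by any of the user's roles.
    private function permissionsFor(array $user)
    {
        $granted = array();
        foreach ($user['roles'] as $role) {
            if (isset($this->rolePermissions[$role])) {
                $granted = array_merge($granted, $this->rolePermissions[$role]);
            }
        }
        return array_unique($granted);
    }

    // $action is 'edit' or 'delete'. Allowed when a role grants
    // "<action>_any_post", or grants "<action>_own_post" and the post's
    // user_id equals the session user's id (cast to int: DB rows arrive as strings).
    public function can(array $user, $action, array $post)
    {
        $perms = $this->permissionsFor($user);
        if (in_array($action . '_any_post', $perms, true)) {
            return true;
        }
        $isOwner = (int) $post['user_id'] === (int) $user['id'];
        return $isOwner && in_array($action . '_own_post', $perms, true);
    }
}

// Constructed sample data; in the app these come from role_permissions and the session.
$auth = new PostAuthorizer(array(
    'admin'     => array('edit_any_post', 'delete_any_post'),
    'moderator' => array('edit_any_post'),
    'user'      => array('edit_own_post', 'delete_own_post'),
));
$post  = array('id' => 42, 'user_id' => '7');
$owner = array('id' => 7, 'roles' => array('user'));
$mod   = array('id' => 8, 'roles' => array('moderator'));
var_dump($auth->can($owner, 'edit', $post), $auth->can($mod, 'edit', $post),
         $auth->can($owner, 'delete', $post), $auth->can($mod, 'delete', $post));
```

Adding a twentieth role then means one more row in the map, and the controller keeps calling can() with the action name rather than listing roles.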
#5

[eluser]MT206[/eluser]
Thanks for link. I will definitely take a look at this as I have not added any kind of roles or permissions for the project I am working on now.
