Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived Libraries & Helpers ErkanaAuth: A non-invasive user authentication library
ErkanaAuth: A non-invasive user authentication library
  • El Forum
    Guest
  •  
#11
10-24-2007, 05:25 PM

[eluser]xwero[/eluser]
[quote author="walesmd" date="1193282829"]
Quote:The try login snippet needs array() around the array content

I assume you are referring to this line:
Code:
$query = $this->CI->db->getwhere('users', $condition, 1, 0);
[/quote]

No i was refering to your blog post where you added an example of the try_login method
Code:
try_login('username'=>'test','password'=>'hello')
I read documentation Smile

[quote author="walesmd" date="1193282829"]
The helpers are there so getRole() and getField() can be used in a view - saves on typing a little.[/quote]
Ok i wasn't sure about that. I will not use the helper i rather type than debug.

[quote author="walesmd" date="1193282829"]
The multiple role situation is one I am aware of and I intend to correct that in the future (it will be a new method that accepts a string (or an array, I haven't decided) of user roles. If the user has one of those roles it will return TRUE.[/quote]
The way i do this is creating an action/pagepart entry and attach the roles to it then compare the actions roles with the current role. It requires extra tables.
view_object : id,name
view_object_roles : view_object_id, roles_id
Code:
function enableViewObject($view_object_id)
{
    $query = $this->db->getwhere('view_object_roles', array('view_object_id' => $view_object_id, 'roles_id' => $this->getRole()));
    return ($query->num_rows() > 0)?TRUE:FALSE;
}
  • El Forum
    Guest
  •  
#12
10-24-2007, 09:00 PM

[eluser]imzyos[/eluser]
Quote:The multiple role situation is one I am aware of and I intend to correct that in the future (it will be a new method that accepts a string (or an array, I haven’t decided) of user roles. If the user has one of those roles it will return TRUE.

STRING like

Code:
$a = 'role1|role2|role3';

return (in_array($role, $extract(getRoles()))? true : false;
  • El Forum
    Guest
  •  
#13
11-08-2007, 09:46 AM

[eluser]12vunion[/eluser]
I’m very much a fan of ErkanaAuth. I’ve tried some of the other authentication libraries and none of them seem to fit well with CodeIgniter. This is the only one so far that seems to fit in with the style and philosophy. I really like where it’s headed. If there’s something to be improved, it would be the user role management. It doesn’t scale well for a big project that needs more robust permissions.



In any event, I’ve written my own system that adds onto ErkanaAuth. It allows user’s to be in groups and groups to have as many permissions for whatever you should choose to set permissions on. In my case, I’m using it to set view, create, edit, and delete permissions for my content types (news, articles, research, pages, etc...). So you have the choice to either check for a user’s group, or check to see if they have the required permissions.



I’ve only just thrown it together. So it’s a bit ugly. But I’m sure if it’s useful, someone will clean it up.



For the Erkanauth.php library:



Code:
/**

     * Returns the user's group

     *

     * Example: $this->erkanaauth->getGroup()

     *

     * @access    public

     * @return    string

     */

    function getGroup() {

        $this->CI->db->select('user_groups.name');

        $this->CI->db->from('user_groups');

        $this->CI->db->join('groups', 'users.group_id = user_groups.id');

        $query = $this->CI->db->getwhere('users', array('users.id'=>$this->CI->session->userdata('user_id')), 1, 0);

        if ($query->num_rows() == 1) {

            $row = $query->row();

            return $row->name;

        }

    }

    

    

    /**

     * Returns true if the user's group has permissions

     *

     * Example: $this->erkanaauth->hasPermissions()

     *

     * $content_type can either be a content_type_id or a content_types.type (content type string)

     * needed_permissions can be a single permissions ("create") or an array of permissions ("view", "create", edit", "delete") or "all"

     *

     * @access    public

     * @return    bool

     */

    function hasPermissions($content_type, $needed_permissions) {

    

        $this->CI->db->select('user_roles.*');

        $this->CI->db->from('user_roles');

        $this->CI->db->join('groups_to_roles_join', 'groups_to_roles_join.role_id = user_roles.id');

        $this->CI->db->join('users', 'groups_to_roles_join.group_id = users.group_id');

                

        //is an id, or a type string

        if(is_numeric($content_type)){

            $this->CI->db->where('user_roles.content_type_id', $content_type);

        }else{

            $this->CI->db->join('content_types', 'user_roles.content_type_id = content_types.id');

            $this->CI->db->where('content_types.type', $content_type);

        }

        $this->CI->db->where('users.id', $this->CI->session->userdata('user_id'));

        

        //run that query, finally

        $query = $this->CI->db->get();

        

        //no rows = permissions not set. Return false and stop here.

        if ($query->num_rows() == 0 || is_null($query->num_rows())) {

            return false;

        }

        

        $has_perm = false;

        $row = $query->row_array();

        



        if(is_array($needed_permissions)){

            $perms_matched = 0;

            foreach($needed_permissions as $perm){

                $perm = strtolower($perm);

                if(stripos($perm, "can_") === false){

                    $perm = "can_".$perm;

                }

                if(isset($row[$perm]) && $row[$perm] == 1){

                    $perms_matched++;    

                }

            }

            if($perms_matched == count($needed_permissions)){

                $has_perm = true;

            }

        }elseif(strtolower($needed_permissions) == "all"){

            if($row['can_view'] && $row['can_create'] && $row['can_edit'] && $row['can_delete']){

                $has_perm = true;

            }

        }else{

            $needed_permissions = strtolower($needed_permissions);

            if(stripos($needed_permissions, "can_") === false){

                $needed_permissions = "can_".$needed_permissions;

            }

            if(isset($row[$needed_permissions]) && $row[$needed_permissions] == 1){

                $has_perm = true;

            }

        }

        

        return $has_perm;

    }



For the Erkanaauth_helper.php helper:

Code:
// Calls the getGroup method of the library

function getGroup() {

    $CI =& get_instance();

    return $CI->erkanaauth->getGroup();

}



// Calls the hasPermissions method of the library

function hasPermissions($content_type, $needed_permissions) {

    $CI =& get_instance();

    return $CI->erkanaauth->hasPermissions($content_type, $needed_permissions);

}



And that’s that. You can call hasPermissions() with either the content_type name, or ID. And you can set the required permissions as either a single permission ("view", or “can_view"), “all” (meaning must have all permissions) or as an array of strings (["can_view", “delete”, “edit” ...]). I allow it to use “view” or prefixed with “can_” because that’s what the field is in the database.



Code:
if($this->erkanaauth->hasPermissions("article", array("edit", "can_view")) == true){

        echo "Has permission";

    }else{

        echo "Doesn't have the required permisions";

    }
  • El Forum
    Guest
  •  
#14
11-08-2007, 09:47 AM

[eluser]12vunion[/eluser]
And here's what my SQL looks like:

Code:
CREATE TABLE `content_types` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `type` varchar(256) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;


CREATE TABLE `groups_to_roles_join` (
  `group_id` int(11) NOT NULL,
  `role_id` int(11) NOT NULL,
  PRIMARY KEY (`group_id`,`role_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;


CREATE TABLE `users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `user_name` varchar(32) NOT NULL,
  `password` varchar(40) NOT NULL,
  `email` varchar(256) NOT NULL,
  `group_id` int(11) NOT NULL,
  `status_id` int(11) NOT NULL,
  `created_on` datetime NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;


CREATE TABLE `user_groups` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(50) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;


CREATE TABLE `user_roles` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `can_view` int(11) DEFAULT NULL,
  `can_create` int(11) DEFAULT NULL,
  `can_edit` int(11) DEFAULT NULL,
  `can_delete` int(11) DEFAULT NULL,
  `content_type_id` int(11) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;
  • El Forum
    Guest
  •  
#15
11-08-2007, 09:53 AM

[eluser]jaume[/eluser]
I use a different approach on multiple roles subject. I tried to explain it in this thread:
http://ellislab.com/forums/viewthread/64469/

Do you think the approach is so weird?

I mean, for example, instead of using different roles related to the news section being "news_editor" or "news_admin" or "news_whatever", just using a "news" role with a numeric level assigned to it so it becomes "news=3" to grant you a "level 3" access in the news section. When you have many different areas, assigned to a single role each, you shorten the roles list by a factor of 3 or 4 depending on the main levels you assign to the areas... Being the levels 1-admin. 2-supervisor, 3-editor, 4- writer they also allow syntax like "editor or higher" when talking about permissions.

I've used it in portals where different users were allowed to work on different sections of the whole portal, and did work fine to me... how would you approach it?

Jaume.
  • El Forum
    Guest
  •  
#16
11-08-2007, 09:58 AM

[eluser]12vunion[/eluser]
That's pretty interesting. I've used something like that before. I've also done something similar to that, but more like a chmod. Your approach works pretty well for a smaller project where you're in control of every user. But for the sake of manageability, you need to abstract it by an extra layer. In your approach, you have to set every permission for every user. Where as in mine, you setup permissions and assign them into groups. Then you can simply set what group the user belongs to and they get all the inherited permissions.
  • El Forum
    Guest
  •  
#17
11-08-2007, 10:01 AM

[eluser]jaume[/eluser]
@12vunion

You sent your messages while I was writing mine! :-)

Just a third point of view!
  • El Forum
    Guest
  •  
#18
11-08-2007, 10:04 AM

[eluser]12vunion[/eluser]
A ha. Gotcha.
  • El Forum
    Guest
  •  
#19
11-08-2007, 10:13 AM

[eluser]jaume[/eluser]
@12vunion

Yes, but if you have one user taking care of one area, you would end having as many groups as users and no inheritance in levels at all. In my app you start setting default permissions to true just to change his own password any assign only the permissions needed for that user. If you have enough users to group them in groups then I agree with you, but it still lacks inheritance to say "editor or higher in this area", how would you mix both approaches?

Or do you focus more on explicit permissions like "can_do_x"?

How whould you apply it in a per area basis more like saying "can_read in news_area"?
  • El Forum
    Guest
  •  
#20
11-08-2007, 10:35 AM

[eluser]12vunion[/eluser]
Either you use it like I am and say content_type = "news_area" can_read = "1", or you'd need a table with a ton of rules "can_read_news", "can_edit_news", etc. And then create an in between table that pairs user ids with permission ids (see my groups_to_roles_join table). Granted, my roles table is going to get pretty big as well.




Theme © iAndrew 2016 - Forum software by © MyBB