Better approach to restricting users access to managed controllers?
#1

[eluser]gwerner[/eluser]
What is the best approach to allow/deny users from accessing certain controllers? Currently I've been building the checks into a MY_Controller.php. In that file I have an Admin_Controller class which extends the CI_Controller. First I check to see if a user is "logged_in". If so, then I run a query that pulls the ids associated to the various sections/controllers of the site. Based on that query a menu is generated with only the links of the areas that user has permission to access. This check also prevents a user from simply typing the url in the browser. If the URI segment doesn't match the IDs in the query I mentioned earlier they are redirected.

Is this the right approach? This is for an administration area of a site I'm developing. It will receive light traffic only. The downside that I think I see (but there may be more) is that a database query exists for every page request for every user using the admin. I'm not coming up with a better way to handle this though. This seems to be the only way to handle this dynamically. By that I mean, a user would need to log out and log back in if a new area of the site is created or their permissions have been updated. With the check happening at every page request this seems to ensure that users only have access to areas they've been granted access in real time.

Any thoughts or advice on this is appreciated.
#2

[eluser]CroNiX[/eluser]
I take a similar approach but issue a 404 instead of redirect. If they don't have proper permission, the page doesn't exist for them.

I store the controllers that users have access to in the users table, which all gets loaded into session upon successful login. Then, in MY_Controller (so I only have to do this in one place), it checks the (routed) request to see what controller is being called and compares that to the allowed controllers in the user's session data. If allowed access to the requested controller, continue. If not, issue a 404.
#3

[eluser]gwerner[/eluser]
I thought about using a 404. I thought it might be better to serve the user a specific message as to why they can't access a particular page. Something along the lines of "You don't have permission to view this page etc." Only so the user isn't in the dark if they made an honest mistake.

You also mention that you load the variables into the session data. I thought about this too. What about in a scenario like this? User A has complete authority over the entire admin and changes user B's permissions to no longer allow access to area C. If the variables are stored in the session data that user will still have access until they either log out or time out. How do you handle this? Update the login time further back in time to force a time out?

Thanks in advance!
#4

[eluser]Aken[/eluser]
I also do something similar, but I do the Permission Denied page instead of 404 or redirect. In my opinion, it's best to give the actual error message, otherwise it can confuse people. And for me, people can guess URLs all they want - I don't care if they receive a permissions denied message at a page that they guessed (then again, I don't build apps that are super secret like that, either).

[quote author="gwerner" date="1342121896"]What about in a scenario like this? User A has complete authority over the entire admin and changes user B's permissions to no longer allow access to area C. If the variables are stored in the session data that user will still have access until they either log out or time out. How do you handle this? Update the login time further back in time to force a time out?[/quote]

Session data is refreshed on every page load. If you change session data at one point, it will be updated the next time that user refreshes their browser (either on the same or a new page). Try it out for yourself.
#5

[eluser]skunkbad[/eluser]
I give them the login page. You never know if they have a second account that will give them the appropriate permissions. It probably depends on the nature of the website. There are some websites that I have like 10 accounts on. There are others, such as a bank, where having more than one account is unlikely. Even then, what if the user is a customer, and also an employee, and has two accounts? IDK...
#6

[eluser]gwerner[/eluser]
[quote author="Aken" date="1342138427"]Session data is refreshed on every page load. If you change session data at one point, it will be updated the next time that user refreshes their browser (either on the same or a new page). Try it out for yourself.[/quote]

If user A adjusts user B's permissions to access area C, then user B would have to log in a second time to see those changes. Correct? User A wouldn't be able to change user B's session data by adjusting a field in a database. Or, maybe I'm not understanding? I'm setting the session data at time of log in.
#7

[eluser]Aken[/eluser]
It depends on how you set up the permissions. If you alter the user's session, or you define permissions on each page load separately from the user's session data, it will refresh automatically with no re-log in necessary.

Just gave me an idea for a modification to the Session library, actually.
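
Added example, not part of the thread and not CodeIgniter code: a framework-free PHP sketch of one way to reconcile the two approaches discussed above, keeping the allowed-controller list in the session while reading only a small version stamp on each request, so a revocation by user A applies to user B's existing session on the next request. The `perm_version` column, the function names and the sample data are assumptions constructed for illustration; the caller decides whether a denial renders as a permission-denied page, a 404 or the login page.

```php
<?php
// Added example: constructed data, hypothetical names; no CodeIgniter APIs are used.

// Stand-in for the users table: allowed controllers plus a version
// stamp that is bumped on every permission change.
$users = [
    'userB' => ['perm_version' => 1, 'controllers' => ['dashboard', 'areaC']],
];

// Runs once at login: copy the permissions and their version into the session.
function login(array $users, string $name): array
{
    return [
        'user'         => $name,
        'perm_version' => $users[$name]['perm_version'],
        'controllers'  => $users[$name]['controllers'],
    ];
}

// Runs on every request (the base-controller check described in the thread).
// Only the version is compared; the list is reloaded when it has changed.
function authorize(array $users, array &$session, string $controller): int
{
    if (!isset($session['user'], $users[$session['user']])) {
        return 401; // not logged in, or the account no longer exists
    }
    $row = $users[$session['user']];
    if ($row['perm_version'] !== $session['perm_version']) {
        $session['controllers']  = $row['controllers'];
        $session['perm_version'] = $row['perm_version'];
    }
    return in_array($controller, $session['controllers'], true) ? 200 : 403;
}

// Admin action by user A: remove a controller and bump the version stamp.
function revoke(array &$users, string $name, string $controller): void
{
    $users[$name]['controllers'] =
        array_values(array_diff($users[$name]['controllers'], [$controller]));
    $users[$name]['perm_version']++;
}

$session = login($users, 'userB');
echo authorize($users, $session, 'areaC'), "\n";     // before the revocation
revoke($users, 'userB', 'areaC');
echo authorize($users, $session, 'areaC'), "\n";     // same session, no re-login
echo authorize($users, $session, 'dashboard'), "\n"; // untouched permission
```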



