I have a RECESS-based project. I want to add password protection to the views where I add/edit/delete my new model objects; they should only be accessible after passing through a password entry view, and if someone tries to access the said views directly they should again get redirected to the login page. Any help with that?
Yes you can.
Create a class (authController) to handle the authentication; connect to the database to query the user info.
Include the authController file in the main Application controller, i.e. (MyRecessApp.class.php).
Add the conditionals in your master.layout.php to check if the user is logged in and whether to render content or a login form.
IMPORTANT: place the session_begin() that the authController needs in the recess-conf.php file.
Recommended: I usually add the "loginUser" method to the User controller, or you could have the User controller extend the authController's methods.
I have a project which includes an admin and a user section. Both sections use the same controllers, just different functions and templates (ex: viewAdmin() and viewUser()). In the beforeRender() function of every controller, I set the variable $admin to true for admin functions and false for user functions.
For authentication, I use Shibboleth. Shibboleth uses data from LDAP, while user types are saved in an SQL database; that means while it can check if the login and password are wrong, it can't check if the user is an admin or not. A user can go to the ADMIN section as long as they use the right action (ex: go to the link http://example.com/tool/viewAdmin).
To prevent this, I will have to:
Load the Users model
Compare the environment variable uid (login name) with the "login" column in the Users table in my SQL database
Check the "type" column in the Users table to know if the user is an admin or not.
Compare the result with the value of $admin and redirect to an error page when necessary.
The problem is: I don't want to repeat those steps for EVERY controller.
Currently I have 2 ideas:
Write a function in UsersController, and use it in every controller.
Create a component and load it in every controller.
Both methods require me changing code in all controllers. I would like to hear a better way with less work, perhaps by changing app.php or bootstrap.php.
Any suggestion is appreciated.
To share methods in CakePHP controllers you can:
Create a component and include it in the controller
Or create a method in AppController and use it in the child controllers
Or, the PHP way, create a Trait.
But when you authorize users, all user data is stored in the session, including the user's roles (example: admin, regular, member, ...).
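As an added example (not from the answer or the asker's project), the component route from above applied to the asker's four steps: a hypothetical AdminGuardComponent for CakePHP 3.x that reads the Shibboleth uid, looks the login up in the Users table and refuses admin actions to non-admins. It assumes each controller sets $this->admin in beforeFilter() (the asker used a view variable in beforeRender(); a controller property is used here so the flag exists when the component's startup() runs), a Users table with "login" and "type" columns, and an error page at Pages/display/error.

```php
<?php
// src/Controller/Component/AdminGuardComponent.php (assumed path; example code)
namespace App\Controller\Component;

use Cake\Controller\Component;
use Cake\Event\Event;
use Cake\ORM\TableRegistry;

/**
 * Runs after every controller's beforeFilter(): Shibboleth has already
 * authenticated the login name, this component only decides admin or not.
 */
class AdminGuardComponent extends Component
{
    public function startup(Event $event)
    {
        $controller = $this->getController();
        // Assumed: controller sets $this->admin = true for *Admin() actions
        $wantsAdmin = !empty($controller->admin);

        // Shibboleth exports the login name in the "uid" environment variable
        $uid = $controller->getRequest()->getEnv('uid');
        if ($uid === null || $uid === '') {
            // No authenticated login at all: never let an admin action run
            return $controller->redirect(['controller' => 'Pages', 'action' => 'display', 'error']);
        }

        // Steps 1-3: look the login up in the SQL Users table and read "type"
        $users = TableRegistry::getTableLocator()->get('Users');
        $user = $users->find()
            ->select(['type'])
            ->where(['login' => $uid])
            ->first();

        // Deny by default: an unknown login is treated as a non-admin
        $isAdmin = $user !== null && $user->type === 'admin';

        // Step 4: an admin action requested by a non-admin goes to the error page
        if ($wantsAdmin && !$isAdmin) {
            return $controller->redirect(['controller' => 'Pages', 'action' => 'display', 'error']);
        }
    }
}

// In src/Controller/AppController.php, once for all controllers:
//     public function initialize() { parent::initialize(); $this->loadComponent('AdminGuard'); }
```

Loading the component from AppController::initialize() is what avoids touching every controller, which was the asker's actual constraint.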
Use the official CakePHP authentication plugin and extend the LDAP adapter with the additional code check you need. This is very easy to do and also a very clean way of solving the problem. Disclaimer: I'm one of the authors of the authentication plugin. https://github.com/cakephp/authentication
Or if you want to stay agnostic to any framework, use my library that is based on the authentication plugin and was decoupled from any framework but still works just nice with Cake https://github.com/Phauthentic/authentication.
I am building an ACL plugin to my framework / application.
The previous ACL applications I have worked with have a controller / action verification, meaning that they check if the user has access to both the controller and the view.
Now in many applications a user can have access to both the controller and the view but still not have access to the content.
For example:
user1 has access to the controller: games and the view: play but does not have access to the id: 1
My first idea was to check the $_GET variable but this is not sufficient since it is impossible to know which variable the content is looking for.
So my question is how would you verify that the user has access to the content of the view?
Well, you do know the id of the content in your Controller and you do know the user trying to access it. Just add contentId to your ACL check routine? You just have to add more ACL data, current implementation with just controller and method isn't enough in these cases.
e.g. $acl->userIsAllowedTo('view', 1, 'gamescontroller') or so.
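An added example (hypothetical class, not the asker's plugin) of the check the answer sketches: the ACL is keyed on controller, action and content id, with deny by default, and the controller passes the id it has already resolved rather than guessing a $_GET key. The class name, the rule shape and the sample users are constructed for this illustration.

```php
<?php
/**
 * Minimal content-level ACL: a rule grants user -> controller -> action
 * for one specific content id, or for any id when '*' is used.
 */
final class ContentAcl
{
    /** @var array rules[userId][controller][action] = list of allowed ids */
    private array $rules = [];

    public function allow(string $userId, string $controller, string $action, $contentId = '*'): void
    {
        // Normalise case so 'GamesController' and 'games' map to the same rule
        $this->rules[$userId][strtolower($controller)][strtolower($action)][] = (string) $contentId;
    }

    /** Default deny: only an explicit rule (exact id or '*') grants access. */
    public function userIsAllowedTo(string $userId, string $action, $contentId, string $controller): bool
    {
        $allowed = $this->rules[$userId][strtolower($controller)][strtolower($action)] ?? [];
        // Ids are compared as strings so int 1 and "1" from the router behave alike
        return in_array('*', $allowed, true) || in_array((string) $contentId, $allowed, true);
    }
}

// Constructed sample rules mirroring the question:
// user1 may use games/play, but only for content id 2, never id 1.
$acl = new ContentAcl();
$acl->allow('user1', 'games', 'play', 2);
$acl->allow('admin', 'games', 'play');   // any id

/**
 * How a hypothetical games controller would use it: the action already
 * knows which id it is about to render, so it checks that id, not $_GET.
 */
function playAction(ContentAcl $acl, string $currentUserId, $id): string
{
    if (!$acl->userIsAllowedTo($currentUserId, 'play', $id, 'gamescontroller') &&
        !$acl->userIsAllowedTo($currentUserId, 'play', $id, 'games')) {
        http_response_code(403);
        return 'Forbidden';
    }
    return "rendering game $id";
}

echo playAction($acl, 'user1', 2), PHP_EOL;
echo playAction($acl, 'user1', 1), PHP_EOL;
```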
I am creating a login & registration system using CodeIgniter.
Currently I have a Model, View and Controller for login, with functions to validate,
check username, etc., and a registration model, view and controller,
that does the registration.
I have chosen to separate the login and registration as a principle.
So right now I need to include functions to edit the profile, to check if logged in or not, and to check the user's role, and I would like to know how I can best do this. I have planned creating a user model and controller (no view); the main user controller would have the method calls to the models, but the methods (updateprofile, islogin, etc.) would be in different models, for example in the login model.
So is this design good/bad? How can it be done better? I would appreciate your suggestions.
I really find no problem with your application structure. It's about how you write your code and how easy it will be to update it in the future. For managing your models try using an ORM. PHPActiveRecord is a good start. With this, you will no longer be creating a lot of individual functions for your database transactions. Reference
You can create a User_Model and expand it as needed. You can look at this CI auth lib as an example of how to build a login & registration structure in CodeIgniter.
Let's say I have the URL http://localhost/home and this is the standard URL of a page.
When a user logs in they are redirected to http://localhost/admin/home.
This URL without any routing is actually more like http://localhost/admin/panel/index/home.
Where admin is a folder, panel a controller, index a function and home an extension to give the view.
Can I theoretically check if a user is logged in depending on whether rsegment(2) is equal to 'admin'? Or can a user fake the URL somehow to break the system?
NB: The panel controller (inside the admin folder) has an actual login check in its index function. I was curious as to whether a user would be able to trick the system into not running the index function, or if that is secure.
No, you cannot rely on the URI to check if a user is logged in.
You have to use an authentication library like TankAuth, or IonAuth.
Also if you need more options you can visit How should I choose an authentication library for CodeIgniter?.
I advise you to read Phil Sturgeon's Post on CI Base Classes. Class inheritance is key for maintaining who can access your controllers and who cannot. The URL contains no kinds of checks itself, but you know it calls a controller. The basic premise is:
If you create a controller called MY_Admin_Controller and all of your administrative controllers inherit from it, and you perform the administrative check in MY_Admin_Controller, then you keep your system DRY (Don't Repeat Yourself) because you don't have to check whether or not that user should have access in every single controller. Only once, and the controllers will inherit that check.
or can a user fake the URL somehow to break the system[?]
Sure, the URL is the easiest thing that can be sent to a server; you only need a browser with an address bar - which, now as I write it, every browser has ;)
Whaaa?
Your route will point to a controller; if that controller is not secure then it's open to public access.
I'm wondering what is best in my case. I'm building a site using CodeIgniter with two main sections:
the public part available to everyone
the private one only for registered users
In each page of the public area (one controller) I want to put a sign-in form and a sign-up link, and if the user is logged in he has to be redirected to the private area, or a link to it may be shown.
Now I have two choices:
A user controller is the first thing I thought of, but in each page of the site I need to check if the user is logged in, and this is impossible or very bad since I'm using another Controller
So I started working on a library but I'm not sure how to implement it (for example, should form validation be achieved by the controller or by the library itself? What about the database connection, since I don't have a model?)
What do you think is the best? Why? and how would you implement it?
(and yes, I like reinventing the wheel and not using an existing library, mainly because I want to learn how to do it)
Super Controller
  => assign user data, settings, configs etc.
  |----- private controller extends super controller
           => check user credentials
  |----- admin controller extends super controller
           => check user && admin credentials
Your super controller is your public controller as long as you only do assignments, no checking...
Anything you want public just extends super controller
Anything you want private extends private controller
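The super / private / admin hierarchy above, and the MY_Admin_Controller base class recommended in the earlier CodeIgniter answer, as one added example (not code from either answer). It assumes CodeIgniter 2/3 with a session library whose 'user' entry holds ['id' => ..., 'role' => ...] and a login route named 'login'; here the admin controller extends the private one so the login check is written once, where the diagram has it extend the super controller directly.

```php
<?php
// application/core/MY_Controller.php (CodeIgniter autoloads MY_* from core; example code)
defined('BASEPATH') OR exit('No direct script access allowed');

// Super controller: ONLY assignments, no checks, so public pages extend it directly.
class MY_Controller extends CI_Controller
{
    protected $user = null;   // null when nobody is logged in
    protected $data = array(); // shared with every view

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
        // Assumed session shape: array('id' => 42, 'role' => 'admin')
        $this->user = $this->session->userdata('user');
        $this->data['user'] = $this->user;
    }
}

// Private controller: the check is in the constructor, so no action of a
// child controller can run without it, however the URL was spelled or routed.
class MY_Private_Controller extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        if (empty($this->user['id'])) {
            // Remember the requested page, then send to the login form
            $this->session->set_userdata('redirect_to', current_url());
            redirect('login'); // redirect() exits; nothing below runs
        }
    }
}

// Admin controller: logged in (inherited check) AND role admin, else 403.
class MY_Admin_Controller extends MY_Private_Controller
{
    public function __construct()
    {
        parent::__construct();
        if (!isset($this->user['role']) || $this->user['role'] !== 'admin') {
            show_error('Forbidden', 403);
        }
    }
}

// application/controllers/Dashboard.php would then be:
//     class Dashboard extends MY_Admin_Controller { ... }
```

Because the check runs in the constructor, a request that skips the index action (the concern in the rsegment question) still hits it.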
Form validations and query jobs should be carried out by the controller itself. The library acts like a tool; there is no need to implement these things in it, though if needed you can use queries in it to check some data, but it's better to do that in the controllers.
The idea for having a login flag is:
When the user is signed in, create a session for them to show access.
Check the session every time for the private parts.