I'm wondering what is best in my case. I'm building a site using CodeIgniter with two main sections:
the public part available to everyone
the private one only for registered users
In each page of the public area (one controller) I want to put a sign-in form and a sign-up link, and if the user is logged in he has to be redirected to the private area or a link to it may be shown.
Now I have two choices:
A user controller is the first thing I thought of, but in each page of the site I need to check if the user is logged in, and this is impossible or very bad since I'm using another controller.
So I started working on a library but I'm not sure how to implement it (for example, should form validation be done by the controller or by the library itself? What about the database connection, since I don't have a model?)
What do you think is best? Why? And how would you implement it?
(and yes, I like reinventing the wheel and not using an existing library, mainly because I want to learn how to do it)
Super Controller
  => assign user data, settings, configs etc.
  |----- private controller extends super controller
           => check user credentials
  |----- admin controller extends super controller
           => check user && admin credentials
Your super controller is your public controller as long as you only do assignments, no checking...
Anything you want public just extends super controller
Anything you want private extends private controller
Form validations and query jobs should be carried out by the controller itself. The library acts like a tool; there is no need to implement these things in it, but if needed you can use queries in it to check some data. Still, it's better for that work to be done in the controllers.
The idea for having a log flag is to:
When user is signed in, create a session for it to show the access.
Check the session every time for the private parts.
Related
I have a project which includes admin and user sections. Both sections use the same controllers, just different functions and templates (ex: viewAdmin() and viewUser()). In the beforeRender() function of every controller, I set the variable $admin to true for admin functions and false for user functions.
For authentication, I use Shibboleth. Shibboleth uses data from LDAP, while user types are saved in an SQL database; that means while it can check if the login and password are false, it can't check if the user is admin or not. A user can go to the ADMIN section as long as they use the right action (ex: go to the link http://example.com/tool/viewAdmin).
To prevent this, I will have to:
Load model Users
Compare the environment variable uid (login name) with the "login" column in the Users table in my SQL database
See the "type" column in the Users table to know if the user is admin or not.
Compare the result with value of $admin and redirect to an error page when necessary.
The problem is: I don't want to repeat those steps for EVERY controller.
Currently I have 2 ideas:
Write a function in UsersController, and use it in every controller.
Create a component and load it in every controller.
Both methods require me to change code in all controllers. I would like to hear a better way with less work, perhaps by changing app.php or bootstrap.php.
Any suggestion is appreciated.
To share methods in CakePHP controllers you can:
Create a component and include it in the controller
Or create a method in AppController and use it in child controllers
Or, the PHP way, create a Trait.
But when you authorize users, all user data is stored in the session, including the user's roles (for example admin, regular, member, ...)
Use the official CakePHP authentication plugin and extend the LDAP adapter with the additional code check you need. This is very easy to do and also a very clean way of solving the problem. Disclaimer: I'm one of the authors of the authentication plugin. https://github.com/cakephp/authentication
Or if you want to stay agnostic to any framework, use my library that is based on the authentication plugin and was decoupled from any framework but still works just nice with Cake https://github.com/Phauthentic/authentication.
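The "method in AppController" route from the answer above, written out as an added example (constructed for CakePHP 3.4+; it is not the authentication plugin's code). It assumes Shibboleth exposes the login name in $_SERVER['uid'], a Users table with "login" and "type" columns, an assumed error page at Pages::display('forbidden'), and a naming convention that admin actions end in "Admin" (viewAdmin, editAdmin), so no child controller needs editing:

```php
<?php
// src/Controller/AppController.php: constructed example for CakePHP 3.4+, not the
// authentication plugin's code. Assumes Shibboleth exposes the login name in
// $_SERVER['uid'], a Users table with 'login' and 'type' columns, and the naming
// convention that admin actions end in 'Admin' (viewAdmin, editAdmin, ...).
namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Event\Event;

class AppController extends Controller
{
    // Runs before every action of every child controller, so no controller needs editing.
    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);

        $isAdminAction = substr($this->request->getParam('action'), -5) === 'Admin';
        $this->set('admin', $isAdminAction);   // replaces the per-function $admin flag

        // Shibboleth already authenticated the user; the SQL table decides the role.
        $uid = isset($_SERVER['uid']) ? $_SERVER['uid'] : null;
        $this->loadModel('Users');
        $user = $uid === null ? null : $this->Users->find()->where(['login' => $uid])->first();

        if ($user === null || ($isAdminAction && $user->type !== 'admin')) {
            // Fail closed: unknown users and non-admins calling *Admin actions are sent away.
            // Returning the redirect response from beforeFilter stops the action from running.
            return $this->redirect(['controller' => 'Pages', 'action' => 'display', 'forbidden']);
        }
    }
}
```

Because the check runs in beforeFilter rather than beforeRender, it happens before the admin action's code executes, not merely before its template is drawn.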
I tried to make a PHP login and authentication system based on MVC. I also need some guidance about how I can prevent access to all classes in the controller/admin folder without a proper login.
I have two ideas:
1- make a constructor for all classes in the admin folder that checks for a logged-in session and only then allows calls to any other methods in that class.
2- add a secret word at the end of all method names in my admin folder. Then all calls to those methods will be redirected to the __call function to check the session, and if that check succeeds, try to call the admin's methods by adding that secret word.
I don't know which one is the better way, or is there any other solution?
I'm trying to use CodeIgniter to create a simple website that involves user-restricted areas,
and was wondering how I can design my login controller so that on every page it loads a controller that checks if this user is allowed on this page / allowed to execute that function.
Question:
How can I autoload this login function on every page?
What is the proper, secure logic to check if a user is allowed to run a function? Note that I have 3 different user types: 1. admin, 2. secretary, 3. worker. So how can I assign functions to their owner? "admin should be able to assign access to the other 2 types"
I have completed my project but I have 0 experience with this login/user access control thing, so any advice will be appreciated.
You should take a look at the "MY_Controller". Basically, you create a file called MY_Controller.php and place it in application/core (http://ellislab.com/codeigniter/user-guide/general/core_classes.html)
You place a class in this file called MY_Controller that extends CI_Controller
    <?php
    // application/core/MY_Controller.php
    class MY_Controller extends CI_Controller {
        public function __construct() {
            parent::__construct();
            // Check if your user is logged in here (e.g. look up the session)
            // and redirect to the login form if not.
        }
    }
The constructor above will be called before any other controller method is invoked. So you can check whether the user is logged in, and if not, redirect to your login form.
There are a lot of different auth libraries that will likely help you with your second question. Check those out; they may help you (I don't remember any off the top of my head, but I know you have options).
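The MY_Controller answer above and the super/private/admin controller hierarchy described earlier in this page, combined into one added example for CodeIgniter 3 (constructed here; it is not any answer's code). It assumes the login action stored "user_id" and "role" in the session, that the session library and url helper are autoloaded, an assumed login route "auth/login", and an assumed per-class $permissions map for the admin/secretary/worker roles:

```php
<?php
// application/core/MY_Controller.php: constructed example, not the answer's code.
// CodeIgniter 3 autoloads this file, so the three base classes can live together here.
// Assumes the login action stored 'user_id' and 'role' in the session and that the
// 'session' library and 'url' helper are autoloaded in application/config/autoload.php.
defined('BASEPATH') OR exit('No direct script access allowed');

// Public base: only assigns, never blocks, so every public page can show either the
// sign-in form or a link to the private area.
class MY_Controller extends CI_Controller
{
    protected $user = null;   // null while the visitor is a guest

    public function __construct()
    {
        parent::__construct();
        $id = $this->session->userdata('user_id');
        if ($id !== null) {
            $this->user = array('id' => $id, 'role' => $this->session->userdata('role'));
        }
        $this->load->vars(array('current_user' => $this->user));
    }
}

// Private base: every method of a subclass requires a logged-in user with an allowed role.
class Private_Controller extends MY_Controller
{
    // method name => roles allowed to call it; '*' is the default for unlisted methods.
    // Subclasses override this map (an assumed convention, not a CodeIgniter feature).
    protected $permissions = array('*' => array('admin', 'secretary', 'worker'));

    public function __construct()
    {
        parent::__construct();
        if ($this->user === null) {
            $this->session->set_flashdata('return_to', current_url());
            redirect('auth/login');   // assumed login route; redirect() exits
        }
        $method  = $this->router->fetch_method();
        $allowed = isset($this->permissions[$method]) ? $this->permissions[$method] : $this->permissions['*'];
        if (!in_array($this->user['role'], $allowed, true)) {
            show_error('You are not allowed to perform this action.', 403);
        }
    }
}

// Admin base: same checks, but unlisted methods are admin-only by default.
class Admin_Controller extends Private_Controller
{
    protected $permissions = array('*' => array('admin'));
}
```

A private-area controller then just extends Private_Controller and, where one method should be admin-only, lists it: protected $permissions = array('assign_access' => array('admin'), '*' => array('admin', 'secretary', 'worker'));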
I have a RECESS-based project. I want to add password protection to the views where I add/edit/delete my new model objects; they should only be accessible after passing through a password entry view, and if someone tries to access the said views directly they should again get redirected to the login page. Any help with that?
Yes you can.
Create a class (authController) to handle the authentication and connect to the database to query the user info
Include the authController file in the main Application controller, i.e. MyRecessApp.class.php
Add the conditionals in your master.layout.php to check if the user is logged in and whether to render content or a login form
IMPORTANT: place the session_begin() that the authController needs in the recess-conf.php file.
Recommended: I usually add the "loginUser" method to the User controller, or you could have the User controller extend the authController's methods
Building my first web app using Yii and wondering if it is best to include the user registration process as part of my UserController or is it better to create a registrationController and keep the logic separated?
And, on the same line of thought, would it be beneficial to have a profileController to handle additional user information, or just have the UserController handle that as well?
Is a registration the creation of a User?
Similarly is a profile just a view or update of a User?
It seems like these could all fit one controller fairly well as basic CRUD operations.
In my opinion you can put it in the UserController because the notion of registration is to create a new user. So I think you can make Register the same as Create.
Actually, they are not very complex and could be in one controller. It is at least my own habit to include CRUD in one controller (maybe my apps do not involve complex logic).
Does this form require the user to enter data that is not permanently stored in the database? If so, then you should create a new model derived from CFormModel rather than ActiveRecord. Your site controller can handle the launching of the CFormModel views, which then take care of themselves (validation, ajax, whatever) if they don't need any dynamic interaction with the server (LoginForm), or they can have a separate controller if more complex interaction is needed (RegisterForm). In a CFormModel you can access the user input during the session and process/store it however you like, but then it disappears when the user is done. See the LoginForm and RegisterForm from the blog demo as example patterns.
Does this form have as much dynamic data interaction with other models as it does with User (not just one-off cascading of relationships)? In that case it might be best to create that separate RegisterController you mention. That's what the blog demo does, and it's a pretty simple app.
You can use gii to automatically create the CRUD interface for admin's and community moderators/managers from your User model. You can then customize it and renderPartial it whenever you want to reuse one of those views for a non-admin user. The validation rules in the models carry over too. Only guests and normally-privileged users need the dumbed down interface of a LoginForm and RegisterForm.
A good idea is to put user-related stuff in a module, so you could use it easily in different apps. In that module you could put profile or other user-related controllers without cluttering the app.