Auth control by uri request

FlashUK

Posted: 13 March 2008 05:51 AM

[ Ignore ]

Grad Student

Total Posts: 76

Joined 08-25-2007

I just had an idea about some code that could be used for a Auth library.

Controlling access to a controller/section by using the uri_string

This data could be stored into the database (group_id & request_uri). There is then no need to hardcode a group id into the page, just simply match it against the database.

Table layout I thought of for MySQL:


group_id | request_uri

It would also allow you to add access to other controls easily as you create them, or give a group more privileges via a admin panel.

If you wanted, you could use “/” as the request_uri for the group_id if you want to allow access to ALL controllers throughout the site (obviously for someone like “Super Admins” only).

What do you guys think? Any flaws?

Signature

My Website | My Project
CL Auth BETA v0.2 - Authentication Library
CL Auth Documentation

Profile

webthink

Posted: 13 March 2008 07:53 AM

[ Ignore ] [ # 1 ]

Lab Assistant

Total Posts: 183

Joined 02-25-2008

Can you give an example of what a url might look like?

Signature

Webthink.ca - a CodeIgniter/Kohana Shop

Profile

FlashUK

Posted: 13 March 2008 09:55 AM

[ Ignore ] [ # 2 ]

Grad Student

Total Posts: 76

Joined 08-25-2007

The controller then action e.g.:

/home/index

Signature

My Website | My Project
CL Auth BETA v0.2 - Authentication Library
CL Auth Documentation

Profile

webthink

Posted: 13 March 2008 10:03 AM

[ Ignore ] [ # 3 ]

Lab Assistant

Total Posts: 183

Joined 02-25-2008

I see so you just look up the current controller action in your permissions table. That could definitely work it just depends on if you as the developer would find managing permissions in a table vs. directly in the controller easier. The advantage of the permissions table is that you could build an interface for administrator user to assign permissions rather than having it controlled strictly by the developer.

Signature

Webthink.ca - a CodeIgniter/Kohana Shop

Profile

FlashUK

Posted: 13 March 2008 10:28 AM

[ Ignore ] [ # 4 ]

Grad Student

Total Posts: 76

Joined 08-25-2007

Yup, it makes it really easy to change permissions in the database, plus its really fast since it only does 1 query.

I finished making the code, here it is:

function check()
    {
        $_pass = false;

        $_group = $this->obj->session->userdata('group_id');

        if ( $this->obj->session AND $this->obj->config->item('CL_Auth') AND !empty($_group) )
        {
            $_controller = '/'.$this->obj->uri->rsegment(1);
            $_action = $_controller.'/'.$this->obj->uri->rsegment(2);

            $query = $this->obj->group_uri->findURI(array($_controller, $_action), $_group);

            if ( $query->num_rows() )
            {
                $data = $query->row();

                $_pass = true;
                $this->_fullAccess = $data->is_admin;
            }
            else
            {
                $query = $this->obj->group_uri->globalAccess($_group);

                if ( $query->num_rows() )
                {
                    $data = $query->row();

                    $_pass = true;
                    $this->_fullAccess = $data->is_admin;
                }
            }
        }

        if ( $_pass == false )
        {
            $this->denyAccess($_group);
        }
    }

    function isAdmin()
    {
        return $this->_fullAccess;
    } 

So all you do is call “$this->auth->check()” at the top of the controller if you want to protect it all, or sit it within an action.

Heres the model as well:

function findURI($_uri=array(), $_group_id)
    {
        $this->db->where_in('request_uri', $_uri);
        $this->db->where('group_id', $_group_id);

        return $this->db->get($this->_table);
    }
    
    function globalAccess($_group_id)
    {
        $this->db->where(array('group_id' => $_group_id, 'request_uri' => '/'));
        return $this->db->get($this->_table);
    } 

Some example data too:

group_id | request_uri | is_admin

1   |   /            |   1
2   |   /home        |   1
3   |   /home/test   |   0 

Signature

My Website | My Project
CL Auth BETA v0.2 - Authentication Library
CL Auth Documentation

Profile

webthink

Posted: 13 March 2008 10:53 AM

[ Ignore ] [ # 5 ]

Lab Assistant

Total Posts: 183

Joined 02-25-2008

Neat stuff. You wouldn’t need to sit it within an action at all actually because the constructor would get called regardless of the action and then the check function would handle the permissions based on permissions for each action depending on the uri. So really all you’d need is $this->auth->check() in the constructor and assuming you remembered to add the appropriate permissions in the table all your actions would be covered.
Of course any custom routes might be worth thinking about.

Signature

Webthink.ca - a CodeIgniter/Kohana Shop

Profile

FlashUK

Posted: 13 March 2008 11:20 AM

[ Ignore ] [ # 6 ]

Grad Student

Total Posts: 76

Joined 08-25-2007

webthink - 13 March 2008 02:53 PM

Of course any custom routes might be worth thinking about.

You don’t need to worry about custom routes. The function uses “rsegment” which re-routes the path and confirms the true path.

webthink - 13 March 2008 02:53 PM
... You wouldn’t need to sit it within an action at all actually because the constructor would get called regardless of the action ...

You only need to include it in the action if you don’t include the check() in the constructor. You would do this only in a controller when you want to protect one action (which is highly unlikely). Otherwise, you would have to add granted access for guests/normal users in the database which can be cumbersome.

Signature

My Website | My Project
CL Auth BETA v0.2 - Authentication Library
CL Auth Documentation

Profile

webthink

Posted: 13 March 2008 11:24 AM

[ Ignore ] [ # 7 ]

Lab Assistant

Total Posts: 183

Joined 02-25-2008

Hmm yeah could be cumbersome but perhaps if you could add wildcards or something like this to the table
/controller/*any*
where the presence of *any* can be overridden by specific (real) actions controller/update

Signature

Webthink.ca - a CodeIgniter/Kohana Shop

Profile

FlashUK

Posted: 13 March 2008 11:33 AM

[ Ignore ] [ # 8 ]

Grad Student

Total Posts: 76

Joined 08-25-2007

There is a check for this already, it checks for “/controller” together with the action as well. If the action doesn’t exist as a record but “/controller” does, then it automatically overrides the call.

$this->obj->group_uri->findURI(array($_controller, $_action), $_group);

...

    function findURI($_uri=array(), $_group_id)
    {
        $this->db->where_in('request_uri', $_uri);
        $this->db->where('group_id', $_group_id);

        return $this->db->get($this->_table);
    } 

Signature

My Website | My Project
CL Auth BETA v0.2 - Authentication Library
CL Auth Documentation

Profile

FlashUK

Posted: 16 April 2008 05:27 AM

[ Ignore ] [ # 9 ]

Grad Student

Total Posts: 76

Joined 08-25-2007

Just an update to this thread.

I have created a completely new auth system using this method. I shall be releasing it in BETA form when I am happy with it for public testing. It’s quite an extensive system and has everything you would expect from a login library.

Signature

My Website | My Project
CL Auth BETA v0.2 - Authentication Library
CL Auth Documentation

Profile

Buch

Posted: 12 July 2008 10:26 AM

[ Ignore ] [ # 10 ]

Summer Student

Total Posts: 13

Joined 07-09-2008

Dude keep up the good work Love this! And will be using it for my site You should make more stuff
And could ya perhaps do a start guide of an interface ?? Im very new to CI so I havent learned all commands and such yet.