Access Control Levels

One of the things missing from CodeIgniter is access control levels (ACL), or access control libraries as some might say. Drupal has an excellent ACL out of the box, so I decided to make one for regular use on CodeIgniter.

Now I want to make sure that this ACL can be used either through roles or on an individual basis. Groups, for me, are a collection container of people that are linked together. Individuals still have a role within their group(s), which is why I think it’s important to set access against individual members. However, you can still use roles as a way to set an individual’s permissions.

The key is to separate the login functionality from the access function. This lets the programmer decide how to set up the permissions.

Each content type has a set of access rules. Each user has a set of permissions. How the user gets the permissions is up to you, as long as they’re stored in the user’s session in the correct format.

$data = array(
    'is_logged_in' => true/false,
    'uid'          => $uid,        // the user's id (filled from the users table at login), not a boolean
    'is_admin'     => true/false,
    'permissions'  => array(
        'content type or group' => array(
            'add'        => true/false,
            'view own'   => true/false,
            'view all'   => true/false,
            'update all' => true/false,
            'update own' => true/false,
            'delete own' => true/false,
            'delete all' => true/false,
        ),
    ),
);

$this->session->set_userdata($data);

Personally I would save the permissions as a serialized array in a field in the users table called permissions.

Setting it is easy. Once you’ve checked the user login, just add it to the session array.

$query = $this->db->select('uid, is_admin, permissions') // plus whatever else you need
                  ->where('username', $this->input->post('username'))
                  ->where('password', whateverhash($this->input->post('password'))) // your password hashing function
                  ->get('users');

if ($query->num_rows() == 1) {
    $row = $query->row();

    $data['is_logged_in'] = TRUE;
    $data['uid']          = $row->uid;
    $data['is_admin']     = $row->is_admin;
    $data['permissions']  = unserialize($row->permissions);

    $this->session->set_userdata($data);
}

The controller method then needs to call the ACL. The uid is only needed for individual content entries.

function edit_post($post_id = null)
{
    $this->load->library('acl');

    // You MUST validate user input. Easy if it's an id number: just use is_numeric().
    if (!is_numeric($post_id)) {
        show_404();
    }

    $access = $this->acl->check_permission(array('name' => 'post', 'action' => 'update', 'uid' => $post_id));

    if (!$access) {
        // kick them out or whatever
    }
}
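As an added example (not the post’s own library), here is a stand-alone version of the check_permission logic the controller calls, resolving an action plus record id into the "own"/"all" permissions of the session layout above. It assumes the session array is passed in directly and that the caller supplies an owner lookup ($owner_of) mapping a record id to the uid that owns it; both are assumptions for this example.

```php
<?php
// Stand-alone check_permission over the session layout above (added example, not
// the post's library). $owner_of is an assumed caller-supplied lookup: record id -> owner uid.
function acl_check_permission(array $session, array $rule, $owner_of = null)
{
    // Deny by default: anonymous sessions get nothing.
    if (empty($session['is_logged_in'])) {
        return false;
    }
    // Admins bypass the per-content-type rules.
    if (!empty($session['is_admin'])) {
        return true;
    }
    $name   = isset($rule['name'])   ? $rule['name']   : '';
    $action = isset($rule['action']) ? $rule['action'] : '';
    if (!isset($session['permissions'][$name])) {
        return false;
    }
    $perms = $session['permissions'][$name];
    // 'add' has no own/all split.
    if ($action === 'add') {
        return !empty($perms['add']);
    }
    if (!in_array($action, array('view', 'update', 'delete'), true)) {
        return false; // unknown action: deny rather than guess
    }
    // "<action> all" applies regardless of who owns the record.
    if (!empty($perms[$action . ' all'])) {
        return true;
    }
    // "<action> own" needs a numeric record id and an ownership lookup.
    if (empty($perms[$action . ' own']) || !isset($rule['uid'])
        || !is_numeric($rule['uid']) || !is_callable($owner_of)) {
        return false;
    }
    return (int) $owner_of((int) $rule['uid']) === (int) $session['uid'];
}

// Constructed sample session: user 42 may add posts, view all, update only their own.
$session = array(
    'is_logged_in' => true, 'uid' => 42, 'is_admin' => false,
    'permissions'  => array('post' => array(
        'add' => true, 'view all' => true, 'update own' => true, 'delete own' => false,
    )),
);
// Constructed owner lookup: post 7 belongs to user 42, anything else to user 99.
$owner_of = function ($post_id) { return $post_id === 7 ? 42 : 99; };
var_dump(acl_check_permission($session, array('name' => 'post', 'action' => 'update', 'uid' => 7), $owner_of));
var_dump(acl_check_permission($session, array('name' => 'post', 'action' => 'update', 'uid' => 8), $owner_of));
var_dump(acl_check_permission($session, array('name' => 'post', 'action' => 'delete', 'uid' => 7), $owner_of));
```

The three calls exercise an update on the user’s own post, an update on someone else’s post, and a delete where only 'delete own' is present and false.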
