Code Igniter User Permissions - A Simple Solution
Recently a client requested a massive user permission based application supporting thousands of articles and updateable permissions for their users. This was tough considering AFAIK - CI does not have a native model for this type of application, so I had to figure it out myself.
The application needed a way to determine a user's permitted actions based on a session containing the user's “permission level” pulled from the database - if the user is created as an administrator the “permission” row value is “admin”. If it is an authenticated paying customer, the “permission” value is set to “private”, and if it is empty then the user session is created as “public”.
Some users are subscribed to only a limited number of “courses”, so this required another table. I created a table called course_permissions with three columns - “id”, “course_id” and “user_id” - which allowed me to inner join all of the required tables (“courses”, “users”, “course_permissions”) to determine which user was subscribed to which course (thanks Craig).
So I got all of the permission level stuff sorted out but I needed a nice way for the computer r-tard to update permissions for individual users, if need be. I downloaded jQuery and UI to complete this task.
Using jQuery UI I was able to create two list boxes - the Left contained a pool of all available courses, and the Right contained the users. This was actually quite easy to implement and now the administrator has a very simple drag and drop course selector module. I will explain it if someone asks and even post some of the source.
The administrative interface grew and became very polished because I was dreading having to drop an “if” in the first line of every privatized action to make sure only the right people were getting in, so this is what I did.
Step 1.
First I autoloaded a model I created called init.php; this model basically creates site titles automatically, grabs the description and keywords from the admin settings, etc. I plopped in a simple switch to inspect the URI segments, compare them against a static set of arrays containing possible user actions, and then redirect or die accordingly.
Example :
switch ($user_permissions) {
    case "public":
        $segmentOne = array("view", "courses", "user");
        $segmentTwo = array("page", "login", "article");
        break;
    default:
        // Unknown or empty level: allow nothing (default deny)
        $segmentOne = array();
        $segmentTwo = array();
        break;
}
if (!in_array($action, $segmentOne)) {
    // A return here would skip die(); print the message, then stop
    echo "You do not have permission to access this page";
    die();
}
This is a VERY basic example however it demonstrates how to jail users into certain actions without having to code it directly into each function.
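A fuller version of the same idea, written here as an added example rather than the post's own code: the per-level whitelist lives in one array of “controller/method” routes, the empty level is normalised to “public” as the post describes, and anything not listed (including an unknown level) is denied. The class and method names (Init, route_allowed, enforce) and the route lists are illustrative, not from the post.

```php
<?php
// Added example (not the post's code): default-deny whitelist of
// controller/method routes per permission level, checked once from an
// autoloaded model instead of inside every action.

class Init
{
    // Permission level => routes it may reach. Anything not listed is denied.
    // Route lists are constructed for illustration.
    private $allowed = array(
        'public'  => array('view/page', 'user/login', 'courses/article'),
        'private' => array('view/page', 'user/login', 'user/logout',
                           'courses/article', 'courses/mine'),
        'admin'   => array('*'),  // '*' means every route
    );

    // $level is the session's "permission" value; empty means "public",
    // matching the post. $segments are the URI segments,
    // e.g. array('courses', 'article', '42').
    public function route_allowed($level, array $segments)
    {
        if ($level === '' || $level === null || $level === false) {
            $level = 'public';
        }
        if (!isset($this->allowed[$level])) {
            return false;                          // unknown level: deny
        }
        $controller = isset($segments[0]) ? $segments[0] : 'view';
        $method     = isset($segments[1]) ? $segments[1] : 'index';
        $route      = strtolower($controller) . '/' . strtolower($method);

        $list = $this->allowed[$level];
        return in_array('*', $list, true) || in_array($route, $list, true);
    }

    // Call this once per request (e.g. from the model's constructor).
    public function enforce($level, array $segments)
    {
        if (!$this->route_allowed($level, $segments)) {
            header('HTTP/1.1 403 Forbidden');
            die('You do not have permission to access this page');
        }
    }
}

// Constructed sample checks (not from the post):
$init = new Init();
var_dump($init->route_allowed('public', array('courses', 'article')));
var_dump($init->route_allowed('public', array('courses', 'mine')));
var_dump($init->route_allowed('',       array('view', 'page')));
var_dump($init->route_allowed('admin',  array('admin', 'permissions')));
```

Using strict in_array() and a default branch that denies keeps a typo in a level name or a new controller from silently becoming public; it also means every new route must be added to the list before anyone can reach it, which is the safer failure mode.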
Now, a problem I faced with this solution is that POST variables can still be sent and inserted, so I needed a way to completely lock down a function. Here’s what I did.
I created another method in init.php called lockdown($level).
This function takes one parameter ($level) and compares it against the current session. To completely lock down any function for administrative use only, I just put $this->init->lockdown(”admin”); for private users I can put $this->init->lockdown(”private”). I then went over all of my functions and passed an array of which user levels can access each specific function.
I initially wanted to avoid having to put an if in front of every function but with this method I can safely put it in the first line of every function and trust access is being granted to only the users it should be.
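One way to write that lockdown() method, as an added example and not the post's source: the check runs inside the action itself, so a POST aimed straight at the method is stopped just like a GET, and the accepted levels are passed as an array as the post describes. The Session class is a stand-in for CodeIgniter's session library, and the Courses controller and its actions are hypothetical.

```php
<?php
// Added example (not the post's code): per-action lockdown that accepts a
// single level or an array of levels and denies everything else.

// Stand-in for CodeIgniter's session library (assumption, not CI's code).
class Session
{
    private $data;
    public function __construct(array $data) { $this->data = $data; }
    public function userdata($key)
    {
        return isset($this->data[$key]) ? $this->data[$key] : false;
    }
}

class Init
{
    private static $known = array('public', 'private', 'admin');
    private $session;

    public function __construct(Session $session) { $this->session = $session; }

    // Returns true when the session's level is one of $allowed. A missing,
    // empty or unrecognised level is treated as "public".
    public function permitted($allowed)
    {
        $allowed = (array) $allowed;
        $level   = $this->session->userdata('permission');
        if (!in_array($level, self::$known, true)) {
            $level = 'public';
        }
        return in_array($level, $allowed, true);
    }

    // First line of every privatised action: stop the request unless the
    // current session level is permitted, regardless of GET or POST.
    public function lockdown($allowed)
    {
        if (!$this->permitted($allowed)) {
            header('HTTP/1.1 403 Forbidden');
            die('You do not have permission to access this page');
        }
        return true;
    }
}

// Hypothetical controller showing the calls the post describes.
class Courses
{
    private $init;
    public function __construct(Init $init) { $this->init = $init; }

    // Administrative action: only "admin" may reach it.
    public function update_permissions()
    {
        $this->init->lockdown('admin');
        // ... write course_permissions rows here ...
    }

    // Paying customers and administrators may read an article.
    public function article($id)
    {
        $this->init->lockdown(array('private', 'admin'));
        // ... render the article ...
    }
}

// Constructed sessions (not from the post):
$admin   = new Init(new Session(array('permission' => 'admin')));
$visitor = new Init(new Session(array()));
var_dump($admin->permitted('admin'));
var_dump($visitor->permitted(array('private', 'admin')));
```

Because the decision is made from the session value rather than from the URI, the lockdown holds even when a request bypasses the routing check, which is exactly the gap the URI-segment switch left open.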
I will have a video showcasing this application within the next few days, I will definitely add it to this post.
Mr. Confusious say : leave a comment if you’re stumped.