
I've been doing PHP for years and know how to check if a user is logged in and all that but I can't find a good example of how to do it in the MVC way.

I was thinking if the Controllers for the members pages are like members/memberpage1, members/memberpage2 then I could check the start of the Controller with a regular expression for the word "members" and if it returns true I could then do my check to see if the user is logged in. It would probably work but is it the best way?

Also, for the members pages in the controllers folder is it better to put them in a subfolder called "members" within the controllers folder? I'd definitely be doing that with the views anyway.

David

2 Answers


The best option would be to check users' access rights outside the controller. Authorization is not the responsibility of the controller. You would be breaking SRP. If you want to see how it can be implemented, read this topic: ACL implementation.

As for member-only areas of the site, the decision about whether to show them or to display an error can be handled either before accessing the controller, or by the Views (you might have some restricted views, if you have active views instead of passive ones).

Though more often you would have both parts involved: authorization service changes the state in model layer, and then view reacts to that change by choosing to include error-message template in the presentation.

tereško

Everyone does it a different way. I tried building a small MVC framework for PHP and this is the way I did authentication (much like the Rails way really :)

Had a 'SessionsController'

The SessionsController contained a method called 'user_is_logged_in' and that returned the current state of the user's session. This method was then added to a special method '_before' on any class I wanted to secure.

The main application always ran a controller's _before action before any other methods if it existed. You could also pass 'except' into it to stop it executing on certain actions, so it was just a case of checking if the user was logged in in that action.

Of course there are probably more compliant ways to do it as @tereško greatly suggested but it worked for the small application I was working on.

andy
  • Complexity is in the eye of the beholder. You are suggesting to have authorization-related code in each controller. This can become an issue in larger projects, or when you are maintaining some older ones. What will happen if you need to add another access level `user, admin` => `user, moderator, admin`? You will have to go through each of the controllers and manually change the access rules. Basically, your controllers gain aspects of storage... they store authorization rules. – tereško Jul 17 '12 at 11:25
  • At the very max you are going through and writing 3 lines of code per controller. That being said, if you are dealing with an amount of controllers and would suddenly need to change the roles like you said (not quite sure at all why you would need to do that if you've organised everything correctly) then you can throw the before action in the application controller and just have the except in each controller. – andy Jul 17 '12 at 12:07
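Added example, not code from the question or either answer: a minimal front controller that runs a controller's `_before` hook (honouring an `except` list) before the action, as andy's answer describes, so the login check happens in the dispatcher rather than being repeated inside each action, which is the direction tereško's answer points to. Class, method and session key names are assumptions.

```php
<?php
declare(strict_types=1);
session_start();

class SessionsController
{
    // Reports whether the current session carries an authenticated user id (assumed key).
    public static function userIsLoggedIn(): bool
    {
        return isset($_SESSION['user_id']);
    }
}

class MembersController
{
    // Actions reachable without a login; every other action is guarded by _before().
    public array $except = ['index'];

    // Run by the dispatcher before any action not listed in $except.
    public function _before(): bool
    {
        if (SessionsController::userIsLoggedIn()) {
            return true;
        }
        http_response_code(403);
        echo "Login required\n";
        return false; // stops dispatch
    }

    public function index(): void   { echo "Public members landing page\n"; }
    public function profile(): void { echo "Profile of user " . (int) $_SESSION['user_id'] . "\n"; }
}

// Front controller: honour _before() (minus exceptions) before calling the action.
// Hook methods (leading underscore) and unknown actions are never dispatched.
function dispatch(object $controller, string $action): void
{
    if ($action === '' || $action[0] === '_' || !method_exists($controller, $action)) {
        http_response_code(404);
        return;
    }
    $guarded = method_exists($controller, '_before')
        && !in_array($action, $controller->except ?? [], true);
    if ($guarded && !$controller->_before()) {
        return;
    }
    $controller->$action();
}

dispatch(new MembersController(), (string) ($_GET['action'] ?? 'index'));
```

Because the check lives in `dispatch()`, moving from a simple logged-in test to role-based rules (the `user, moderator, admin` case raised in the comments) only changes the hook or the dispatcher, not every controller.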