
I use same header for all pages, which include:

  • user authentication code,
  • logo & main menu html,
  • login information (username, logout button / login-register buttons when not logged in).

Now to the question.

How to check if pages are public (accessible for non-registered users) or not? I usually redirect the non-registered users to the login page, but how to handle it when some pages are public and some are not? I obviously can't use the header since it is page independent. Is putting the public condition on every single page a good idea?

Bot
Biker John

3 Answers

You will need to store whether each page is public or private, either in the file or in the database. Otherwise, how will you know if it is a public or private page? I myself would recommend this be done in a database so that you don't hard-code this type of setting. Should you wish to change the page in the future, all you have to do is log in to the back end and make the change.

Bot

You want to implement ACL, which stands for Access Control List.

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an ACL that contains (Alice, delete), this would give Alice permission to delete the file.

You didn't mention how you handle the routing in your application, but you can have a look at the articles below for a brief explanation of the concept.

Creating a custom ACL in PHP

or read about Role Based Access Control:

Role based access control

Community
Kasia Gogolek

The way I solve this is by lazy-loading my authentication layer; it's a utility class that uses a session (by default it uses session_xyz() functions and $_SESSION) to determine whether a user is signed in or not.

The pages that require the knowledge of the currently signed in user will have this piece of code at the top:

    $user = SiteConfig::getSharedAuth()->ensureLoggedIn();

That line of code will lazy-load the authentication object which returns the currently signed in user, always. To do this, the object code performs the following steps:

  1. resume session
  2. if session can be resumed, find the user object in $_SESSION['_user']
  3. if user object found, return it
  4. if user object is not found, store current path in session and redirect to /login
  5. when login is done, store user object in the session and redirect to the stored path
  6. go back to step 1.

So to conclude, pages are public by default unless stated otherwise :)

Ja͢ck
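As an added illustration of the six steps in the last answer (this is example code, not the answerer's own class), a minimal PHP helper with one non-redirecting lookup for the shared header and one redirecting check for private pages. The class name `Auth`, the method names and the `_return_to` session key are assumptions; `$_SESSION['_user']` and `/login` come from the answer.

```php
<?php
// Added example (not from the original answers). Class and method names
// are assumptions; only $_SESSION['_user'] and /login come from the answer.
final class Auth
{
    private function resumeSession(): void
    {
        // Step 1: resume (or start) the session exactly once per request.
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }

    // Steps 2-3 without the redirect: safe to call from the shared header,
    // returns null for anonymous visitors so public pages keep working.
    public function currentUser(): ?array
    {
        $this->resumeSession();
        return $_SESSION['_user'] ?? null;
    }

    // Steps 1-4: only private pages call this. Remembers the request path
    // and sends the visitor to /login when no user object is in the session.
    public function ensureLoggedIn(): array
    {
        $user = $this->currentUser();
        if ($user !== null) {
            return $user;
        }
        $_SESSION['_return_to'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: /login', true, 302);
        exit;
    }

    // Step 5: the login page calls this after the credentials were verified.
    public function login(array $user): string
    {
        $this->resumeSession();
        session_regenerate_id(true);       // fresh id after the privilege change
        $_SESSION['_user'] = $user;
        $target = $_SESSION['_return_to'] ?? '/';
        unset($_SESSION['_return_to']);
        // Accept only a local absolute path (not //host or /\host) so the
        // stored value can never redirect the user to another site.
        if (!preg_match('#^/(?![/\\\\])#', $target)) {
            $target = '/';
        }
        header('Location: ' . $target, true, 302);
        return $target;
    }
}
```

In this layout header.php calls `currentUser()` to draw the menu and login/logout buttons, while a private page starts with `$user = $auth->ensureLoggedIn();` and a public page simply never calls it.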