
I'm developing an application in CodeIgniter and a problem came up:

I have several functions that access the database, which are routed like this:

controller/function/variable
employees/deleteEmployee/4

So, anyone who puts this in the URL is going to delete the employee.

How can I allow only a logged-in admin user to access these functions? Is there a simple and well-accepted way? Must I check every time whether there is a user logged in and whether this user has the permission?

Regards,

  • possible duplicate of [CodeIgniter authentication + user privileges](http://stackoverflow.com/questions/4977707/codeigniter-authentication-user-privileges) – Jonathan Apr 27 '15 at 19:33
  • Add a check in your controller's __construct method. It will be checked on every call. – Vincent Decaux Apr 27 '15 at 19:34

1 Answer


Here is the URL for the reference...

https://ellislab.com/codeigniter/user-guide/general/hooks.html

Here is the simple example

Copy this piece of code as checksession.php and save it in /application/hooks

    <?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

    class Checksession
    {
        private $CI;

        public function __construct()
        {
            $this->CI =& get_instance();
            // The hook runs outside any controller, so make sure the session
            // library and the url helper (for redirect()) are available even
            // when they are not autoloaded.
            $this->CI->load->library('session');
            $this->CI->load->helper('url');
        }

        public function index()
        {
            // Let the login controller itself through, otherwise the redirect loops.
            if (strtolower($this->CI->router->fetch_class()) != "login") {
                // session check logic here...change this accordingly
                // userdata() returns FALSE/NULL when the key is not set, so this
                // does not raise an "undefined index" notice for anonymous visitors.
                if ( ! $this->CI->session->userdata('userid')) {
                    redirect('login'); // redirect() calls exit(), the controller never runs
                }
            }
        }
    }

Copy this code in /application/config/hooks.php

$hook['post_controller_constructor'] = array(
                                'class' => 'checksession',
                                'function' => 'index',
                                'filename' => 'checksession.php',
                                'filepath' => 'hooks'
);

Enable hooks in /application/config/config.php

$config['enable_hooks'] = TRUE;

Hope this helps.
Good Luck and Happy Coding

Satish Ravipati
  • Thanks for the help, but this solves only half of my problem. I have 3 types (roles) of users in my application: admin, managers and employees. - Admin can do everything - Managers can do a lot - Employees are very restricted. So I must set the permissions of every constructor according to the role in the session. But I think I can do it from here, creating an array in every method specifying the roles permitted, and then checking it in this hook you've posted. Right? Thanks in advance. – Lucas Peixoto de Lima May 07 '15 at 16:31
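The following is an added example (not from the answer above, and not CodeIgniter's own code) that extends the hook idea to the role check the asker describes in the comment: one post_controller_constructor hook that first requires a session and then looks the controller and method up in a default-deny access map. The class name Checkaccess, the map contents, and the session keys 'userid' and 'role' are assumptions; the API calls (get_instance(), router->fetch_class()/fetch_method(), session->userdata(), redirect(), show_error()) are standard CodeIgniter 2.x/3.x.

```php
<?php
if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/**
 * Added example: post_controller_constructor hook enforcing login plus a
 * per-controller, per-method role check. Save as /application/hooks/checkaccess.php
 * (hypothetical name) and register it in /application/config/hooks.php the same
 * way the answer registers checksession.php.
 */
class Checkaccess
{
    private $CI;

    // Hypothetical access map: controller => (method => roles allowed).
    // A '*' method entry applies to every method of that controller.
    // Anything NOT listed here is denied (default deny).
    private $acl = array(
        'employees' => array(
            'index'          => array('admin', 'manager', 'employee'),
            'view'           => array('admin', 'manager', 'employee'),
            'edit'           => array('admin', 'manager'),
            'deleteEmployee' => array('admin'),
        ),
        'reports' => array(
            '*' => array('admin', 'manager'),
        ),
    );

    // Controllers reachable without any session (the login page itself).
    private $public = array('login');

    public function __construct()
    {
        $this->CI =& get_instance();
        $this->CI->load->library('session');
        $this->CI->load->helper('url');
    }

    public function index()
    {
        // Normalise casing: PHP method names are case-insensitive, so
        // employees/deleteemployee/4 reaches the same code as deleteEmployee.
        $class  = strtolower($this->CI->router->fetch_class());
        $method = strtolower($this->CI->router->fetch_method());

        if (in_array($class, $this->public, TRUE)) {
            return;
        }

        $userid = $this->CI->session->userdata('userid');
        $role   = $this->CI->session->userdata('role');

        // Not logged in at all: send to the login page (redirect() exits).
        if (empty($userid)) {
            redirect('login');
        }

        // Logged in, but this role may not call this method: stop with 403.
        if ( ! $this->allowed($class, $method, $role)) {
            show_error('You do not have permission to perform this action.', 403);
        }
    }

    // Returns TRUE only when the map explicitly allows $role on $class/$method.
    public function allowed($class, $method, $role)
    {
        $class = strtolower($class);
        if ( ! isset($this->acl[$class])) {
            return FALSE;
        }
        // Lower-case the method keys so the lookup matches the normalised URL.
        $rules = array_change_key_case($this->acl[$class], CASE_LOWER);
        $method = strtolower($method);

        if (isset($rules[$method])) {
            return in_array($role, $rules[$method], TRUE);
        }
        if (isset($rules['*'])) {
            return in_array($role, $rules['*'], TRUE);
        }
        return FALSE;
    }
}
```

Two points worth keeping in mind with this layout. First, the map is deliberately default-deny: a new controller or method is unreachable until someone adds it, so forgetting the check fails closed rather than open. Second, this only stops users who are not allowed to delete; it does not stop a logged-in admin from being tricked into following a link to employees/deleteEmployee/4, because the action still runs on a plain GET. For state-changing actions, accept only POST and turn on CodeIgniter's built-in token check with $config['csrf_protection'] = TRUE; in /application/config/config.php.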