限制用户未经授权的访问 [英] Restrict user from unauthorized access
问题描述
我目前正在 Codeigniter 框架中开发应用程序.我的项目由具有不同操作的不同级别的用户组成.
I am currently developing an application in Codeigniter framework. My project consists of different levels of users who have different operations.
我创建了一个 Default_model
来处理与数据库的所有交互.所有控制器都与此单一模型交互.
I have created a Default_model
which handles all the interactions with database. All controllers interact with this single model.
每个用户在注册时都有一个由其选择的名称(他仅在获得管理员的配置文件批准后才能访问配置文件.)
Each user has a designation chosen by the user at the time of registration (He gets to access profile after getting profile approval by Admin only).
我的实现方式
让 user1
注册为 Level1
,他可以访问名称为 operation1
Let a user1
is registered with designation Level1
and he can access an operation with the name operation1
我当前正在做的事情是在控制器中编写一个函数, user1
通过 www.example.com/page/operation1
访问该操作.在此函数中,我检查用户的指定( ==="level1"
),如果他具有访问我从数据库中检索到的函数的权限(将所需数据加载到控制器的构造函数中,包括名称,则在会话中设置了 userid
.如果名称(如果不是 level1
)不正确,则会显示 404
.
What I am doing currently is written a function in controller and the user1
access the operation by www.example.com/page/operation1
. Here in the function I check for the designation of the user (==="level1"
) if he has authorization to access the function which I retrieved from the database(Load needed data in constructor of controller includes designation, userid
is set in session).If the designation (if not level1
) is incorrect 404
is shown.
当前,我在模型中没有指定检查.如果调用了模型中的函数,它将返回数据.我是否需要再次检查他是否在模型中得到了授权?在我的情况下,是否有更通用或更易于实现的方法?
Currently I do not have designation checking in the model. If the function in the model is called it returns the data. Do I have to again check if he is authorized in the model? Is there a more generic or easy to implement approach to my scenario?
更新
控制器: page.php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');
class Page extends CI_Controller {
public $id;
public function __construct() {
parent::__construct();
//load libraries and model(Default_model) here
$this->id = $this->getData(); //loading data from DB, returns FALSE if session empty
if ($this->id) {
//has data
} else {
$data = array(
'error' => 'Login to continue. <a href="' . base_url() . '">CLICK HERE</a>'
);
$this->load->view('error_view', $data);
}
}
public function operation1()
{
if($this->id->designation === 1)
{
//call model method because he is LEVEL 1 user
}
}
}
推荐答案
您可以利用钩子以这种简单的方式只写一次
You can utilize hooks for that easy way write once only
第1步:
在config.php中启用钩子
enable hooks in config.php
$ config ['enable_hooks'] = TRUE;
步骤2:使用像这样的钩子的post_controller_constructor: Location/config/hooks.php
step 2:
use post_controller_constructor of hooks like this : Location /config/hooks.php
$hook['post_controller_constructor'] = array(
'class' => 'Auth_module',
'function' => 'index',
'filename' => 'Auth_module.php',
'filepath' => 'hooks',
'params' => array()
);
上面的代码Auth_module.php位于文件夹application/hooks/Auth_module.php中,函数名称是在调用的类的构造函数之后调用该函数的索引
像Auth_module.php这样的代码
the Auth_module.php code like
<?php
class Auth_module {
var $CI;
var $user_id;
var $role_id;
var $collegeId;
public function __construct() {
$this->CI = & get_instance();
$this->CI->load->library('session'); //if it's not autoloaded in your CI setup
$admin_user_data = $this->CI->session->userdata('admin_user_data');
$this->CI->load->model('admin_model');
$this->CI->load->library('user_agent');
}
public function index() {
if (!empty($this->user_id)) {
$class= $this->CI->router->fetch_class();
$method= $this->CI->router->fetch_method();
$role_name = $this->getRoleName($this->role_id);
if ($role_name) {
$Adminpermission = $this->CI->admin_model->getPermissions($class,$role_name);
$Adminpermission_lower = array();
foreach($Adminpermission as $mm_name)
$Adminpermission_lower[] = strtolower($mm_name);
if(!empty($Adminpermission)){
if(in_array($method, $Adminpermission) || in_array($method, $Adminpermission_lower)){
$log_data['access'] = 'success';
//* all is ok here*/
}else if($class !='dashboard' and $class !='admin'){
$message='You don\'t have permissions to access this module. Please contact your administrator.';
$this->redirectMethod($message,$class);
$log_data['access'] = 'failed';
}
}else if($class !='dashboard' and $class !='admin'){
$message='You don\'t have sufficient permissions.please contact your administrator.';
$this->redirectMethod($message);
$log_data['access'] = 'not defined in db';
}
}
else if($class !='dashboard' and $class !='admin') {
$message='Request role is not defined. Please contact to your administrator or mail : test@test.com .';
$this->redirectMethod($message);
$log_data['access'] = 'role name not defined';
}
}
}
public function redirectMethod($message,$class=''){
$message = "<div class='alert alert-danger' role='alert'>".$message."</div>" ;
$this->CI->session->set_flashdata('flashMessage', $message);
if($class==null){
redirect('dashboard');
}else{
redirect($class);
}
}
public function getRoleName($id) {
$master_db = $this->CI->load->database('master', TRUE);
$result = $master_db->query("select role_name from role where id='$id'");
$num_rows = $result->num_rows();
if ($num_rows == 1) {
return $result->row()->role_name;
} else {
return false;
}
}
}
根据您的要求修改身份验证文件.
Modify auth file as per your requirement.
这篇关于限制用户未经授权的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!