MVC access control

Hi

Ive written my own MVC framework, which uses the mod_rewrite apache tool... first part of the url is the controller and second part is the 'action'... some of my controllers have functionality which is publicly available, and other functionality which i want to restrict to logged in users...

i figure i can create some sort of array with all of the forbidden action names in it and run a check, but i am hoping theres a better option? any ideas?

thanks
lworks

2

Contributors

1

Reply

9 Hours

Discussion Span

2 Years Ago

Last Updated

3

Views

lifeworks

Junior Poster

146 posts since Nov 2007

Reputation Points: 15

Solved Threads: 2

Skill Endorsements: 0

2 Years Ago

0

Somewhere you do need to create a list of which actions can be executed by which users.

If you've got a large number of users, the best way to do this is with access control groups. This simply means you put users into certain groups (for example, "editors", "administrators", etc), then assign rights to those groups. When you want to update the privileges of a given user, you then only need to put them in the right group, rather than assigning them a bunch of different, individual rights.

Also, you'll want to shift your thinking from a blacklist of actions a user/group isn't allowed to run, to a whitelist of actions a user/group is allowed to run. That way, if you add a new action, nobody gets it by default & you have to purposefully give people access to that action.

quasipickle

Light Poster

49 posts since Oct 2010

Reputation Points: 10

Solved Threads: 13

Skill Endorsements: 0

MVC access control

This article has been dead for over three months: Start a new discussion instead