
MVC access control

lifeworks

Hi

I've written my own MVC framework, which uses the mod_rewrite Apache tool... first part of the URL is the controller and second part is the 'action'... some of my controllers have functionality which is publicly available, and other functionality which I want to restrict to logged-in users...

I figure I can create some sort of array with all of the forbidden action names in it and run a check, but I am hoping there's a better option? Any ideas?

thanks
lworks

quasipickle

Somewhere you do need to create a list of which actions can be executed by which users.

If you've got a large number of users, the best way to do this is with access control groups. This simply means you put users into certain groups (for example, "editors", "administrators", etc), then assign rights to those groups. When you want to update the privileges of a given user, you then only need to put them in the right group, rather than assigning them a bunch of different, individual rights.

Also, you'll want to shift your thinking from a blacklist of actions a user/group isn't allowed to run, to a whitelist of actions a user/group is allowed to run. That way, if you add a new action, nobody gets it by default & you have to purposefully give people access to that action.
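
The group-based, deny-by-default whitelist described in the answer above, as an added example that is not code from either poster. It is written in Python because the thread does not name the framework's language; the group names, routes, users and the `parse_route`, `is_allowed` and `dispatch` helpers are all hypothetical.

```python
# Added example: deny-by-default action whitelist keyed by group.
# All groups, controllers, actions and users below are constructed.

PUBLIC = "public"  # pseudo-group every visitor belongs to, logged in or not

# Whitelist: (controller, action) -> groups allowed to run it.
# Anything not listed here is denied for everyone.
ACL = {
    ("article", "view"):   {PUBLIC},
    ("article", "edit"):   {"editors", "administrators"},
    ("article", "delete"): {"administrators"},
    ("user", "login"):     {PUBLIC},
    ("user", "profile"):   {"members", "editors", "administrators"},
}

# User -> groups; changing a user's rights means editing this mapping only.
USER_GROUPS = {
    "alice": {"administrators"},
    "bob": {"editors"},
    "carol": {"members"},
}


def parse_route(path):
    """Split '/controller/action/...' into a lowercased pair, or None.
    Lowercasing keeps '/Article/Edit' from missing the ACL entry."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    if len(parts) < 2:
        return None
    return parts[0].lower(), parts[1].lower()


def is_allowed(user, path):
    """Return True only if a whitelist entry grants one of the user's groups."""
    route = parse_route(path)
    if route is None:
        return False
    allowed_groups = ACL.get(route)
    if allowed_groups is None:
        return False  # new or unlisted action: nobody gets it by default
    groups = {PUBLIC} | USER_GROUPS.get(user, set())
    return bool(groups & allowed_groups)


def dispatch(user, path):
    """Front-controller check, run before any controller code is invoked."""
    if not is_allowed(user, path):
        return "403 Forbidden" if user in USER_GROUPS else "302 /user/login"
    return "200 OK"
```

Because the check sits in the front controller, an action added later stays unreachable until someone writes an `ACL` entry for it.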
