I spent the morning hacking together the basic components of my own MVC framework, which currently only parses a url, loads the class and calls the right method...

Because I obviously dont want someone to be able to access the 'add/remove' methods associated with future classes, i need to secure each method - and give access based on user-role... i am thinking that I need an array for each class which dictates which methods are public-access... and then check the class/action against each appropriate array... am I on the money, or is there a better way?


I think you may have misunderstood the public/private classifications in the context of PHP coding. "private means that the method or variable is only available within the class. It does not have anything to do with internet access . Since PHP is sever side, the users will not have any knowledge or use of methods that you don't want them to have anyway.
If you implement a single entry point strategy, like in Joomla, it prevents code being run directly.

Between this and adding blank index.html files in every directory, to prevent listing displays, you prevent "tinkering".

i hear you - someone would have to 'guess' - but its still a risk - one I deem fairly large...
Ive created a method in each class which returns an array of method names that a user won't have access to unless his role permits it, this will have to do until I find a better way.
I think I must relook at the public/private declarations too though. Thanks for the input