Ive written my own MVC framework, which uses the mod_rewrite apache tool... first part of the url is the controller and second part is the 'action'... some of my controllers have functionality which is publicly available, and other functionality which i want to restrict to logged in users...

i figure i can create some sort of array with all of the forbidden action names in it and run a check, but i am hoping theres a better option? any ideas?


Somewhere you do need to create a list of which actions can be executed by which users.

If you've got a large number of users, the best way to do this is with access control groups. This simply means you put users into certain groups (for example, "editors", "administrators", etc), then assign rights to those groups. When you want to update the privileges of a given user, you then only need to put them in the right group, rather than assigning them a bunch of different, individual rights.

Also, you'll want to shift your thinking from a blacklist of actions a user/group isn't allowed to run, to a whitelist of actions a user/group is allowed to run. That way, if you add a new action, nobody gets it by default & you have to purposefully give people access to that action.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.