
Admin Area

Posted: Sat Nov 27, 2010 2:51 am
by evans123
What's the best way to secure an admin-only area? If a user logs in but doesn't have permissions to the admin area, and they try and access it directly, e.g. http://www.mydomain.com/admin/users, is there an error code you can use that basically says you don't have access to this area? I was thinking of the 401, but that seems to only be if they have entered an incorrect username and password combination.

Re: Admin Area

Posted: Sat Nov 27, 2010 8:24 am
by greyhoundcode
403 Forbidden possibly?

To be honest, I never change the HTTP status code in these situations, I just reroute to the login controller and provide an error message.

Re: Admin Area

Posted: Sat Nov 27, 2010 10:52 am
by evans123
But if the user is already logged in, and then they try and access it, but they don't have the required userlevel, what do I do then?

Re: Admin Area

Posted: Sat Nov 27, 2010 12:08 pm
by greyhoundcode
How about a message saying, "Sorry - you don't have permission to use this feature - click here to return to the home page." Or similar.
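
The behaviour discussed in this thread, as an added example that is not code from either poster: a Python WSGI app that checks the user level on the server for every `/admin` URL, redirects anonymous visitors to the login page, and answers a logged-in user without the required level with 403 Forbidden and a message. The session store, the `sid` cookie name, the `level` values and the `/login` path are assumptions made for the example.

```python
from http.cookies import SimpleCookie

# Constructed session store (sample data): session id -> user record.
SESSIONS = {
    "sid-admin": {"name": "alice", "level": "admin"},
    "sid-user": {"name": "bob", "level": "member"},
}

def current_user(environ):
    """Return the logged-in user for this request, or None if anonymous."""
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("sid")
    return SESSIONS.get(morsel.value) if morsel else None

def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    user = current_user(environ)
    if path == "/admin" or path.startswith("/admin/"):
        # The check runs on the server for every admin URL, so typing the
        # address directly gets the same answer as following a link.
        if user is None:
            # Not logged in (or unknown session id): send to the login form.
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        if user["level"] != "admin":
            # Logged in, but the user level is too low: 403 plus a message.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Sorry - you don't have permission to use this feature."]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("page " + path).encode()]

def request(path, sid=None):
    """Call the app in-process; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if sid:
        environ["HTTP_COOKIE"] = "sid=" + sid
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    for sid in (None, "sid-user", "sid-admin"):
        print(sid, request("/admin/users", sid)[0])
```

A 401 response is required by the HTTP specification to carry a `WWW-Authenticate` header, which is why a form-and-cookie login like this one redirects anonymous visitors instead of returning 401.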