Alright... I've got a class called User, which is used to add/edit users in the database. Now I am going to extend this class and use it to check privileges, get username, pretty much anything having to do with the user who is viewing the site. What should I call this class?? I can't come up with anything but CurrentUser, which I don't really like.
<?php
class CurrentUser extends User {
    protected $loggedIn = false;
    protected $session;

    public function __construct() {
        parent::__construct();
        // Session store backed by the same MySQL connection the User model uses
        $this->session = new MC2_Session_Mysql('CurrentUser', null, self::$_mysql->getConnection());
        // A stored user id means the visitor already authenticated earlier in this session
        if ($this->session->has('user')) {
            $this->loadId($this->session->get('user'));
        }
    }

    public function LogIn($username, $password) {
        // Load the row for this username (escape() and load() come from User)
        $this->load("`username` = '" . $this->escape($username) . "'");
        // The stored column holds an unsalted sha1 of the password, which is a weak
        // password hash; the comparison below matches that storage format
        $password = sha1($password);
        if (($this->username == $username) && ($this->password == $password)) {
            $this->session->register('user', $this->getRaw('id'));
            // Write whatever's left in the session to disk and regenerate id
            $this->session->writeClose();
            $this->session->regenerateId();
            return $this->loggedIn = true;
        }
        // Username and password not found, reset and return false
        $this->reset();
        return false;
    }

    // Mark the user as logged in without checking credentials (e.g. right after registration)
    public function forceLogin() {
        $this->loggedIn = true;
    }

    public function isLoggedIn() {
        return $this->loggedIn;
    }

    // $privileges is loaded by the parent User model
    public function hasPrivilege($key) {
        return isset($this->privileges[$key]) ? $this->privileges[$key] : false;
    }
}
?>
Hmmm... it's looking or sounding a lot like something of an authentication/authorization layer...
However, I can't help but feel something of the 'chicken and egg' syndrome...as I would argue that a user conceptually is layered on top of authentication/authorization/etc...
Layered might be the wrong word here, as I don't think extension is the ideal way to go...
Authentication/Authorization are different processes...so I'm not sure bundling them into a single class is the best solution.
What do you think? Do you have any reasons as to keep them together except for the sake of brevity or simplicity? IMHO Authentication should only occur once per session. In an HTTP environment like we're in, we need to maintain session state ($_SESSIONS) so really we have:
This triad allows for more modular security. In case all you need is simple authentication... you don't have the overhead of authorization... and so on...
I might add, I actually would call it something along the lines of UserPermission, as long as you keep the class's purpose relevant to what it is now, and not
pretty much anything having to do with the user who is viewing the site.
Jcart wrote: Considering you're not following a naming convention specific to the layer, I personally don't see anything wrong with calling it a UserController.
<?php
class User {
    private $id;
    private $permissions = array();
    // ...
    public function isLoggedIn() {
        return true;
    }
    public function getPermissions() {
        // permissions for user (maybe lazy loaded)
        return new Permissions($this->permissions);
    }
}
class AnonymousUser {
    public function isLoggedIn() {
        return false;
    }
    public function getPermissions() {
        // default permissions: a visitor can do nothing until logged in
        return new Permissions(array());
    }
}
class Permissions {
    private $permissions;
    public function __construct(array $permissions) {
        // keyed by action name, e.g. array('access_this_special_page' => true)
        $this->permissions = $permissions;
    }
    public function can($action) {
        // $permissions is a property, so it must be read through $this->
        return isset($this->permissions[$action]);
    }
}
?>
Ok, all you have to do is have the right user in SessionPool.
<?php
class SessionPool {
    public function __construct() {
        session_start();
        // A fresh session id on every request, so an id a visitor obtained before
        // logging in is not carried over into the authenticated session
        session_regenerate_id();
    }
    // The logged-in user if one was stored, otherwise the AnonymousUser null object
    public function getUser() {
        return isset($_SESSION['User']) ? $_SESSION['User'] : $this->createAnonymous();
    }
    public function setUser($user) {
        $_SESSION['User'] = $user;
    }
    protected function createAnonymous() {
        return new AnonymousUser();
    }
}
?>
User is logged in basically on a login page, right?
<?php
class APageThatRequiresSpecialRights {
    public function execute($request, $session) {
        // Authorization only: the page asks the current user's permissions and never
        // touches credentials; an AnonymousUser simply has no permissions
        if ($session->getUser()->getPermissions()->can('access_this_special_page')) {
            // display page
        } else {
            // you are not allowed to see this confidential stuff...
        }
    }
}
?>
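The separation argued for earlier in the thread (authentication once per session, session state, authorization on each page) and the login page the last post alludes to, as one added example. This is not code from any poster; the class names, the in-memory user store standing in for the database, the credentials and the permission key are all constructed for the example, and it targets PHP 8 (constructor promotion, nullsafe operator, union types).

```php
<?php
declare(strict_types=1);
// Added example: authentication / session / authorization kept as three pieces.
// Users, passwords and permissions below are constructed data, not a real store.

final class Permissions {
    public function __construct(private array $permissions) {}
    public function can(string $action): bool {
        return !empty($this->permissions[$action]);
    }
}

final class User {
    public function __construct(
        private int $id,
        private string $username,
        private string $passwordHash,   // password_hash() output, never the plaintext
        private array $permissions      // e.g. ['access_this_special_page' => true]
    ) {}
    public function getId(): int { return $this->id; }
    public function getPasswordHash(): string { return $this->passwordHash; }
    public function isLoggedIn(): bool { return true; }
    public function getPermissions(): Permissions { return new Permissions($this->permissions); }
}

// Null object for visitors: same interface as User, no permissions at all
final class AnonymousUser {
    public function isLoggedIn(): bool { return false; }
    public function getPermissions(): Permissions { return new Permissions([]); }
}

// Authentication: verifies credentials and knows nothing about sessions or pages
final class Authenticator {
    private string $dummyHash;
    /** @param array<string, User> $store username => User, standing in for the users table */
    public function __construct(private array $store) {
        // Hash to verify against when the username is unknown, so a miss costs the
        // same time as a wrong password and does not reveal which usernames exist
        $this->dummyHash = password_hash('unused', PASSWORD_DEFAULT);
    }
    public function authenticate(string $username, string $password): ?User {
        $user = $this->store[$username] ?? null;
        $ok = password_verify($password, $user?->getPasswordHash() ?? $this->dummyHash);
        return ($ok && $user !== null) ? $user : null;
    }
}

// Session state: stores only the user id and reloads the user on each request,
// so permission changes made in the store take effect without a new login
final class SessionPool {
    private array $storage;
    private $loadUser;
    /** @param array $storage pass $_SESSION after session_start() on a web request */
    /** @param callable(int): ?User $loadUser fetches a user by id from the store */
    public function __construct(array &$storage, callable $loadUser) {
        $this->storage = &$storage;
        $this->loadUser = $loadUser;
    }
    public function getUser(): User|AnonymousUser {
        $id = $this->storage['user_id'] ?? null;
        $user = $id === null ? null : ($this->loadUser)($id);
        return $user ?? new AnonymousUser();
    }
    public function logIn(User $user): void {
        // On a web request call session_regenerate_id(true) here as well, so the
        // pre-login session id is not carried into the authenticated session
        $this->storage = ['user_id' => $user->getId()];
    }
    public function logOut(): void { $this->storage = []; }
}

// Authorization: the page asks the current user's permissions, never the credentials
final class SpecialPage {
    public function execute(SessionPool $session): string {
        $user = $session->getUser();
        if (!$user->getPermissions()->can('access_this_special_page')) {
            return $user->isLoggedIn() ? '403 Forbidden' : '401 Login required';
        }
        return '200 confidential content';
    }
}

// Wiring with constructed data
$store = [
    'alice' => new User(1, 'alice', password_hash('correct horse', PASSWORD_DEFAULT), ['access_this_special_page' => true]),
    'bob'   => new User(2, 'bob', password_hash('hunter2', PASSWORD_DEFAULT), []),
];
$byId = [];
foreach ($store as $u) { $byId[$u->getId()] = $u; }

$sessionData = [];                                   // stands in for $_SESSION
$session = new SessionPool($sessionData, fn(int $id) => $byId[$id] ?? null);
$auth = new Authenticator($store);
$page = new SpecialPage();

echo $page->execute($session), PHP_EOL;              // anonymous visitor
// The login page: authenticate first, then hand the user to the session pool
var_dump($auth->authenticate('alice', 'wrong') === null);
$session->logIn($auth->authenticate('alice', 'correct horse'));
echo $page->execute($session), PHP_EOL;              // alice holds the permission
$session->logIn($auth->authenticate('bob', 'hunter2'));
echo $page->execute($session), PHP_EOL;              // bob is logged in but lacks it
```

The point of the split is that `SpecialPage` never sees a password and `Authenticator` never sees a session: a page that only needs to know who the visitor is costs no authorization work, and a permission change in the store is picked up on the next request because the session holds the user id rather than a serialized copy of the user object.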