I'm trying to rethink the way I do authentication in web apps, as so far I use a fairly 'clunky' system. Basically each action is a class which has a variable that defines which users can run this action and which cannot, but that's just based off a numeric user level and sometimes that's not enough. Plus it's not very manageable.
I'm thinking of using a permissions system; the code would look like:
```php
class Controller {
    public function run() {
        // $user and $action are retrieved from the request (not shown)
        $permissions = new Permissions();
        if ($permissions->hasPermission($user, $action)) {
            $action->execute();
        } else {
            // redirect to an Error 401 page or something
        }
    }
}
```
I was thinking every controller would have its own permissions object. So a ForumController would have a ForumPermissions object which has the logic for all the forum methods. I could store the permissions in a database, but that would be fine for something like "Users with level x or higher can do action y"; in the case of some actual logic (e.g. only an admin or the user who posted an article may edit that article), I can't store that in the database, can I?
Maybe I could define the permissions in XML files, but that seems a bit insecure as they're just text files and viewable in a web browser.
Thanks in advance for any help. I see potential in this method, but it's the management of it that I'm not sure how to handle.
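One way to keep the "admin or the article's author" kind of rule alongside plain level checks is to express each permission as a small rule closure keyed by action name, denying anything that has no rule. This is an added example, not the poster's code; the User, Article and ForumPermissions classes, the action names and the level threshold are all assumptions.

```php
<?php
// Added example: per-controller permission rules as code (level checks and
// ownership checks side by side), deny-by-default. Names are assumptions.
declare(strict_types=1);

final class User {
    public function __construct(public readonly int $id, public readonly int $level) {}
}
final class Article {
    public function __construct(public readonly int $id, public readonly int $authorId) {}
}

final class ForumPermissions {
    private const ADMIN_LEVEL = 100; // assumed threshold for admin accounts

    /** @var array<string, callable(User, ?object): bool> one rule per action name */
    private array $rules;

    public function __construct() {
        $this->rules = [
            // Level-based rule: any registered user (level >= 1) may post.
            'article.create' => fn(User $u, ?object $t) => $u->level >= 1,
            // Ownership rule: admins, or the author of this specific article.
            'article.edit'   => fn(User $u, ?object $t) =>
                $t instanceof Article
                && ($u->level >= self::ADMIN_LEVEL || $t->authorId === $u->id),
            // Admin-only rule.
            'article.delete' => fn(User $u, ?object $t) => $u->level >= self::ADMIN_LEVEL,
        ];
    }

    /** Deny by default: an action with no rule is never allowed. */
    public function hasPermission(User $user, string $action, ?object $target = null): bool {
        if (!isset($this->rules[$action])) {
            return false;
        }
        return ($this->rules[$action])($user, $target);
    }
}

// Constructed sample data for a quick run.
$perms   = new ForumPermissions();
$author  = new User(id: 7, level: 1);
$other   = new User(id: 8, level: 1);
$admin   = new User(id: 1, level: 100);
$article = new Article(id: 42, authorId: 7);
var_dump($perms->hasPermission($author, 'article.edit', $article)); // author may edit
var_dump($perms->hasPermission($other, 'article.edit', $article));  // other user may not
var_dump($perms->hasPermission($admin, 'article.edit', $article));  // admin may edit
var_dump($perms->hasPermission($other, 'article.nuke', $article));  // no rule: denied
```

Because the rules are PHP code rather than a database row or an XML file, they are neither served to a browser nor limited to what a "level x or higher" schema can express, and the controller's call stays the single `hasPermission` check from the post.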