This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Ion Auth - Lightweight Auth System based on Redux Auth 2

February 10, 2010 7:00pm

  • #106 / Mar 31, 2010 7:56am

    gscharlemann

    57 posts

    I’m getting some weird results with the is_admin function in the Ion_Auth library.

    I set up another controller: tracker.php

    In tracker->view_items() I have:

    public function view_items()
    {
        $data['my_location'] = "admin";
        $data['page_title'] = "View Items";
    
        echo "is admin? = '" . $this->ion_auth->is_admin() . "'\n";
        if(!$this->ion_auth->logged_in() AND !$this->ion_auth->is_admin())
        {
            redirect('auth/login', 'refresh');
        }
    
        ...
    }

    A “member” user was not being redirected, so I added the print statement to see if I could figure out why.  The call to $this->ion_auth->is_admin() doesn’t produce anything.

    I added a few print statements to the ion_auth->is_admin function:

    public function is_admin()
    {
        $admin_group = $this->ci->config->item('admin_group');
        $user_group  = $this->ci->session->userdata('group');
    
        echo "admin_group = " . $admin_group . "\n";
        echo "user_group = " . $user_group . "\n";
    
        return $user_group == $admin_group;
    }

    At the end of the day, the page that the “member” user views (which is an admin page and should be redirected) prints the following:

    admin_group = admin
    user_group = members
    is admin? = ‘’

    I can’t figure out why ion_auth->is_admin() is not working… I’m not sure what else to look at.

  • #107 / Mar 31, 2010 9:31am

    joytopia

    76 posts

    if(!$this->ion_auth->logged_in() AND !$this->ion_auth->is_admin())

    Perhaps you should try “OR” or “||” instead of “AND”

    Best regards
    Bernd

  • #108 / Mar 31, 2010 10:32am

    gscharlemann

    57 posts

    Stupid mistake… my bad.  Thanks
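
Added example, not part of the original thread and not Ion Auth's code: the two guard conditions from posts #106 and #107 evaluated for each kind of visitor, plus the reason the debug line printed an empty string. `guard_and` and `guard_or` are hypothetical stand-ins for the controller check, and the sample visitors are constructed.

```php
<?php
// Constructed stand-ins for $this->ion_auth->logged_in() and ->is_admin().
function guard_and(bool $loggedIn, bool $isAdmin): bool
{
    // Condition from post #106: redirects only when BOTH checks fail.
    return !$loggedIn && !$isAdmin;
}

function guard_or(bool $loggedIn, bool $isAdmin): bool
{
    // Condition suggested in post #107: redirects when EITHER check fails,
    // which equals !($loggedIn && $isAdmin) by De Morgan's law.
    return !$loggedIn || !$isAdmin;
}

// Constructed sample visitors: [logged_in, is_admin]
$cases = [
    'anonymous visitor' => [false, false],
    'logged-in member'  => [true,  false],
    'logged-in admin'   => [true,  true],
];

foreach ($cases as $label => [$loggedIn, $isAdmin]) {
    printf(
        "%-18s AND redirects: %-5s  OR redirects: %s\n",
        $label,
        var_export(guard_and($loggedIn, $isAdmin), true),
        var_export(guard_or($loggedIn, $isAdmin), true)
    );
}

// is_admin() returned a boolean all along: PHP casts false to an empty
// string when it is concatenated, while var_export() shows the real value.
$isAdmin = ('members' == 'admin');
echo "is admin? = '" . $isAdmin . "'\n";
echo "is admin? = " . var_export($isAdmin, true) . "\n";
```

Only the "logged-in member" row differs between the two guards, which is the case that slipped through to the admin page.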

  • #109 / Apr 02, 2010 10:30am

    joytopia

    76 posts

    Ben,

    here is the German translation.

    Best regards
    Bernd

  • #110 / Apr 02, 2010 12:11pm

    Ben Edmunds

    812 posts

    Thanks Bernd!

    Your language file has been added to Ion Auth and PyroCMS.

  • #111 / Apr 03, 2010 12:19am

    joytopia

    76 posts

    Welcome, Ben,
    when there are changes in the English language file, please let me know and I will translate them.

    Remember me
    Yesterday I upgraded Ion Auth and tested the remember me function on three browsers at the same time. Just imagine: a user has a desktop computer at work, a notebook at home and a PDA or phone on the road.

    As the function is user based, it cannot work properly for this purpose.
    Wouldn’t it be better to make it session based?

    I’m not so deep inside, but wouldn’t it be the simplest way to extend the CI session class and set the session cookie expire individually?

    What do you think?

    Best regards
    Bernd

  • #112 / Apr 03, 2010 12:41am

    joytopia

    76 posts

    Issue with remember me and extra where

    When I ran ION AUTH on three browsers, suddenly I got errors on one browser:

    A PHP Error was encountered
    
    Severity: Notice
    
    Message: Undefined property: Ion_auth_model::$ion_auth
    
    Filename: models/ion_auth_model.php
    
    Line Number: 838
    
    A PHP Error was encountered
    
    Severity: Notice
    
    Message: Trying to get property of non-object
    
    Filename: models/ion_auth_model.php
    
    Line Number: 838
    
    Ein Datenbankfehler ist aufgetreten
    
    Error Number: 1064
    
    Fehler in der SQL-Syntax. Bitte die korrekte Syntax im Handbuch nachschlagen bei 'id` = '8'' in Zeile 1
    
    UPDATE `users` SET `last_login` = 1270227046 WHERE ` IS NULL AND `id` = '8'

    I found out that it must have something to do with the extra_where function in the library.

    So I changed it for the moment:

    public function extra_where()
    {
        $where =& func_get_args();

        //$this->_extra_where = count($where) == 1 ? $where[0] : array($where[0] => $where[1]);
        $this->_extra_where = $where[0];
    }

    Afterwards it worked properly, even when I changed it back again.

    I could not reproduce that error, but I think it is an issue with extra_where and remember me.

    Best regards
    Bernd

  • #113 / Apr 03, 2010 1:09am

    Ben Edmunds

    812 posts

    Bernd,

    I just pushed a change to Ion Auth “remember me” functionality so the salt generated for the remember me cookie will be unique to the user but not random so that you can login and be remembered on as many browsers/computers as you want to.

    Please let me know if you have any more issues.


    Thanks!

  • #114 / Apr 03, 2010 2:05am

    joytopia

    76 posts

    Ben,

    thanks for your fast reply!

    Am I right, the cookie corresponds to the user’s password? Someone who gets the cookie, can login as long as the user does not change the password?

    I am wondering if this is less or even more secure than the random value.

    For mobile applications it may be more secure, because I can change my password at home, where nobody can see this. Outside I stay logged in. If my phone is stolen, I have to change my password as soon as possible. Correct?

    Best regards
    Bernd

  • #115 / Apr 03, 2010 2:19am

    joytopia

    76 posts

    It’s not an issue, only a little mistake in the comment:

    library:

    /**
    * update_user
    *
    * @return void
    * @author Phil Sturgeon
    **/
    public function delete_user($id)

    should be

    /**
    * delete_user
    *
    * @return void
    * @author Phil Sturgeon
    **/
    public function delete_user($id)

  • #116 / Apr 03, 2010 2:25am

    Ben Edmunds

    812 posts

    Bernd,

    It’s not necessarily more or less secure than it was before since the password is already based off a random salt but it is more secure than saving the sessions individually specifically for the use case you described.

    The only time you might have an issue with the case you described would be if you changed your password and did not login with “remember me” in which case your remember_code would not be reset.


    So I just pushed a change to reset the remember_code when the password is changed so it will force all remembered instances of the user to re-login whenever the user’s password is changed.

    Thanks,
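
Added example, not from the thread and not Ion Auth's code: one way to build the per-browser “remember me” raised in post #111 while keeping the reset-on-password-change behaviour described in post #116. The `RememberStore` class, its in-memory array (standing in for a database table) and the user id 8 are assumptions made for illustration.

```php
<?php
// Hypothetical store: the array stands in for a remember_tokens table.
final class RememberStore
{
    private array $tokens = []; // user id => list of SHA-256 token hashes

    // Issue a fresh random token for one browser/device; only its hash is stored.
    public function issue(int $userId): string
    {
        $token = bin2hex(random_bytes(32));
        $this->tokens[$userId][] = hash('sha256', $token);
        return $token; // value to place in that device's cookie
    }

    // Check a cookie value against the stored hashes in constant time.
    public function verify(int $userId, string $cookie): bool
    {
        $candidate = hash('sha256', $cookie);
        foreach ($this->tokens[$userId] ?? [] as $stored) {
            if (hash_equals($stored, $candidate)) {
                return true;
            }
        }
        return false;
    }

    // Log out one device (e.g. a lost phone) without touching the others.
    public function revoke(int $userId, string $cookie): void
    {
        $candidate = hash('sha256', $cookie);
        $this->tokens[$userId] = array_values(array_filter(
            $this->tokens[$userId] ?? [],
            fn(string $stored): bool => !hash_equals($stored, $candidate)
        ));
    }

    // Password change: drop every remembered device, as in post #116.
    public function revokeAll(int $userId): void
    {
        unset($this->tokens[$userId]);
    }
}

$store = new RememberStore();
[$desktop, $phone] = [$store->issue(8), $store->issue(8)]; // constructed user id
$store->revoke(8, $phone);   // lost phone: desktop stays remembered
var_dump($store->verify(8, $desktop), $store->verify(8, $phone));
$store->revokeAll(8);        // password changed: every device must log in again
var_dump($store->verify(8, $desktop));
```

Because each device holds its own random token, a stolen cookie can be revoked on its own, and the stored hashes are of no use as cookie values if the table leaks.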

  • #117 / Apr 03, 2010 2:29am

    Ben Edmunds

    812 posts

    Bernd,

    Thanks! I just pushed the fix for that comment.

  • #118 / Apr 03, 2010 11:38am

    joytopia

    76 posts

    Ben,

    at the moment the cookies $identity and $remember_code are not set.
    It has something to do with the db->update in private function remember_user($id).

    When I take away the if statement, the cookies are set:

    Line 933 ion_auth_model.php:

    $this->db->update($this->tables['users'], array('remember_code' => $salt), array('id' => $id));
            
            //if ($this->db->affected_rows() == 1) 
            if (true)
            {            
                $identity = array('name'   => 'identity',
                     ...

    Best regards
    Bernd

  • #119 / Apr 03, 2010 2:26pm

    Ben Edmunds

    812 posts

    Bernd,

    I just tested it in PyroCMS and it is working.

    Maybe try clearing your cookies or logging out and then try again.

    Thanks,

  • #120 / Apr 03, 2010 3:17pm

    joytopia

    76 posts

    Ben,

    now I can reproduce the issue:
    When the session cookie expires (or when I delete the session cookie), the error messages come up.
