Thread

why code for that…

It makes it a mess if you add a new role down the road…

Have the uri role stuff run from the database and be dynamic is what im saying.

Say you have a basic user, with a subscription for 30 days to a donator role. Instead of reasigning them to the basic user role after the 30 days the donator role just goes away.

Allowing you to just assign the basic permissions to the donator role instead of having to repeat everything from the user role into the donator role.

Meaning take this example for the permissions

User
{
Login
Welcome
Logout
}

Donator (inherits user)
{
videos
email
advanced search
}

so you can just stack them on and on… Allowing 1 user to belong to many roles and have access to diffrent parts of the site

Also using cpanel is a bad idea since some hosting companies use cpanel so it would be an invalid link and something would break…

Why code? well because it will need another table 😛
But i’ve got your idea, basically it was to prevent putting the same URI permission again and again in the role_uri table.

I will consider to add inherit table in the future then. (Or maybe adding parent_role_id field in roles table)

So for example, a user have role_id 3 (donator), and in inherit table role_id 3 has parent role_id 1 (user).
So in role_uri table permission, role_id 3 will also follow role_id 1 permission.

Well, cpanel it’s only an example you can rename it to what you want.
but isn’t CI application will be installed in public_html folder? which is don’t have relation with web hosting config? CMIIW.

thanks dexcell

I’m going to use it in my current project and I’ll give you my feedback later.

Thanks again for releasing it

If I went your route, and lets say I wanted to email all roles related to Users it would be rather complicated would it not? I’d have to have the app, look through all roles and figure out which are Users and which are not. Same thing if I wanted to change permissions (like read/write/delete) on all regular Users roles, it would be a burden if I had something like 500 roles. I would have to alter 500 records instead of 1.

I don’t feel like explaining the check_role_uri() right now though.

Thank you for the comments.

I don’t see why it’s a burden because you can use loop, and the code is in the backend.

Just in case, illustration:

$this->load->model('dx_auth/users', 'users');

$users = $this->users->get_all()->result();

// Add user related roles
$user_related_roles = array('user', 'admin', 'moderator');

foreach ($users as $user)
{
  if (in_array($user['role_name'], $user_related_roles)
  {
   //Do email.
  }
}

I’m not talking about going through the users and finding all that belong to a single o a couple roles. If I had 500 roles, being 1 Guest, 1 Administrator and the rest (498) being various Users, it gets slightly ‘ugly’ trying to group all Users together.

why code for that…

It makes it a mess if you add a new role down the road…

Have the uri role stuff run from the database and be dynamic is what im saying.

so you can just stack them on and on…

I will consider to add inherit table in the future then. (Or maybe adding parent_role_id field in roles table)

So for example, a user have role_id 3 (donator), and in inherit table role_id 3 has parent role_id 1 (user).
So in role_uri table permission, role_id 3 will also follow role_id 1 permission.

^ what i’ve been trying to suggest…

Why code? well because it will need another table 😛
But i’ve got your idea, basically it was to prevent putting the same URI permission again and again in the role_uri table.

I will consider to add inherit table in the future then. (Or maybe adding parent_role_id field in roles table)

So for example, a user have role_id 3 (donator), and in inherit table role_id 3 has parent role_id 1 (user).
So in role_uri table permission, role_id 3 will also follow role_id 1 permission.

Why do that. add 1 more table remove a field and it should be good

User
user_to_role
role

So now they can have multiple roles, Check the roles uri stuff and select one result, They only need to have the access once to make it work!

If you want to hold off on this ill be adding it anyways, I have a mostly working copy at home as far as what im talking about so. Ill leave this up to you.

Pretty much its adding a more boarder approach.

Well, cpanel it’s only an example you can rename it to what you want.
but isn’t CI application will be installed in public_html folder? which is don’t have relation with web hosting config? CMIIW.

Yes, but http://www.yoursite.com/cpanel links to the cpanel from the host…
so if they do the mod rewrite your example breaks if the index.php is there then it wont but alot of people using CI use mod rewrite to remove the index.php

I also believe there is a problem with PHP5

http://offroadwars.com/index.php/auth

fresh install properly configured to work etc… then threw DX Auth on top of it.

Why do that. add 1 more table remove a field and it should be good

User
user_to_role
role

So now they can have multiple roles, Check the roles uri stuff and select one result, They only need to have the access once to make it work!

If you want to hold off on this ill be adding it anyways, I have a mostly working copy at home as far as what im talking about so. Ill leave this up to you.

Pretty much its adding a more boarder approach.

Yes, but http://www.yoursite.com/cpanel links to the cpanel from the host…
so if they do the mod rewrite your example breaks if the index.php is there then it wont but alot of people using CI use mod rewrite to remove the index.php

Thanks for the answer. I’ll change the cpanel name even tough cpanel an example (meaning you should change it) in next release.

What do you mean ‘add 1 more table remove a field and it should be good’?

Ok, i’m gonna add this. However my plan is add another field in roles table.

I also believe there is a problem with PHP5

http://offroadwars.com/index.php/auth

fresh install properly configured to work etc… then threw DX Auth on top of it.

DX Auth is developed and tested using php5.

Judging from the error, looks like you haven’t put the dx_auth.php in your libraries.

Why do that. add 1 more table remove a field and it should be good

User
user_to_role
role

So now they can have multiple roles, Check the roles uri stuff and select one result, They only need to have the access once to make it work!

If you want to hold off on this ill be adding it anyways, I have a mostly working copy at home as far as what im talking about so. Ill leave this up to you.

Pretty much its adding a more boarder approach.

Well, cpanel it’s only an example you can rename it to what you want.
but isn’t CI application will be installed in public_html folder? which is don’t have relation with web hosting config? CMIIW.

Yes, but http://www.yoursite.com/cpanel links to the cpanel from the host…
so if they do the mod rewrite your example breaks if the index.php is there then it wont but alot of people using CI use mod rewrite to remove the index.php

What do you mean? Remove role_id from users and create a table for “Role Access” which has rows that associate users to roles? (so there could be multiple rows associated to an user id and if the app finds at least one row it gives access?)

setup a many to many relationship with users to roles in other words…
Hope this clears a few things up.
I never thought it out for this system… However in theory it should work with little modification

NOTE: I set this up this way to be able to run from an admin panel so that’s why there’s the permission_class and _method tables to be referenced in the admin panel so even a not so smart person could setup new permissions

Users
{
user_id
username
password
email_address
}

user_to_role
{
user_id
role_id
}

role
{
role_id
role_name
role_description
}

role_uri_rescriction
{
id
role_id
class
method (function)
}

-- phpMyAdmin SQL Dump
-- version 2.11.6
-- <a href="http://www.phpmyadmin.net">http://www.phpmyadmin.net</a>
--
-- Host: localhost
-- Generation Time: Dec 02, 2008 at 06:43 PM
-- Server version: 5.0.51
-- PHP Version: 5.2.6

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `fourtwo1_offroadwars`
--

-- --------------------------------------------------------

--
-- Table structure for table `group`
--

CREATE TABLE IF NOT EXISTS `group` (
  `group_id` int(10) unsigned NOT NULL auto_increment,
  `group_name` varchar(255) NOT NULL,
  `group_desciption` text,
  PRIMARY KEY  (`group_id`),
  UNIQUE KEY `group_name` (`group_name`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=5 ;

--
-- Dumping data for table `group`
--

INSERT INTO `group` (`group_id`, `group_name`, `group_desciption`) VALUES
(0, 'Public', 'Public Group, Everyone not logged in is assigned to this group by default'),
(1, 'Members', 'Registered Members'),
(2, 'Moderators', 'Moderators'),
(3, 'Administrators', 'Administrators'),
(4, 'Super Administrators', 'Super Administrators');

-- --------------------------------------------------------

--
-- Table structure for table `group_module_permission`
--

CREATE TABLE IF NOT EXISTS `group_module_permission` (
  `group_id` int(10) unsigned NOT NULL default '0',
  `class_id` int(10) unsigned NOT NULL default '0',
  `method_id` int(10) unsigned NOT NULL default '0',
  `permission` tinyint(1) NOT NULL default '0',
  UNIQUE KEY `group_module_permission` (`group_id`,`class_id`,`method_id`,`permission`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

--
-- Dumping data for table `group_module_permission`
--

INSERT INTO `group_module_permission` (`group_id`, `class_id`, `method_id`, `permission`) VALUES
(0, 1, 1, 1),
(0, 1, 2, 1),
(0, 1, 3, 1),
(0, 1, 4, 1);

-- --------------------------------------------------------

--
-- Table structure for table `permission_class`
--

CREATE TABLE IF NOT EXISTS `permission_class` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `class` varchar(255) NOT NULL,
  `description` text NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

--
-- Dumping data for table `permission_class`
--

INSERT INTO `permission_class` (`id`, `class`, `description`) VALUES
(1, 'authentication', '');

-- --------------------------------------------------------

--
-- Table structure for table `permission_method`
--

CREATE TABLE IF NOT EXISTS `permission_method` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `class_id` int(10) unsigned NOT NULL default '0',
  `method` varchar(255) NOT NULL,
  `description` text NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=5 ;

--
-- Dumping data for table `permission_method`
--

INSERT INTO `permission_method` (`id`, `class_id`, `method`, `description`) VALUES
(1, 1, 'index', ''),
(2, 1, 'login', ''),
(3, 1, 'register', ''),
(4, 1, 'process_login', '');

-- --------------------------------------------------------

--
-- Table structure for table `user`
--

CREATE TABLE IF NOT EXISTS `user` (
  `user_id` int(10) unsigned NOT NULL auto_increment,
  `username` varchar(255) NOT NULL,
  `email_address` varchar(255) NOT NULL,
  `password` varchar(255) NOT NULL,
  `register_date` int(10) unsigned NOT NULL,
  `account_status` int(11) NOT NULL default '1',
  `account_status_reason` text NOT NULL,
  PRIMARY KEY  (`user_id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=4 ;

--
-- Dumping data for table `user`
--

INSERT INTO `user` (`user_id`, `username`, `email_address`, `password`, `register_date`, `account_status`, `account_status_reason`) VALUES
(1, 'administrator', '[email protected]', 'this was a password', 1224537739, 1, 'Your account is active. If you experience any problems please contact an administrator.');
-- --------------------------------------------------------

--
-- Table structure for table `user_group`
--

CREATE TABLE IF NOT EXISTS `user_group` (
  `user_id` int(10) unsigned NOT NULL,
  `group_id` int(10) unsigned NOT NULL default '1',
  UNIQUE KEY `user_group` (`user_id`,`group_id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

--
-- Dumping data for table `user_group`
--

INSERT INTO `user_group` (`user_id`, `group_id`) VALUES
(1, 4);

How would you control access if you were to do specific settings for each role?

Eg.

Managers (Group)
- purchasing = allowed

Tech Manager (Role)
- purchasing = deny

John Smith (Managers/Tech Manager)
- purchasing = deny

What access will the user have?

We have a need for such a thing at the moment, but it would need to be more thought out. And would need for custom permissions which will be used for views not just controllers and methods.

Hi, here is my ideas (actually i have already finished coded it).
Let me know what you guys think.

I add a inherit_id in roles table. (Because if possible i don’t to add another table to DX Auth)

for example you have roles table like this:

id  inherit_id  name
-------------------------
1    0    User
2    0    Admin
3    1    Moderator
4    3    Super Moderator

This means since ‘moderator’ has inherit_id to ‘user’ role_id, ‘moderator’ have access to ‘user’ permission in role_uri_table.
And because ‘super moderator’ has inherit_id to ‘moderator’ role_id, ‘super_moderator’ has access to ‘moderator’ and ‘user’ permission in role_uri table.

In other words, for example:

// URI Access permission in role_uri table.

User
{
'test/hello/'
'test/welcome/'
}

Moderator (inherit ‘user’ permission, can access ‘test/hello/’, ‘test/welcome/’ URI by default)
{
'test/mods/'
}

Super Moderator
(inherit ‘user’ and ‘moderator’ permission, can access ‘test/hello/’, ‘test/welcome/’, ‘test/mods/’ URI by default).

The cons: To search parent, query will execute as deep as your level of inherit_id. But this only happened one time when user is login.

So what do you think?

How would you control access if you were to do specific settings for each role?

Eg.

Managers (Group)
- purchasing = allowed

Tech Manager (Role)
- purchasing = deny

John Smith (Managers/Tech Manager)
- purchasing = deny

What access will the user have?

We have a need for such a thing at the moment, but it would need to be more thought out. And would need for custom permissions which will be used for views not just controllers and methods.

Maybe you should put the purchasing in one centric, i mean for example, purchasing is only controlled in group level. so you every other role in that group will follow purchasing set in the group.

And would need for custom permissions which will be used for views not just controllers and methods.

I think if you needs custom permission for views, you need to code it in the controller, or you want to add another custom table and add your custom permission there.

If you haven’t checked out KhACL yet I’ll just suggest one more time that you take a peak.  I just wonder if you’re reinventing the wheel here and doing it inefficiently (a wobbly wheel).

The KhACL approach has roots from phpGACL.  Here’s a link to an admin panel:
http://opensourceemr.com:2089/phpgacl/admin/acl_admin.php

There’s a link to the manual there as well to describe the concept.

This doesn’t mean your library is a total scrub.  The ACL is just one facet of the library.  All the user admin stuff is still useful.  I haven’t looked at your library at all, but if you keep the parts loosely coupled then it offers the ability to swap in other ACL libraries as well (zend acl, etc.).

Backend Pro (in these forums) has an example implementation of KhACL and it’s decoupled from the auth management class (should you want to compare notes).

I think if you needs custom permission for views, you need to code it in the controller, or you want to add another custom table and add your custom permission there.

Again, not knocking your work here, but check BEPro, has examples of using auth helpers in views.

Please fix:

$this->ci->load->library('dx_auth_event');

->

$this->ci->load->library('DX_Auth_Event');

And also please review your naming conventions, because it cause an error on lower/upper case depended OS. If you want to use loading like that “$this->ci->load->library(‘dx_auth_event’)”, you need to rename DX_Auth_Event.

to tdktank59
If you put ‘dx_auth’ in autoload, fix it to ‘DX_Auth’.