Question

I have set up Ion Auth for CodeIgniter 2.1.3.

All is working well.

In my controller, auth.php I have the below code for function index():

function index()
{
    // Post-login landing page. Anonymous visitors are sent to the login form,
    // admins get the user-management list, and every other user gets a
    // group-specific page assembled from the shared header/nav/footer layout.
    // Relies on the ion_auth library and the url helper being loaded.

    // Not authenticated: off to the login form. CodeIgniter's redirect() exits,
    // the return only documents that nothing below applies.
    if (!$this->ion_auth->logged_in())
    {
        redirect('auth/login', 'refresh');
        return;
    }

    // Administrators: render the user list from this controller.
    if ($this->ion_auth->is_admin())
    {
        echo "Admin User";

        // Prefer validation errors over any flashed message.
        $this->data['message'] = (validation_errors()) ? validation_errors() : $this->session->flashdata('message');

        // Attach each user's group memberships to the listing.
        $this->data['users'] = $this->ion_auth->users()->result();
        foreach ($this->data['users'] as $idx => $account)
        {
            $this->data['users'][$idx]->groups = $this->ion_auth->get_users_groups($account->id)->result();
        }

        $this->_render_page('auth/view_users', $this->data);
        return;
    }

    // Remaining users: pick the page by group, then render it with one layout.
    if ($this->ion_auth->in_group("master_data"))
    {
        $label      = "master data group";
        $pageTitle  = "Master Data Home Page";
        $contentTpl = "content_master_data";
    }
    elseif ($this->ion_auth->in_group("planning"))
    {
        $label      = "Planning";
        $pageTitle  = "IMS Planning";
        $contentTpl = "content_planning";
    }
    else
    {
        $label      = "Generic user";
        $pageTitle  = "IMS Home Page";
        $contentTpl = "content_home";
    }

    echo $label;
    $data['title'] = $pageTitle;
    $this->load->view("site_header", $data);
    $this->load->view("site_nav");
    $this->load->view($contentTpl);
    $this->load->view("site_footer");
}

My thought process is that the controller will only load a given page if the user is in the correct group. This works correctly and the correct view is loaded for each user. My problem is that I can still browse directly to any view file, for example http://localhost/logico/application/views/content_master_data.php — the web server serves the PHP file from the `application/views` directory itself, bypassing the controller entirely.

How do I restrict access to the views and controllers so that a page cannot be reached by someone who is not logged in, or who is logged in but not in the correct group?


Solution

Instead of loading all the group-specific views from one action, redirect each user group to its own controller and enforce the group check in that controller's constructor. A view only ever has the access checks of the controller that loads it, so putting each group's pages behind a dedicated guarded controller means every method of that controller is protected, not just the one the auth dispatcher happens to call.

Auth index

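function index()
{
    // Dispatcher for the post-login landing page: anonymous visitors go to the
    // login form, admins are served the user list from this controller, and every
    // other group is redirected to its own controller, whose constructor re-checks
    // group membership on every request.
    //
    // The per-group views are deliberately NOT loaded here: a view only has the
    // access checks of the controller that loads it, so each group's pages live
    // in a controller that enforces that group in __construct().
    // Assumes the ion_auth library and the url helper are loaded (autoload or a
    // parent controller).

    // if not logged in - go to the login page
    if (!$this->ion_auth->logged_in())
    {
        redirect('auth/login', 'refresh');
    }
    // admins stay in this controller and get the user-management list
    elseif ($this->ion_auth->is_admin())
    {
        echo "Admin User"; // debug output left over from development; remove before deploying

        //set the flash data error message if there is one
        $this->data['message'] = (validation_errors()) ? validation_errors() : $this->session->flashdata('message');

        //list the users, with each user's group memberships attached
        $this->data['users'] = $this->ion_auth->users()->result();
        foreach ($this->data['users'] as $k => $user)
        {
            $this->data['users'][$k]->groups = $this->ion_auth->get_users_groups($user->id)->result();
        }

        $this->_render_page('auth/view_users', $this->data);
    }
    // master data team -> Master controller (guards 'master_data' in its constructor)
    elseif ($this->ion_auth->in_group("master_data"))
    {
        redirect('master', 'refresh');
    }
    // planning team -> Planning controller (guards 'planning' in its constructor)
    elseif ($this->ion_auth->in_group("planning"))
    {
        // Was redirect('planning',refresh); a bare `refresh` is an undefined
        // constant (notice + string in PHP 5/7, fatal Error in PHP 8) -- the
        // redirect method must be passed as a quoted string.
        redirect('planning', 'refresh');
    }
    // everyone else -> Generic controller
    else
    {
        redirect('generic', 'refresh');
    }
}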

Master Controller

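class Master extends CI_Controller {

    /**
     * Landing controller for the 'master_data' group.
     *
     * Every request to this controller runs the constructor first, so the
     * access check below covers index() and any method added later; a user
     * cannot skip it by typing a method name into the URL.
     *
     * Assumes the ion_auth library and the url helper are loaded (autoload or
     * a parent controller). CodeIgniter's redirect() sends the Location header
     * and exits, so nothing after a failed check executes.
     */
    function __construct()
    {
        parent::__construct();

        // Authentication first, stated explicitly rather than relying on
        // in_group() happening to return false for an anonymous session.
        if (!$this->ion_auth->logged_in())
        {
            redirect('auth/login', 'refresh');
        }

        // Authorisation: logged in but not in this group is denied as well.
        // Sent to the login page as in the original answer; the auth
        // controller's index() can then route the user to their own page.
        if (!$this->ion_auth->in_group('master_data'))
        {
            redirect('auth/login', 'refresh');
        }
    }

    /**
     * Master-data home page, assembled from the shared layout views.
     */
    function index()
    {
        $data['title'] = "Master Data Home Page";
        $this->load->view("site_header", $data);
        $this->load->view("site_nav");
        $this->load->view("content_master_data");
        $this->load->view("site_footer");
    }
}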

Similarly, the planning and generic controllers' constructors must contain the corresponding group check. This prevents any method of those controllers from being executed through the URL by a user outside the group. Note that it does not, by itself, fix the second problem in the question: `application/views/content_master_data.php` is reachable because the `application/` directory sits inside the web server's document root, and a view file requested directly runs as a plain PHP script outside the framework, so no controller check applies to it. Move `application/` (and `system/`) above the document root, or deny web access to them at the server (for Apache, an `.htaccess` with `Deny from all` in `application/`), and confirm that a direct request to the view URL now returns 403/404.

Licensed under: CC-BY-SA with attribution