First, let’s clear up some terms: I personally use the security term for things like preventing SQL injection, XSS attacks, where we have to validate input, filter/sanitize values, take care of the dynamically generated SQL commands, take care of properly escaping output (for JSON or HTML text or HTML attributes), etc. This is not about what you are asking, if I understood well.

The access control or permissions system is where you give or deny access to a function for a user. It can be secure or not. I understand that to deny a user which does not have permission the access to a function may sound like “security”, but I wouldn’t use this specific word in this context, to avoid confusion.

Now, the answer:

I strongly recommend you create a few base controller classes to your needs. Read the following blog post carefully (it is short and useful): http://philsturgeon.co.uk/blog/2010/02/CodeIgniter-base-Classes-Keeping-it-DRY

A code to check if the user is properly authenticated (logged in) is essential. If the user is not logged in, redirect to home page or login page.

For fine-grained control, you could create your ACL in the database using the users table, plus an actions table, plus an acl table…

The users table would contain the users data (id, name, login, password, etc)

The actions table would contain the id field and at least one more field containing what suits best for your application: it can be only the controller class name (the first part of the URL, for example: “products”), granting access to the whole “products” controller or not. Or you may want to include both the controller class AND the method name (the first and second parts of the URL, for example: “products/add” and “products/delete”), and so on.

To decide about the actions table is the most decisive step. Think very well about it, balance your needs (your “true” needs)… I developed a system where each and every action has its entry. It is good, but it needs work to be maintained.

A very useful column for the actions table is a human-readable description of the action.

The acl then would be nothing more than a column for the user id and another column for the action id.

A “master” grant/deny access field in the users table is useful too, in case you want to temporarily deny access from a specific user, without having to delete all his permissions and maybe having to restore it later.

With the database tables and your “controller/method” or “actions” strategy well defined, you can easily code in your base controller class a function which checks if the user have permission to execute the requested action.

This is the basic. In my system, I have the users administration interface, where I can grant/deny the actions for each user (I use an ExtJS tree with checkboxes). One of these actions is the own user management. I have gone one step further, where the user who can access the user management may “delegate” (grant/deny) to other users only the actions he himself has access to.

The system has several modules, and functions. The interface does not show anything the user does not have access. So, I have users who can see only a single or a couple of modules, and they don’t even imagine the existence of the other modules.

It requires more work to manage all this, but the result worths.

I also log each granted access, so it is possible to track who did what, and when. This log feature is very very easy to add, since you have this base controller “master function” allowing or disallowing the users to perform the actions.

I hope I have helped. I’ve just shared a bit of what worked (and works) for me…