I am using code straight out of a Kohana guide for securing websites based on login credentials.
The problem is the code seems to only check if a user is logged in and does not distinguish between roles.
How would I modify this script to only allow the admin to access this action?
In the base controller I have this code:
public $assert_auth = FALSE;
public $assert_auth_actions = FALSE;

public function before()
{
    parent::before();
    $this->_user_auth();
}

protected function _user_auth()
{
    $action_name = Request::instance()->action;

    // Deny when the controller-wide requirement fails, or when the
    // current action has its own requirement and that one fails.
    if (($this->assert_auth !== FALSE && Auth::instance()->logged_in($this->assert_auth) === FALSE)
        || (is_array($this->assert_auth_actions) && array_key_exists($action_name, $this->assert_auth_actions)
        && Auth::instance()->logged_in($this->assert_auth_actions[$action_name]) === FALSE))
    {
        if (Auth::instance()->logged_in())
        {
            // Logged in but lacking the required role: send to the front page
            Request::instance()->redirect('');
        }
        else
        {
            // Not logged in at all: send to the login page
            Request::instance()->redirect('admin/login');
        }
    }
}
In the controllers for the admin pages there is this code:
public $assert_auth_actions = array(
    'index' => array('login')
);
First I want to note that the above code is for Kohana 3.0; for 3.1 and higher you should replace Request::instance()->action with Request::$current->action().
If you want the same authorization requirements for all actions in the controller, then set $assert_auth to an array containing a list of all the roles one should have to access it.
If you want different authorization requirements for actions in the same controller, then set $assert_auth_actions to be a multidimensional array. The first dimension should be the name of the action, the second a list of roles the user must have to access the action.
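The following is an added example, not code from the original post or from Kohana itself. It shows the per-action role map the answer describes and replays the base controller's authorization decision for an admin, an ordinary member and a guest. Because Kohana's Auth and Request classes are not available outside a Kohana install, a stand-in FakeAuth class reproduces the documented behaviour of Auth::logged_in(): no argument means "any logged-in user", and a list of roles means the user must hold every one of them. FakeAuth, the authorize() helper, the user names and the 'edit' and 'profile' actions are assumptions made for this example.

```php
<?php
// Added example; FakeAuth, authorize(), the users and the extra actions
// are constructed here and are not part of Kohana or the original post.

class FakeAuth
{
    private $user;   // name of the logged-in user, or NULL for a guest
    private $roles;  // map of user name => list of role names

    public function __construct(array $rolesByUser, $user = NULL)
    {
        $this->roles = $rolesByUser;
        $this->user  = $user;
    }

    // Mirrors Auth::logged_in(): NULL means "any logged-in user";
    // a role or list of roles means the user must hold all of them.
    public function logged_in($role = NULL)
    {
        if ($this->user === NULL) {
            return FALSE;
        }
        if ($role === NULL) {
            return TRUE;
        }
        $have = $this->roles[$this->user];
        foreach ((array) $role as $r) {
            if (!in_array($r, $have, TRUE)) {
                return FALSE;
            }
        }
        return TRUE;
    }
}

// Per-action requirements, as the answer describes: action => required roles.
// 'index' and 'edit' need the admin role; 'profile' only needs a login.
$assert_auth_actions = array(
    'index'   => array('login', 'admin'),
    'edit'    => array('login', 'admin'),
    'profile' => array('login'),
);

// The same decision the base controller's _user_auth() makes, returning
// the outcome instead of redirecting so it can be inspected.
function authorize($action, array $assert_auth_actions, FakeAuth $auth)
{
    if (array_key_exists($action, $assert_auth_actions)
        && $auth->logged_in($assert_auth_actions[$action]) === FALSE) {
        // Logged in but missing a role -> front page; not logged in -> login page
        return $auth->logged_in() ? 'redirect:/' : 'redirect:admin/login';
    }
    return 'allow';
}

// Constructed users: alice is an admin, bob is an ordinary member.
$rolesByUser = array(
    'alice' => array('login', 'admin'),
    'bob'   => array('login'),
);

foreach (array('alice', 'bob', NULL) as $user) {
    $auth = new FakeAuth($rolesByUser, $user);
    foreach (array_keys($assert_auth_actions) as $action) {
        printf("%-8s %-8s %s\n",
               $user === NULL ? '(guest)' : $user,
               $action,
               authorize($action, $assert_auth_actions, $auth));
    }
}
```

Run with `php example.php`: alice is allowed everywhere, bob is sent to the front page for 'index' and 'edit' but allowed into 'profile', and the guest is sent to admin/login for every action. Listing 'login' alongside 'admin' in each role list keeps the check consistent with the original $assert_auth_actions, where 'login' is the baseline role every authenticated user holds.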