
I'm doing something like this in my controller:

$myapp->$class->$function($params)

The vars are being extracted from the request url i.e. /class/function/field1/val1/field2/val2/.../fieldN/valN

Through the website template only certain functions are linked but clearly anyone could view the source code and try to access sensitive functions which aren't supposed to be visible.

So my question is, how can I hide some functions while allowing others to be accessed through the URL?

  • I want to continue using this approach if possible $myapp->$class->$function($params)
  • At the same time it shouldn't work for some functions in the class i.e. $myapp->Page->delPage(...) should return an error
  • While other functions should work i.e. $myapp->Guestbook->createPost(...)

I haven't implemented a user login yet but for example, Guestbook->createPost(...) would check that the user is logged in. But there are too many classes and functions so I don't want to have to write out a separate request page for each one, if possible.

tereško
Ozzy
    You could create an array of classes and methods that are available. Then check in that array if the class/function is allowed. Or you could make the methods private or public and use [is_callable](http://php.net/manual/en/function.is-callable.php) to check that. – machineaddict Aug 06 '14 at 13:13
  • That was my initial thought, I guess that's it? I just didn't like it cause of the 2 tiers (check classes then check 2nd level array for that classes functions) – Ozzy Aug 06 '14 at 13:14
  • I think your concept is so wrong it creates problems that should never exist in the first place. Mapping URIs to functions is a tried and tested technique in many MVC frameworks. These also provide possibilities for ACL integration etc. Why reinvent the wheel? Why insist on using straight pieces to make a round object? – NDM Aug 06 '14 at 13:34
  • You might find [**this answer**](http://stackoverflow.com/a/9685039/727208) useful. – tereško Aug 06 '14 at 13:43
  • @NDM I'm just learning about this now :). Do you mean my concept of not using a pre-existing software? – Ozzy Aug 06 '14 at 13:49
  • You could have a look at the Symfony or Zend Framework "Routers". I'll post an answer. – NDM Aug 06 '14 at 13:51
  • @NDM why the hell would one use a router for access control?!? Have you never heard about *Single Responsibility Principle*? – tereško Aug 07 '14 at 04:40
  • You can inject an ACL service into the router, or you could use the router's events to perform ACL checks. Responsibilities are still separated, only integrated... – NDM Aug 07 '14 at 08:34
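The allowlist approach suggested in the comments, written out as an added example (this is not code from the question or from any answer): the dispatcher keeps the $myapp->$class->$function($params) call, but refuses any class/method pair that is not explicitly listed, so a method such as Page->delPage stays unreachable from the URL even though it is public. The classes, methods and the ROUTABLE table are constructed for illustration.

```php
<?php
// Added example: allowlist-based dispatch for the $myapp->$class->$function($params) pattern.
// Guestbook, Page and their methods are constructed stand-ins for the asker's classes.

class Guestbook {
    public function createPost(array $p): string { return "post by " . ($p['author'] ?? 'anon'); }
}
class Page {
    public function delPage(array $p): string { return "deleted " . ($p['id'] ?? '?'); }
    public function show(array $p): string { return "page " . ($p['id'] ?? '?'); }
}

// Explicit allowlist: only these class/method pairs may be reached from a URL.
// Anything not listed is refused, regardless of its PHP visibility.
const ROUTABLE = [
    'Guestbook' => ['createPost'],
    'Page'      => ['show'],
];

function dispatch(object $app, string $path): string {
    // Split /class/function/field1/val1/... and drop empty segments from leading/trailing slashes.
    $parts = array_values(array_filter(explode('/', $path), 'strlen'));
    if (count($parts) < 2) {
        throw new InvalidArgumentException('missing class or method');
    }
    [$class, $method] = [$parts[0], $parts[1]];
    // Consult the allowlist before touching any object; the comparison is strict and case-sensitive.
    if (!isset(ROUTABLE[$class]) || !in_array($method, ROUTABLE[$class], true)) {
        throw new RuntimeException("not routable: $class::$method");
    }
    // Remaining segments are field/value pairs; an unpaired trailing field is ignored.
    $params = [];
    for ($i = 2; $i + 1 < count($parts); $i += 2) {
        $params[$parts[$i]] = $parts[$i + 1];
    }
    return $app->$class->$method($params);
}

// Constructed application object holding one instance per routable class.
$myapp = new stdClass();
$myapp->Guestbook = new Guestbook();
$myapp->Page = new Page();

echo dispatch($myapp, '/Guestbook/createPost/author/ozzy/'), "\n";   // allowed
try {
    dispatch($myapp, '/Page/delPage/id/7');                             // refused by the allowlist
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Per-method checks such as "is the user logged in" can then be added to the listed methods themselves, or as a second allowlist keyed by role, without changing the dispatcher.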

1 Answer


You could have a look at how the popular PHP frameworks like Zend or Symfony handle this standard problem.
They have thought a lot about it already, and their implementation is tested by thousands of users.
Both Zend and Symfony components should be usable standalone.

Zend Framework 2 Router: http://framework.zend.com/manual/2.0/en/modules/zend.mvc.routing.html

Symfony 2 Router: http://symfony.com/doc/current/book/routing.html

NDM
  • Thanks, will have a look – Ozzy Aug 06 '14 at 13:58
  • It may seem daunting and complicated, but the basic concept is simple. Once you grasp that you can still build a lightweight alternative using those tried and tested concepts. – NDM Aug 06 '14 at 13:59