In the controller or model to check access rights?

O

Optimus2017-08-23 17:49:14

PHP

Optimus, 2017-08-23 17:49:14

We have a router and a site structure of the form url/controller/action
To the address of the form url / user / add (add a user) everyone should have access
To the address of the form url / user / 11 (view the user) only the user himself
To the address of the form url / user / del (delete user) only site administrator
If this is not a framework where RBAC and other features are implemented, but a self-written system - where is it more correct to check access rights to this page?
There are 2 levels of verification - this is a guest / user (it can be seen from the session), and if the user then needs to go to the database to find out his rights, then this should be done by the model (the controller should not go to the database)?
The concept of middleware from laravel also attracts, where something can be checked even before the desired controller is defined, but it’s not clear where to save the results of checking the request by the intermediary, pass it on to all created objects explicitly, or put it in the session?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

E

evnuh, 2017-08-23
Pyan @marrk2

Check in middleware / pre-controller hook / whatever you call it. Save the user in the context of this request, pass the context to all hooks / middleware / controllers / view