Hello, I would like to read some suggestions/thoughts on how to implement two (not so much) different Auth systems. Due to the DB schema and the logic of the application, there are two "separate" layers: customers and staff/admins. I know, maybe not the best solution.
So there are two tables: 'customers' and 'staff'. There is no relationship between those two tables.
- customers have no access to the admin panel and they shouldn't, same with the staff/admins
- customers have almost no limitations. No roles and no difficult access levels (only active/not-active/awaiting-confirmation)
- no registration! new customers will be created via admin-panel through users with corresponding access-levels / rights
- staff/admins have no access to the customer panel (via front-end)
- staff/admins do have different roles / access-levels. Staff have some limitations, admins have not (kind of a superuser)
I think I should consider ACL, but there's not much on this topic in the docs and I do not know how to implement ACL for two different areas (customer and staff/admins).
What I've already done:
- Created "own" Auth (for the customers) on top of SimpleAuth (created separated config and Auth_Login_CustomerAuth class)
- own config file with all necessary info like table_name, table_columns, table_pk_column and so on...
Login works fine. Updating/Altering customer-data too!
Now it is time to create Auth for Staff/Admin. My first thought was creating another Auth_Login_BackEndAuth class which also extends \Auth_Login_Driver.
But to me it seems to be kind of wrong, so I decided to ask the pros for any advice/thoughts/suggestions.
There was a discussion about this recently, you might want to search for it.
As I recall, due to the static nature of a lot of Auth stuff, it was very complex to have two Auth systems running in parallel. It was simply not designed for it. But I think that person made it work, I remember pushing some fixes for him. You might have to use 1.8/develop though.
Having said that, I wouldn't do it.
We have several applications using a similar separation. We use groups to identify these user groups ('clients', 'staff'). When they log in they are redirected to either the client or the staff dashboard (two different modules) based on their group membership. These modules use different themes, so the look and feel is different for both.
Roles are used to assign permissions within the system. If you mark roles with a type (client, staff, etc) you could make sure only the correct roles can be selected (based on the group of the user you are editing), which will give you the separation you want.
Big plus is that the system will be a lot less complex, and whenever there is a need to give a staff member access to parts of the client section, you can do so, a client controller doesn't need to check permissions in two systems.
We have a few apps where it is even more complex, because the same person is both staff and client. So we have introduced a "function" feature, where when a user logs in, he has to select if he wants to log in as a client or a staff member. Two different accounts were not an option, the client uses smartcards to log in.
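The single-Auth layout described in this reply (one user table, groups deciding which dashboard a user lands on, roles deciding permissions) can be put into a FuelPHP base controller like the one below. This is an added example, not code from the thread or from the FuelPHP project; the group ids (10 for clients, 50 for staff), the permission areas 'client' and 'admin', and the module routes are assumptions, as Simpleauth identifies groups by the numeric id from its config.

```php
<?php
// Added example: one Auth instance, one user table, group membership and
// roles doing the separation instead of two parallel Auth drivers.
// Assumed Simpleauth group ids and permission areas; adjust to your config.
define('GROUP_CLIENTS', 10);
define('GROUP_STAFF',   50);

// Shared base: every controller that needs a logged-in user extends this.
abstract class Controller_Base extends \Controller
{
    // Group id a user must belong to for this controller tree (set by subclasses).
    protected $required_group = null;

    // Permission this tree requires, in Simpleauth "area.action" form.
    protected $required_access = null;

    public function before()
    {
        parent::before();

        // Nobody logged in: send to the one shared login form.
        if ( ! \Auth::check())
        {
            \Response::redirect('login');
        }

        // Wrong group (a customer requesting /admin): 403, but keep the session.
        if ($this->required_group !== null and ! \Auth::member($this->required_group))
        {
            throw new \HttpNoAccessException();
        }

        // Fine-grained check through roles: has_access() is false when none of
        // the user's roles grants the area/action, so a customer never gets in.
        if ($this->required_access !== null and ! \Auth::has_access($this->required_access))
        {
            throw new \HttpNoAccessException();
        }
    }
}

// Front-end customer dashboard (the "client" module).
abstract class Controller_Client_Base extends Controller_Base
{
    protected $required_group  = GROUP_CLIENTS;   // assumed group id
    protected $required_access = 'client.read';   // assumed area.action
}

// Back-end admin dashboard (the "admin" module).
abstract class Controller_Admin_Base extends Controller_Base
{
    protected $required_group  = GROUP_STAFF;     // assumed group id
    protected $required_access = 'admin.read';    // assumed area.action
}

// One login controller: after a successful login, route on group membership.
class Controller_Login extends \Controller
{
    public function post_index()
    {
        $ok = \Auth::login(\Input::post('username'), \Input::post('password'));

        if ( ! $ok)
        {
            // Same message for unknown user and wrong password.
            \Session::set_flash('error', 'Login failed');
            \Response::redirect('login');
        }

        // Group chooses the dashboard; a user in neither group is logged out
        // again instead of being dropped on some arbitrary page.
        if (\Auth::member(GROUP_STAFF))
        {
            \Response::redirect('admin');
        }
        elseif (\Auth::member(GROUP_CLIENTS))
        {
            \Response::redirect('client');
        }

        \Auth::logout();
        throw new \HttpNoAccessException();
    }
}
```

The group check in before() is what keeps customers out of the admin module even if a role were mis-assigned; the has_access() check is what later lets a staff member be granted a client-side permission without touching a second Auth system, which is the point made in the reply above.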
My first thought was something similar, but then I got stuck with parallel auth. Should I enable 'multiple_login' somewhere in the config?
As per the documentation, I created a "Controller_Base" which handles (checks) Auth in the before() method for every controller that extends this "Base" -> works fine.
Let's consider the following example: a customer has already logged in and can now access the customer area in the front-end (currently implemented).
Now a URL myApp.dev/admin/ is requested and, like in the previous example, some Controller_Admin_Base class should take care of checking the auth state, whereas it's not a customer ...
So the solution would be to pass a driver-name param to \Auth::check('back-end') and then I could optimize the Auth_Login_CustomerAuth->perform_check() and Auth_Login_AdminAuth->perform_check() methods to suit my needs, right?!
The main problem is: two different tables, and I do not get how to implement only one Auth_Login_myCustomAuthClass which can handle both authentications at the same time...
"multiple_logins" means the same user logged in from multiple browsers, it has nothing to do with what you want.
There is no problem solving that with roles and permissions. If the user (a customer in this case) doesn't have a role assigned which gives him admin permissions, a call to has_access() will return false, and you can block access.
You can not simply use multiple instances of Auth at the same time, not the same driver instance, not different driver instances. It is not designed for that usage. Try to find the person with the same question, and see how he got on.
<quote>There is no problem solving that with roles and permissions. If the user (a customer in this case) doesn't have a role assigned which gives him admin permissions, a call to has_access() will return false, and you can block access.</quote>
Yes, but that's possible only if I had one table (for login, email data) and a list (or another table) with permissions, and that's not the case... or did I misunderstand something?
P.S. I know it's silly to ask you, but can you give me some information (keywords, approximate date of posting or something else), so I could find the guy who has a similar question/problem? Is it in the Auth thread? A 2014 question?
Both Simpleauth (in a config file) and Ormauth (in tables) support roles and permissions. Ormauth has more features, such as one more permission level (Simpleauth has one, Ormauth has two), better action support, revocation of rights, etc. Ormauth also allows you to assign permissions to individual users.
I can't remember when it was, I think within the last two months, so quite recent.
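To make concrete how the Simpleauth config described in the previous reply carries both the group separation and the "roles marked with a type" idea from earlier in the thread, here is an added example; it is not code from the thread or from the FuelPHP project. Simpleauth itself only reads 'groups' and 'roles'; the 'type' key on each group and the 'role_types' map are assumed application-level data that the user-edit form reads to offer only the roles matching the edited user's group, as the earlier reply suggests. Group ids, role names and areas are assumptions as well.

```php
<?php
// Added example: Simpleauth-style config (app/config/simpleauth.php would
// return this array) with each role tagged by the kind of user it is meant for.
// 'type' inside groups and 'role_types' are assumed app-level keys, ignored by
// Simpleauth and used only by assignable_roles() below.
$simpleauth_config = array(
    'groups' => array(
        -1  => array('name' => 'Banned',  'type' => 'any',    'roles' => array('banned')),
        0   => array('name' => 'Guests',  'type' => 'any',    'roles' => array()),
        10  => array('name' => 'Clients', 'type' => 'client', 'roles' => array('client')),
        50  => array('name' => 'Staff',   'type' => 'staff',  'roles' => array('staff')),
        100 => array('name' => 'Admins',  'type' => 'staff',  'roles' => array('staff', 'admin')),
    ),

    // area => list of actions. '#' is Simpleauth's "everything" wildcard,
    // false denies everything (used for banned users).
    'roles' => array(
        'banned' => false,
        'client' => array('client'    => array('read', 'update')),
        'staff'  => array('admin'     => array('read'),
                          'customers' => array('read', 'update')),
        'admin'  => '#',
    ),

    // Assumed app-level tagging: which kind of user a role may be assigned to.
    'role_types' => array(
        'banned' => 'any',
        'client' => 'client',
        'staff'  => 'staff',
        'admin'  => 'staff',
    ),
);

/**
 * Roles an admin form may offer when editing a user in group $group_id.
 * Only roles whose type matches the group's type (or 'any') are returned,
 * so a client account can never be handed an admin role by mistake.
 */
function assignable_roles(array $config, $group_id)
{
    if ( ! isset($config['groups'][$group_id]['type']))
    {
        // Unknown group: offer nothing rather than everything.
        return array();
    }

    $group_type = $config['groups'][$group_id]['type'];
    $roles = array();

    foreach (array_keys($config['roles']) as $role)
    {
        $role_type = isset($config['role_types'][$role]) ? $config['role_types'][$role] : null;

        // A role without a type entry is deliberately never assignable.
        if ($role_type === $group_type or $role_type === 'any')
        {
            $roles[] = $role;
        }
    }

    return $roles;
}

// Usage with the constructed config above:
// assignable_roles($simpleauth_config, 10)  -> array('banned', 'client')
// assignable_roles($simpleauth_config, 100) -> array('banned', 'staff', 'admin')
// assignable_roles($simpleauth_config, 999) -> array()
```

With this layout a customer in group 10 only ever has the 'client' role, so \Auth::has_access('admin.read') is false for them and the admin controllers can block the request, while a staff member can still be given 'client' read rights later by adding that area to the 'staff' role without a second Auth system being involved.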