I think the practice in ZF is going to be:
- do Access Control that uses centralized data with preDispatch()
- do Access Control that uses data distributed in the Actions with preRun()
The Front Controller does everything internally, including these
Filters. I would still prefer to remove as much as possible outside and
use Intercepting Filter style. Then you don't have to do the checks
unless you want to. You'd still need preRun/postRun inside the Front
Controller because they are inside the instantiate/forward loop.
Inverting it would get rid of all the Plugin/PluginBroker overhead and
provide the same functionality.
Michael Sheakoski wrote:
Hello everyone,
I'm working on an app which protects certain areas with a
username/password. I was wondering if I could get some "best
practice" opinions on where the best place to perform this checking
would be? Currently I have it as follows:
In index.php I have session_start() to init the session.
In IndexController I have a preRun() method (see MVC refactoring
proposal) that gets executed before the action. It contains something
like:
    if (empty($_SESSION['authenticated'])) {
        $this->forward('auth', 'logonForm');
    }
And then AuthController takes care of the logonAction, logoffAction,
and logonFormAction
--------------------
Of course this is only one way to do it. I could do the checking in
index.php, or in a FrontController plugin too, etc... My main thing
is to try and minimize the amount of code repeated. In my current
method I would have to duplicate the same code in the preRun() method
of every ActionController.
Look forward to hearing some opinions,
-Michael
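
Added example, not part of either message and not Zend Framework code: a minimal intercepting-filter chain that runs the session check once, ahead of dispatch, so that no ActionController has to repeat it in preRun(). The Filter interface, AuthFilter, runChain() and the array-shaped route are hypothetical names; in a real front script the session array passed in would be $_SESSION after session_start().

```php
<?php
// Added illustration, not Zend Framework code; every name here is hypothetical.
interface Filter
{
    // Return the route to dispatch; call $next to continue down the chain.
    public function filter(array $route, array $session, callable $next): array;
}

final class AuthFilter implements Filter
{
    private $public; // controllers reachable without a session

    public function __construct(array $publicControllers)
    {
        $this->public = $publicControllers;
    }

    public function filter(array $route, array $session, callable $next): array
    {
        $isPublic = in_array($route['controller'], $this->public, true);
        // Deny by default: anything not listed as public needs a session flag
        // that is strictly true; a missing key counts as unauthenticated.
        if (!$isPublic && ($session['authenticated'] ?? false) !== true) {
            return ['controller' => 'auth', 'action' => 'logonForm'];
        }
        return $next($route, $session);
    }
}

// Runs the filters in order, then hands the surviving route to the dispatcher.
function runChain(array $filters, array $route, array $session, callable $dispatch): array
{
    $next = function (array $r, array $s) use ($dispatch): array { return $dispatch($r); };
    foreach (array_reverse($filters) as $f) {
        $inner = $next;
        $next = function (array $r, array $s) use ($f, $inner): array {
            return $f->filter($r, $s, $inner);
        };
    }
    return $next($route, $session);
}

// Constructed sample requests; the dispatcher stub returns the route it was given.
$dispatch = function (array $r): array { return $r; };
$filters  = [new AuthFilter(['auth'])];
$anon     = runChain($filters, ['controller' => 'index', 'action' => 'index'], [], $dispatch);
$authed   = runChain($filters, ['controller' => 'index', 'action' => 'index'], ['authenticated' => true], $dispatch);
echo $anon['controller'], '/', $anon['action'], "\n";
echo $authed['controller'], '/', $authed['action'], "\n";
```

Because the filter lists the public controllers rather than the protected ones, a controller added later is protected unless someone explicitly exempts it.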