I've been using Fat Free Framework 3.6 for a while and I'm having some trouble making sure of a few things related to the variables used; also please note that I'm not that knowledgeable as a PHP programmer. Here are some examples (I'm using a few "shortcut" methods for the SQL mapper, but I guess it's still readable):
function testroute() {
    // Q1 - Using f3-access to authorize a logged in user to advance on a route
    $this->access->authorize($this->f3->get('SESSION.user.group_id'));
    // Q2 - Change the f3 UPLOADS variable (Base::set() is the hive setter)
    $this->f3->set('UPLOADS', '/different/location');
    // Q3 - Instantiate Users and User Groups from DB
    $users = new User($this->db);
    $userGroups = new UserGroups($this->db);
    // Load all records to array
    $arrayOfUsers = $users->all();
    $arrayOfUserGroups = $userGroups->all();
    // Make the arrays available to the template
    $this->f3->set('arrayOfUsers', $arrayOfUsers);
    $this->f3->set('arrayOfUserGroups', $arrayOfUserGroups);
    // Render the View
    $this->f3->set('view', 'content.test.htm');
    $template = \Template::instance();
    echo $template->render('layout.sidebar.htm');
}
Considering the example code above:
1. Can the SESSION.user.group_id variable be tampered with/exploited by a logged in user, changing the value stored for its usergroup? If so, what is the/a more secure way of doing things like this, like having an isAdmin flag set at login?
2. Does changing the UPLOADS variable make it different for the entire hive (i.e. all users), or is the change only for the current user?
3. Within the template, is there a way of using the group_id value of a given user to get a different key of the related userGroup, like its slug? In the example below, I'm trying to avoid looping through @arrayOfGroups and for that I tried using array_search, but it returns empty (actually it returns the slug for id=0), i.e.:
<include href="{{ 'navbar.htm' }}" />
<repeat group="{{ @arrayOfUsers }}" value="{{ @item }}">
    <tr class="">
        <td>{{ @item.username }}</td>
        <td>{{ @item.usergroup_id }}</td>
        <td>{{ @arrayOfUserGroups[array_search(@item.usergroup_id].slug }}</td>
    </tr>
</repeat>
4. In the last example, I have an <include> reference for a nav bar, which in turn will have <li></li> elements for the nav items. What is the appropriate way, using this testroute() controller, to apply <li class="active"></li> to a specific item?
Cheers
Question #1: can a logged in user change its group?
No, a user cannot directly modify the contents of SESSION (unless you've provided him a way to do so). The only thing that can be exploited is the access itself, if the session id gets stolen (aka "session hijacking", cf. here or there).
Now, for the sake of flexibility, you'd better save the bare minimum inside SESSION. Storing the user group in the session prevents you from being able to dynamically change the group of a logged in user (the change will take effect on the next login). I'd rather advise storing only the user id and retrieving the group from it.
Question #2: Does changing the UPLOADS variable make it different for the entire hive (i.e. all users), or is the change only for the current user?
Only for the current user.
NB: the entire hive is "only for the current user". Only cached variables are shared.
Question #3: How to retrieve a specific group from $arrayOfUserGroups?
$arrayOfUserGroups is computed from $userGroups->all(), which I guess is the result of the DB\SQL\Mapper->find() method. That method doesn't index the results by id, only by order of appearance in the SQL output.
So one way to fix your issue would be to reindex the result before returning it. Something like:
function all() {
    $groups=$this->mapper->find('');
    $all=[];
    foreach ($groups as $group)
        $all[$group->id]=$group;
    return $all;
    // or if you prefer a one-liner:
    // return array_combine(array_map(function($g){return $g->id;},$groups),$groups);
}
Now in your template:
{{ @arrayOfUserGroups[@item.usergroup_id].slug }}
Question #4: how to activate a nav item?
There are various ways to achieve this, and it depends on several factors like the navbar hierarchy depth, your routing structure (naming convention for URLs or aliases, static or dynamic routes), etc.
So I'll assume you're using a basic navbar with one level of hierarchy, no alias, and no dynamic route. In that case, you could hold the list of nav items (paths+labels) in one variable and compare them with the current PATH. E.g.:
<repeat group="@navItems" value="@item">
    <li class="{{ @item.path==@PATH ? 'active' : '' }}">
        <a href="{{ @item.path }}">{{ @item.label }}</a>
    </li>
</repeat>
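The following is an added PHP example, not code from the question or the answer, that puts the answer's advice for Question #1 and Question #3 into one runnable script: the session stores nothing but the user id, the group is re-read from the database on every protected request (so a demotion or promotion takes effect immediately rather than at the next login), the session id is rotated at login so a fixated id is worthless, and the session cookie is marked HttpOnly and Secure through F3's JAR hive array to shrink the hijacking window the answer mentions. It does not use the f3-access plugin from the question; a plain group comparison stands in for it. The table names users(id, username, group_id) and user_groups(id, slug), the hive key 'DB', the lib/base.php path and the sample rows are this example's own assumptions; the data is constructed in-memory so the script runs stand-alone under the PHP CLI with Fat-Free 3.6 available.

```php
<?php
// Added example (not from the question or the answer). Assumes F3 3.6 is
// loadable from lib/base.php; table and column names below are assumptions.
require 'lib/base.php';

$f3 = \Base::instance();

// Cookie hardening has to happen before the session starts: F3 hands the JAR
// entries to session_set_cookie_params(). HttpOnly keeps the session id away
// from page scripts; Secure keeps it off plaintext HTTP (so it needs HTTPS).
$f3->set('JAR.httponly', TRUE);
$f3->set('JAR.secure', TRUE);

// Constructed in-memory data so the example runs stand-alone.
$db = new \DB\SQL('sqlite::memory:');
$db->exec('CREATE TABLE user_groups (id INTEGER PRIMARY KEY, slug TEXT NOT NULL)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, group_id INTEGER NOT NULL)');
$db->exec("INSERT INTO user_groups (id, slug) VALUES (1, 'admin'), (2, 'editor')");
$db->exec("INSERT INTO users (id, username, group_id) VALUES (1, 'alice', 1), (2, 'bob', 2)");
$f3->set('DB', $db);

// Question #3: Mapper->find() returns rows in SQL order; key them by id so a
// template can write {{ @arrayOfUserGroups[@item.group_id].slug }} directly.
function indexById(array $rows) {
    $byId = [];
    foreach ($rows as $row)
        $byId[$row->id] = $row;
    return $byId;
}

// Run once, after the password check has succeeded. Only the user id is
// persisted; the session id is rotated so an id planted before login
// (session fixation) stops being valid.
function login(\Base $f3, $userId) {
    if (session_status() !== PHP_SESSION_ACTIVE)
        @session_start();
    session_regenerate_id(TRUE);
    $f3->set('SESSION.user_id', (int)$userId);
}

// Drops the whole session, including the stored user id.
function logout(\Base $f3) {
    $f3->clear('SESSION');
}

// Run at the top of every protected route (a controller's beforeroute() is
// the natural place). The group comes from the database, never from the
// session, so a group change is honoured on the user's very next request.
// Returns the group slug, or NULL when nobody is logged in.
function currentGroup(\Base $f3) {
    $userId = $f3->get('SESSION.user_id');
    if (!$userId)
        return NULL;
    $users = new \DB\SQL\Mapper($f3->get('DB'), 'users');
    $users->load(['id=?', $userId]);
    if ($users->dry())      // account deleted after login: treat as logged out
        return NULL;
    $groups = indexById((new \DB\SQL\Mapper($f3->get('DB'), 'user_groups'))->find());
    return isset($groups[$users->group_id]) ? $groups[$users->group_id]->slug : NULL;
}

// Deny with a 403 unless the current user belongs to the named group.
function requireGroup(\Base $f3, $slug) {
    if (currentGroup($f3) !== $slug)
        $f3->error(403);
}

// Walk-through: bob (an editor) logs in, is promoted in the database, and the
// next authorization check already sees the new group without a re-login.
login($f3, 2);
echo currentGroup($f3), PHP_EOL;
$db->exec('UPDATE users SET group_id = 1 WHERE id = 2');
echo currentGroup($f3), PHP_EOL;
requireGroup($f3, 'admin');     // passes after the UPDATE; would have sent 403 before it
logout($f3);
```

The extra query per request is the price of the answer's "store only the user id" advice; with a DB\SQL\Mapper the lookup is cached for the mapper's TTL anyway. Note that the hive, including UPLOADS from Question #2, is rebuilt on each request, which is why the answer's "only for the current user" holds: nothing set there outlives the request unless you put it in SESSION or the cache.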