Need to access same boolean result in all layers of web dev abstraction
I am designing a web site, and it has the ability to log in. When someone is logged in, there is at times a need to know what group they're in. Specifically, whether they are in the officer group. Currently, I have a MySQL stored proc BOOL is_officer(INT id), where id is the user id number.
My question: Is it wise to make a PHP function in my library (bool) is_officer(), which uses $_SESSION['id'] and calls the MySQL stored proc?
Next, is it wise to make a page /ajax/is_officer.php, which would call the function in PHP, which would in turn call the MySQL stored proc, in case I need to (insecurely) know whether the user is an officer on-the-fly?
(Last would be making a JS function is_officer() which would send an AJAX request to is_officer.php.)
tl;dr: Same function name in many languages, one calls another, closer and closer to the database -- good idea or bad idea?
I'm basically asking for your guidance here -- sort of a communal yay/nay vote. Does this match any design patterns you've seen in the past?
This seems way too specialized a function to have. With this approach, you'll eventually accumulate a set of functions on various levels for each trivial bit of information. Also, making a roundtrip to the database can quickly become very wasteful.
I'd prefer to store relevant information about the logged in user in a session. Something along the lines of this:
<?php
session_start(); // the session must be active before anything is written to $_SESSION

if ($login_succeeded) { // placeholder: true once the password check for $id has passed
    $user = $Db->getUserInfo($id);
    // $user = array('id' => 1, 'name' => 'Foo', 'officer' => true, ...)
    $_SESSION['user'] = $user;
}
And whenever you need to know if the user is an officer, you just check for $_SESSION['user']['officer'].
You can send the value of is_officer to the web page upon successful login and set a cookie there. That way you don't have to make a server call every time you want to check if the user is an officer or not.
Use this cookie value only to make client-side customizations (like UI modifications) based on whether the user is an officer or not; when a request arrives at the server, do confirm that the request is in fact from an officer using the PHP/MySQL stored procedure. Never trust the data sent from the client; it can be manipulated.
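Putting the two answers together, here is an added PHP example that is not part of the question or either answer: the officer flag is loaded into the session once at login (answer 1), a cheap session-only is_officer() serves the /ajax/is_officer.php page for UI decisions, and a require_officer() guard re-asks the database before any privileged action, ignoring whatever the client sent (answer 2). It assumes a PDO connection $pdo, a users table with columns id, name and is_officer, and that the question's BOOL is_officer(INT id) is a MySQL stored function (it returns a value, so it can be called with SELECT); the function and page names are hypothetical.

```php
<?php
// Added example, not code from the original question or answers.
// Assumptions: $pdo is a PDO connection to the site's database; table `users`
// has columns id, name, is_officer; is_officer(INT) is a stored FUNCTION.
declare(strict_types=1);

session_start();

/**
 * Called once, right after the password check succeeds. Loads the user's row,
 * including the officer flag, into the session so that ordinary page requests
 * need no database round trip to answer "is this an officer?".
 */
function login_user(PDO $pdo, int $id): void
{
    $stmt = $pdo->prepare('SELECT id, name, is_officer FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('unknown user id');
    }

    // Issue a fresh session id when privileges change (anonymous -> logged in)
    // so a session id planted before login cannot be reused (session fixation).
    session_regenerate_id(true);

    $_SESSION['user'] = [
        'id'      => (int) $row['id'],
        'name'    => $row['name'],
        'officer' => (bool) $row['is_officer'], // MySQL BOOL arrives as "0"/"1"
    ];
}

/** Cheap check for UI decisions: reads only the session, never the database. */
function is_officer(): bool
{
    return isset($_SESSION['user']['officer']) && $_SESSION['user']['officer'] === true;
}

/**
 * Authoritative check for privileged actions. Re-asks the database through the
 * stored function so an officer whose status was revoked mid-session is still
 * stopped, even though the cached session flag may be stale. Nothing the client
 * sent (cookies, POST fields, the JSON below) is consulted.
 */
function require_officer(PDO $pdo): void
{
    if (!isset($_SESSION['user']['id'])) {
        http_response_code(401);
        exit('login required');
    }
    $stmt = $pdo->prepare('SELECT is_officer(:id)');
    $stmt->execute([':id' => $_SESSION['user']['id']]);
    if (!(bool) $stmt->fetchColumn()) {
        http_response_code(403);
        exit('officers only');
    }
    // Keep the cached flag in step with what the database just said.
    $_SESSION['user']['officer'] = true;
}

// --- Usage (placeholder connection details) ---------------------------------
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
//
// In the login handler, after the password has been verified:
//   login_user($pdo, $id);
//
// In /ajax/is_officer.php (safe to expose: it only reveals the caller's own flag,
// and the browser uses it solely to show or hide officer-only UI):
//   header('Content-Type: application/json');
//   echo json_encode(['officer' => is_officer()]);
//
// In any page that performs an officer-only action:
//   require_officer($pdo);
//   // ... do the privileged work ...
```

The split between is_officer() and require_officer() is the point: the session copy makes the common case free, but the value the browser learns through the AJAX endpoint (or a cookie) is only a rendering hint, and every request that actually does something officer-only is decided on the server from the session and the database.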