Roles and Permissions

Bonfire uses a Role-Based Access Control (RBAC) system for authorization. This provides enough granularity and flexibility for most situations, though it may not be suitable for every website.

Stock Roles

Bonfire ships with four roles by default: Administrator, Developer, Editor, and User. Each role comes with some basic access, though you will need to ensure that each has the appropriate permissions for your site. While their names imply certain capabilities within the site, they can all be changed as needed, though we strongly suggest that Administrator remains unchanged.

Administrator

The Administrator is the highest-level user of the site. This is often the client you are creating the site for. As the 'owner' of the site, the Administrator is typically given the most power of any site operator. By default, Bonfire grants this role permissions over the entire site.

Developer

While the Administrator is the owner of the site, there are still some tools that Bonfire provides that they will never need, like the Module Builder, Translation tools, etc. The Developer role was created to keep the dangerous tools away from the other users of the site, while still providing powerful tools for the development and maintenance process.

Editor

Editors will typically be the staff hired by the Administrator to handle the day to day operations of the site. They will have a lot of capability, but there are still some sensitive areas that the Administrator might not want them to have access to.

User

This is the default role that anyone registering to the site is given. As such, it will typically have very limited rights to most of the site.

Creating New Roles

New roles are easily created within the admin panel by navigating to Settings / Roles and then selecting New Role in the navigation bar. The elements of the form are:

  • Role Name - The name of the role as you want it to appear to users. It should be one word, with no spaces, though you can use underscores in their place.
  • Description - This field is primarily used on the Roles overview page, but can be used by yourself throughout your template when needed.
  • Login Destination - This is the relative path that a user is directed to when they login. For example, you can force all admins to be directed to the main admin page by setting this value to /admin. Alternatively, you could have Users be directed to their own dashboard or account management page by entering the appropriate relative URL here.
  • Default Admin Context - When a user logs into the admin area, this sets the context they are directed to, like /admin/content. The Settings and Developer contexts are unavailable for selection here.
  • Default Role - The role assigned to new users when they register at the site. By selecting it here, it will be removed from any other role that currently has it.
  • Removable? - Lets you give roles other than Administrator access to role management without the power to delete certain roles, keeping those roles safe from accidents or malicious actions. If this is set to 'Yes', then anyone with the Bonfire.Roles.Delete permission can delete this role.

When you first create a role, no permissions will be shown. You can go back and edit the permissions available to the role by selecting the Role from the Role overview page, or by editing through the Permission Matrix.

Permissions in Bonfire

Permissions in Bonfire are modeled after the excellent and easily-understandable permission naming system in Vanilla Forums. Permissions are described in 3-part, human-readable formats that allow for nearly any type of permission to be created. This allows both the admin screens and your code to maintain a high degree of readability.

Permission Names

Permission names are split into three parts, separated by periods.

Core Bonfire permissions use the following naming convention (Site is always used as the first part):

Site.Action.Permission
e.g. Site.Signin.Allow

Modules included with Bonfire use the following naming convention (Bonfire is always used as the first part):

Bonfire.Module.Action
e.g. Bonfire.Roles.View

In application modules (e.g. modules you create or those created by the Code Builder) the names should follow this convention:

Module.Context.Action
e.g. Blog.Content.View
  • Module is typically the name of your module, or a portion of it.
  • Context is typically the name of the context, e.g. Content, Reports, Settings, or Developer.
  • Action is a single action that can be checked. Common actions are Manage, View, Edit, and Delete.

The permission naming convention can be changed to meet your requirements, but it is recommended that you use this format to prevent conflicts.

To be safe in naming custom permissions, the use of Bonfire or Site in the first region of the permission name should be considered reserved. If you choose to use Site in the first region for a custom permission, you should consider using an identifier in the second region which will be suitably unique to your site.

Creating Permissions

New permissions can easily be created through the Admin UI by navigating to Settings / Permissions. This screen will provide a list of all existing permissions as well as the option to create new ones.

Each permission has the following three properties...

  • Name is the permission itself, following the naming scheme outlined above.
  • Description is a short string describing the permission and its use. This is only used for display in the Permissions overview page.
  • Status allows permissions to still be available in the system, but not to actually be used. This can be used as a placeholder for in-development features.
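Permissions are usually created in the Admin UI as described above, but a module normally registers its own permissions from a migration so an install is reproducible. The following is an added example and not Bonfire's own code: a migration that creates a set of Module.Context.Action permissions, refuses any name in the reserved Bonfire.* and Site.* namespaces or with the wrong number of parts, and grants the new permissions to the Administrator role only. The base class CI_Migration, the table names 'permissions' and 'role_permissions', the columns 'permission_id', 'role_id' and 'status', and role_id 1 being Administrator are assumptions about the installation.

```php
<?php
defined('BASEPATH') || exit('No direct script access allowed');

/**
 * Added example, not code from Bonfire itself. Registers a module's
 * permissions following the Module.Context.Action convention, rejects
 * reserved or malformed names, and grants the permissions to the
 * Administrator role only.
 *
 * Assumptions: base class CI_Migration, tables 'permissions' and
 * 'role_permissions', columns 'permission_id' / 'role_id' / 'status',
 * and role_id 1 being Administrator.
 */
class Migration_Install_blog_permissions extends CI_Migration
{
    /** Assumed id of the Administrator role. */
    const ADMIN_ROLE_ID = 1;

    /** Permission name => description, in the Module.Context.Action form. */
    private $permissions = array(
        'Blog.Content.View'   => 'View blog posts in the Content context',
        'Blog.Content.Manage' => 'Create blog posts',
        'Blog.Content.Edit'   => 'Edit existing blog posts',
        'Blog.Content.Delete' => 'Delete blog posts',
    );

    public function up()
    {
        foreach ($this->permissions as $name => $description) {
            self::assertValidName($name);

            // Idempotent: re-running the migration must not create duplicates.
            if ($this->db->where('name', $name)->count_all_results('permissions') > 0) {
                continue;
            }

            $this->db->insert('permissions', array(
                'name'        => $name,
                'description' => $description,
                'status'      => 'active',
            ));
            $permissionId = $this->db->insert_id();

            // Least privilege: only Administrator receives the permission
            // automatically. Editor and other roles are granted deliberately
            // through the Permission Matrix, never by default.
            $this->db->insert('role_permissions', array(
                'role_id'       => self::ADMIN_ROLE_ID,
                'permission_id' => $permissionId,
            ));
        }
    }

    public function down()
    {
        $rows = $this->db->select('permission_id')
            ->where_in('name', array_keys($this->permissions))
            ->get('permissions')
            ->result();

        $ids = array();
        foreach ($rows as $row) {
            $ids[] = (int) $row->permission_id;
        }
        if (! empty($ids)) {
            // Remove the role grants first so no orphaned rows are left behind.
            $this->db->where_in('permission_id', $ids)->delete('role_permissions');
            $this->db->where_in('permission_id', $ids)->delete('permissions');
        }
    }

    /**
     * Enforce the three-part naming convention and the reserved first parts.
     * Throwing here fails the migration instead of silently creating a
     * permission that no restrict() call will ever match.
     */
    public static function assertValidName($name)
    {
        $parts = explode('.', $name);
        if (count($parts) !== 3) {
            throw new InvalidArgumentException("'{$name}' must have exactly three dot-separated parts");
        }
        foreach ($parts as $part) {
            if (! preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $part)) {
                throw new InvalidArgumentException("'{$name}' has an invalid segment '{$part}'");
            }
        }
        // Bonfire.* and Site.* belong to core and bundled modules. Compare
        // case-insensitively, since permission checks lowercase the name.
        if (in_array(strtolower($parts[0]), array('bonfire', 'site'), true)) {
            throw new InvalidArgumentException("'{$name}' uses the reserved first part '{$parts[0]}'");
        }
    }
}
```

Granting only Administrator in the migration and leaving Editor and User to the Permission Matrix keeps the default state deny-by-default; a module that silently grants its Delete permission to every role on install is a common way for staff accounts to end up with more power than intended.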

Assigning Permissions

Permissions can be assigned to roles through the Edit Role screen. Alternatively, they can be assigned to all roles at once by viewing the Permission Matrix, available from both the Roles and Permissions screen.

Restricting Access

The Auth library provides several useful methods to restrict access, or check access, from any place in your application. If not already loaded, you can load the Auth library with the following code:

$this->load->library('users/auth');

restrict()

The restrict() method can be used to protect an entire method or, when called from a controller's constructor, every method in the class. If used without any parameters, it simply verifies that the user is logged in. If they are not, it redirects them to the login page.

$this->auth->restrict();

You can require that a user has a certain Permission granted by passing the name of the permission as the first parameter. You do not have to match the case of the original permission string, as it will be converted to lowercase prior to checking.

$this->auth->restrict('Bonfire.Users.Manage');

If a user does not have the required permission granted to them, they will be directed to their previous page. You can change the URI they are redirected to by passing it in as the second parameter. This can be either a relative or full URI path.

$this->auth->restrict('Bonfire.Users.Manage', '/get-outta-here.html');

is_logged_in()

You can check if a user is logged in with the is_logged_in() method. This can be used in your own controller and libraries, as well as in your views to display different information to logged in and logged out users.

if ($this->auth->is_logged_in()) {
    . . .
} else {
    . . .
}

Note that the first time this function is called in a session, it verifies that the identity stored in the session matches the hashed password information in the database. It then sets a flag that is used for later checks to improve performance while still maintaining a high level of security.

has_permission()

The has_permission() method allows you to check if the current logged-in user has a specified permission. You pass the name of the permission to check in as the first parameter.

if (! has_permission('Bonfire.Users.Manage')) {
    . . .
}

permission_exists()

This function allows you to quickly check whether a permission exists in the database. Simply pass in the permission name to check as the first parameter.

if (permission_exists('Bonfire.Users.Manage')) {
    . . .
}
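The four methods above are meant to be combined: restrict() in the constructor to protect a whole controller, per-action restrict() calls for the sensitive operations, has_permission() to decide what a view shows, and permission_exists() to catch a missing permission early. The following controller is an added example written for this page and is not code from Bonfire; it assumes the Blog.Content.* permissions have already been created, that the controller is reachable at /blog/content, and that a Post_model with find_all(), find() and delete() exists in the module.

```php
<?php
defined('BASEPATH') || exit('No direct script access allowed');

/**
 * Added example, not code from Bonfire itself. A module controller that
 * combines restrict(), has_permission() and permission_exists().
 *
 * Assumptions: the Blog.Content.* permissions exist, the controller lives
 * at /blog/content, and the module ships a Post_model with
 * find_all() / find() / delete().
 */
class Content extends CI_Controller
{
    /** Permissions this controller relies on; verified once at construction. */
    private $requiredPermissions = array(
        'Blog.Content.View',
        'Blog.Content.Edit',
        'Blog.Content.Delete',
    );

    public function __construct()
    {
        parent::__construct();
        $this->load->library('users/auth');
        $this->load->model('blog/post_model');   // assumed module model

        // Fail closed if a permission was never created (e.g. the module
        // migration did not run). A restrict() against a name that does not
        // exist cannot be trusted to mean what the developer intended.
        foreach ($this->requiredPermissions as $permission) {
            if (! permission_exists($permission)) {
                show_error("Missing permission '{$permission}'; run the module migration.", 500);
            }
        }

        // Applies to every public method: the user must be logged in AND
        // hold Blog.Content.View, otherwise they are redirected away.
        $this->auth->restrict('Blog.Content.View');
    }

    public function index()
    {
        // has_permission() here only decides what the view renders. Hiding a
        // link is not access control; edit() and delete() enforce their own
        // restrict() calls regardless of what the page showed.
        $data = array(
            'posts'      => $this->post_model->find_all(),
            'can_edit'   => has_permission('Blog.Content.Edit'),
            'can_delete' => has_permission('Blog.Content.Delete'),
        );
        $this->load->view('blog/content/index', $data);
    }

    public function edit($id = null)
    {
        // Second parameter: where a user without the permission is sent.
        $this->auth->restrict('Blog.Content.Edit', '/blog/content');

        $post = $this->post_model->find((int) $id);
        if (! $post) {
            show_404();
        }
        $this->load->view('blog/content/edit', array('post' => $post));
    }

    public function delete($id = null)
    {
        $this->auth->restrict('Blog.Content.Delete', '/blog/content');

        // Destructive action: accept POST only, so the request carries the
        // CSRF token and cannot be triggered by a crafted GET link or image.
        if ($this->input->method() !== 'post') {
            show_error('Method not allowed', 405);
        }

        $this->post_model->delete((int) $id);
        redirect('blog/content');
    }
}
```

The constructor check with permission_exists() is deliberately loud: a permission that was never created is easy to miss in the Permission Matrix, and a controller that quietly behaves differently because of it is harder to diagnose than a 500 at first request.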

Passwords

While passwords are generally managed through the users module, the auth library includes a couple of basic functions for password management.

check_password()

The check_password() method allows you to verify that a given password matches a password hash.

if ($this->auth->check_password('password to check', 'HashedPassword')) {
    // The passwords match
    ...
}

hash_password()

The hash_password() method allows you to hash a password with an optional number of iterations (if not supplied, the site's password_iterations setting will be used). This should not be used to check a password, since hashing the same password again won't match a stored hash.

$password = $this->auth->hash_password('password');
$hash = $password['hash'];
$iterations_used = $password['iterations'];

Note that although the number of iterations used is returned by this method, it can be safely ignored: the PasswordHash library stores the iteration count inside the hash itself and uses only that embedded value when checking a password. The primary use of the returned value is debugging, to confirm whether hash_password() is accepting your input or falling back to the config value.
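The point that hash_password() must never be used to check a password is easiest to see in a change-password flow: the current password is verified with check_password() against the stored hash, and only the new password is hashed. The controller below is an added example written for this page, not Bonfire's own code. It assumes $this->auth->user_id() returns the logged-in user's id, that User_model provides find() and update(), and that the users table keeps the hash in a 'password_hash' column.

```php
<?php
defined('BASEPATH') || exit('No direct script access allowed');

/**
 * Added example, not code from Bonfire itself: a change-password action
 * built on check_password() and hash_password().
 *
 * Assumptions: $this->auth->user_id() returns the current user's id,
 * User_model exposes find() / update(), and the hash lives in the
 * 'password_hash' column.
 */
class Account extends CI_Controller
{
    /** Minimum new-password length in characters (policy assumed here). */
    const MIN_LENGTH = 12;

    public function __construct()
    {
        parent::__construct();
        $this->load->library('users/auth');
        $this->load->library('session');
        $this->load->model('users/user_model');

        // Logged in is enough; no extra permission is needed to change
        // one's own password.
        $this->auth->restrict();
    }

    public function change_password()
    {
        if ($this->input->method() !== 'post') {
            $this->load->view('account/change_password');
            return;
        }

        $current = (string) $this->input->post('current_password');
        $new     = (string) $this->input->post('new_password');
        $confirm = (string) $this->input->post('confirm_password');

        $user = $this->user_model->find($this->auth->user_id());

        // Re-authenticate against the stored hash before allowing a change.
        // Do NOT compare hash_password($current) with the stored value: each
        // call produces a fresh salt, so the two hashes will never be equal.
        if (! $this->auth->check_password($current, $user->password_hash)) {
            $this->session->set_flashdata('error', 'Current password is incorrect.');
            redirect('account/change_password');
        }

        if ($new !== $confirm) {
            $this->session->set_flashdata('error', 'New passwords do not match.');
            redirect('account/change_password');
        }
        if (mb_strlen($new) < self::MIN_LENGTH || $new === $current) {
            $this->session->set_flashdata('error', 'Choose a longer, different password.');
            redirect('account/change_password');
        }

        // Only the hash is stored. The iteration count is embedded in the
        // hash and is what check_password() will use later, so the
        // 'iterations' element of the result can be ignored.
        $hashed = $this->auth->hash_password($new);
        $this->user_model->update($user->id, array(
            'password_hash' => $hashed['hash'],
        ));

        // A credential change is a good point to rotate the session id so a
        // session fixed or captured before the change does not survive it.
        $this->session->sess_regenerate(true);

        $this->session->set_flashdata('message', 'Password updated.');
        redirect('account');
    }
}
```

Requiring the current password for the change is what turns a stolen session into a limited loss: an attacker who hijacks a logged-in browser cannot lock the real user out by setting a new password they do not know.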
