The Trongate Security Module

The Trongate_security module provides a centralized way to handle authorization across your application using scenarios.

Instead of scattering security checks throughout your codebase, you call one method and let it route to the appropriate handler:

This approach keeps your security logic organized, consistent, and easy to maintain.

What Are Scenarios?

A scenario is a named security context that describes what access control rules should apply.

Examples of scenarios:

• 'admin panel' - Only administrators can access
• 'members area' - Any logged-in member can access
• 'read comment' - Anyone can access (public)
• 'edit comment' - Only comment owner or admin can access
• 'premium content' - Only premium subscribers can access

Each scenario routes to a specific module that knows how to handle that particular type of access control.

How It Works

The Trongate_security module uses a switch statement to delegate scenarios to appropriate modules. The default scenario handles admin panel access by checking for a valid token with user level 1:

In development mode (ENV === 'dev'), the login module provides convenience features to streamline development. In production, unauthenticated users are always redirected to the login page at login/login.

The Default Scenario

If you do not specify a scenario, it defaults to 'admin panel':

Both check for a valid token with user level 1 (administrators) and redirect to login/login if none is found.

Return Values: Flexible by Design

The make_sure_allowed() method is intentionally open-ended. It can return:

• String — The validated token
• Boolean — true for public access, false for denied
• Object — Complete user object with permissions
• Array — Custom data structure with multiple values
• Nothing — Can redirect or die instead of returning

The return type depends on what your scenario needs. You decide.

Example: Discussion Forum

Let us build a hypothetical discussion forum accessible by the public, with special privileges for admin users and member users.

The Requirements

• Read comments — Open to anyone (no authentication)
• Create comments — Must be a logged-in member
• Edit/delete comments — Must be the comment owner OR an admin

Trongate_security.php

Add forum scenarios to the switch statement:

Members.php

The members module handles complex ownership checks:

Forum_comments.php (Controller)

Using the scenarios in your controller:

Using $this->login->make_sure_allowed() Directly

In your own controllers, you can also call the login module directly to check authentication without going through the security module:

The login->make_sure_allowed() method checks the token, validates the user level, and returns the token string if valid, or false if not. In development mode, it provides convenience features; in production, it always requires proper authentication.

The $params Array

The optional $params array allows fine-grained control:

Pass any data your scenario needs to make authorization decisions.

Building Your Own Scenarios

To add custom scenarios:

1. Open Trongate_security.php
2. Add a new case to the switch statement
3. Either handle inline OR delegate to another module
4. Return appropriate value (token, boolean, object, etc.)

Example: Premium Content

Why Scenarios Win

• Centralized security logic — All authorization in one place
• Consistent patterns — Same method call everywhere
• Easy to audit — Review security in one file
• Flexible delegation — Complex logic lives in appropriate modules
• Testable — Mock scenarios for unit tests

Common Patterns

Pattern 1: Public Access

Pattern 2: Simple Member Check

Pattern 3: Delegate to Module