Authentication and Users

EMPS has a built-in authentication system based on PHP sessions backed by a MySQL session store. The auth object is available globally as $emps->auth.


How It Works

  1. Every visitor with cookie support gets a PHP session (stored in the e_phpsessions database table, not on the filesystem).
  2. On successful login, a row is inserted into e_sessions and its ID is stored in $_SESSION['session_id'].
  3. On every subsequent request, handle_logon() reads that ID, looks up the session row, and sets $emps->auth->USER_ID to the authenticated user's ID.
  4. Any controller can then call $emps->auth->credentials(...) to check access.

The auth system is initialized automatically by EMPS on every request — you do not need to call check_session() manually in your controllers.


Checking Access in Controllers

credentials($groups)

Returns true if the current user belongs to the specified group(s).

// Allow only logged-in users
if ($emps->auth->credentials("users")) {
    // show user content
} else {
    $emps->deny_access("LoginNeeded");
}

// Allow only admins
if ($emps->auth->credentials("admin")) {
    // admin-only logic
} else {
    $emps->deny_access("AdminNeeded");
}

// Allow users in group "manager" OR "admin"
if ($emps->auth->credentials("manager,admin")) {
    // ...
}

// Allow users NOT in group "blocked"
if ($emps->auth->credentials("!blocked")) {
    // ...
}

The special group name "users" checks that the user is logged in and active (i.e. their status field in e_users is 1). Other group names refer to rows in the e_users_groups table.

USER_ID

The integer ID of the currently logged-in user, or 0 / unset if not logged in.

$user_id = $emps->auth->USER_ID;
if ($user_id) {
    // user is authenticated
}

json_user($user_id)

Returns a user array safe to send to the browser — the password field is removed. Use this in JSON responses that include user data.

$emps->json_ok([
    'user' => $emps->auth->json_user($emps->auth->USER_ID)
]); exit;

Denying Access

$emps->deny_access("AdminNeeded");

This sets the $reason Smarty variable and displays the access-denied template. deny_access does not call exit, so any code that follows the call still runs. Always add a ; or return after it.

The conventional pattern:

if ($emps->auth->credentials("admin")) {
    // ... all the module logic ...
} else {
    $emps->deny_access("AdminNeeded");
}
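
The fall-through that the deny_access warning describes, as an added example (not EMPS code and not part of the original page). StubEmps, StubAuth and purge_records are hypothetical stand-ins that model only the documented behaviour: credentials() returns a bool and deny_access() returns without calling exit.

```php
<?php
// Stand-ins for $emps and $emps->auth (hypothetical, not EMPS source). They
// model only what the page states: credentials() returns a bool, and
// deny_access() records a reason and returns WITHOUT calling exit.
class StubAuth {
    public $groups = [];
    // Simplified: one group name only, no "a,b" or "!a" forms.
    public function credentials($group) {
        return in_array($group, $this->groups, true);
    }
}
class StubEmps {
    public $auth;
    public $denied = null;
    public function __construct() { $this->auth = new StubAuth(); }
    public function deny_access($reason) { $this->denied = $reason; }
}

// Hypothetical privileged action; $log records whether it ran.
function purge_records(array &$log) { $log[] = "records purged"; }

// BROKEN: guard clause with nothing stopping execution after deny_access().
function controller_fallthrough($emps, array &$log) {
    if (!$emps->auth->credentials("admin")) {
        $emps->deny_access("AdminNeeded");
    }
    purge_records($log); // still reached for non-admins
}

// FIXED: return immediately after deny_access().
function controller_guarded($emps, array &$log) {
    if (!$emps->auth->credentials("admin")) {
        $emps->deny_access("AdminNeeded");
        return;
    }
    purge_records($log);
}

$emps = new StubEmps(); // constructed visitor: member of no groups
foreach (["controller_fallthrough", "controller_guarded"] as $fn) {
    $emps->denied = null;
    $log = [];
    $fn($emps, $log);
    printf("%s: denied=%s privileged_ran=%s\n",
        $fn, var_export($emps->denied, true), $log ? "yes" : "no");
}
```

In the broken controller the denial is recorded and the privileged action still executes, which is why the if/else form above keeps all module logic inside the allowed branch.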

Login / Logout Flow

EMPS handles the standard login form and logout link automatically through handle_logon(), which is called during bootstrapping.

Login Form

Post to any page with these fields:

<form method="POST">
    <input type="hidden" name="post_login" value="1">
    <input type="text" name="login_username">
    <input type="password" name="login_password">
    <button type="submit">Login</button>
</form>

On success, EMPS creates an e_sessions row and redirects back to the same URL. On failure, $_SESSION['login']['error'] is set to one of: "no_user", "wrong_password", "no_activation", "blocked".

In a Smarty template:

{{if $login.error == "wrong_password"}}
    <p class="has-text-danger">Wrong password.</p>
{{/if}}

Logout Link

Append ?logout=1 to any URL:

<a href="./?logout=1">Log out</a>

User Groups

Users can belong to named groups stored in e_users_groups. Groups are project-specific strings — you define them yourself. Common conventions:

root      — full admin plus access to /admin-users/ (user management)
admin     — full administrative access
manager   — elevated access to specific sections
users     — any authenticated user (special: checked against e_users.status)

Groups support context (website) isolation: the same user can have different groups on different EMPS sub-websites sharing the same database.

Assigning a User to a Group

$emps->auth->add_to_group($user_id, "manager");

Checking Group Membership for Any User

// Check if user 42 is an admin
if ($emps->auth->user_credentials(42, "admin")) {
    // ...
}

Database Tables

Table            Purpose
e_users          User accounts (id, username, password, status, firstname, lastname, fullname, ...)
e_sessions       Active EMPS sessions (id, user_id, ip, dt, ...)
e_users_groups   Group membership (user_id, group_id, context_id)
e_actkeys        Email activation keys
e_phpsessions    PHP session store (replaces filesystem sessions)

OAuth

Note: The built-in OAuth implementation in EMPS6 was carried over from EMPS 4.5 and has not been actively maintained. It is not recommended for new projects — its provider integrations may be outdated, and the code is a candidate for deprecation.

For projects that need social login, the recommended approach is to implement OAuth at the project level using a current library (e.g. via Composer) and wire it into the EMPS auth system by calling $emps->auth->create_session() once the provider has authenticated the user.


Smarty Variables

After handle_logon() runs, the $login Smarty variable is available in all templates:

{{if $login.status == 1}}
    Welcome, {{$login.user.fullname}}!
    <a href="./?logout=1">Log out</a>
{{else}}
    <a href="/login/">Log in</a>
{{/if}}