Please can you advise me on the best way to implement user permissions within PHP to control what a user can do within the database application?
I have created a PHP application with a MYSQL database. The database has a number of tables (such as Person, UserAccounts, Accommodation, Education etc..). In its simplest form the PHP pages display data from a table and through links to associated pages allows user to delete/edit information in the table.
I would like to implement permission/access rights to control what the user can do when they log-in i.e. View Data, Edit or Delete Records. I already have a user registration/log-in system through PHP where the user accounts and passwords etc are held in the 'UserAccounts' Table.
What currently happens is:
The user logs in and their ‘id’ is held in a session variable.
The user accesses the required PHP query results page for the required table – let’s say ViewPeople.php which queries table ‘Person’ and shows the results.
From here is seems like the best way to implement permissions is:
Add details to the users record in the ‘UserAccount’ table which specified each users access level (view, edit, delete) for a given table. .
Run a query at the beginning of each page (say the ViewPeople.php page) which return the users access level. .
Through a series of ‘IF’ statements in the page, using the previous query results show or hide the appropriate links (such as edit person, delete person etc..) as appropriate.
This method seems inefficient as it would require a query at the beginning of each page and several IF statements within the page to control what the user sees.
An alternative solution may be to load different copies of the page depending on the users access level, each with different links shown. This would again be inefficient and an admin overhead, requiring many copies of a page to be modified for a single change.
How is this normally done? Any advise or suggestions are gratefully received.
Thanks