How would you set up user permissions?

[lilwing]

Hello, I am going to put you through a hypothetical situation, parallel to the one I am in, and I would like for you to describe to me, what you would do to solve the crisis. You can include scripts, but I am just wondering, in a nutshell (a detailed nutshell) how you would go about doing so.

 

Say you had a customer who needed a completely new web design; they knew nothing about server side scripting, or HTML, or any web applications... They can fiddle around in frontpage, that's all. So they hire you, based on your portfolio. Let's just say for example, that this customer is a K-12 school who chose you over some ripoff Schoolcenter program. God I am sick of hearing that word.... anyway, you decide that the website should be dynamic, based on the things that they want on the website. So you configure their server to run the way you need it to, and then you begin designing the website.

 

After you come up with the static design of the pages, you kind of slack off a little. But with a few all-nighters of catching up, you're back on pace. Now you are ready to set up a content management system... unfortunately, not only does the school offer a budget large enough to purchase the content management system you'd like to use, you're stuck building your own. Let's just say you've only been working with PHP for 2 years, and you're between beginner/intermediate level.

 

You have lots of google magic and are able to quickly find tutorials and helpful resources along the way, and 80% of the way through the job, and you've done a pretty damn good job for your skill level. But then all of a sudden, your customer wants all kinds of different links on the website. They want each teacher to manage webpages for the classes they teach, and have department heads maintain their pages, and the school board wants their minutes archived, and all kinds of things that ruin your nice organized plan. Now all of a sudden you're not sure how to put together all that. You really have no idea how to assign certain pages to certain users, you don't know where to start with assigning classes to teachers, and it all seems very disorganized and now you're suddenly very overwhelmed.

 

But you can't give up. What do you do? If you are a PHP guru, what would you have told yourself? Are there any tutorials you would recommend to yourself?

 

The time is clicking and you begin to lose your mind from the overwhelming feelings. You begin spinning around in your office chair like a kid who was dragged along to bring-your-kid-to-work day.

 

Any ideas? Wish me luck?

 

And on top of this mess, I think I am coming down with a second case of the chicken pox.

[waynew]

At the very foundation of your user system (i.e, the user table), you could set up a certain type.

 

For instance,

 

Username: Bob Password: Etc Type: Admin

Username: Michelle Password: Etc Type: Teacher

 

Then, on the sessions of each page, check to see if such and such a user has the permission based on the type that is parrallel to their username.

 

With the timetable, you could basically create a table that is near or similar to it.

 

Hope that helps.  :-\

[waynew]

For example:

 

When the user logs in as Michelle, and she's a teacher that has only access to her time table and certain other stuff because she's not an admin.

session_start();
$user = $_POST['username']; //came in from login form.
$result = mysql_query("Select user_type from users where username = '$user') or die(mysql_error);

while($row = mysql_fetch_array($result)){
$_Session['type'] = $row['user_type'];
}

 

Now her type is registered in session.

 

Now imagine she's trying to enter a restricted page called admin.php At the start of the page:

 

session_start();

if($_Session['type'] != "Admin"){
header("Location : restricted.php"); //redirects if the user type isn't admin
}

 

Of course restricted.php will be an error message page or something that will tell her that she doesn't have access to that area.

 

Please excuse very basic example. Probably not the safest but it gives an idea.

[lilwing]

I actually considered that at one point. In fact, up until this morning, my users table had quite a few columns; email address, first name, last name, group, and so forth.

 

The problem I would bump into, though, is that it is so random and there is no order to anything. I would have to create a ton of databases, and since everybody kind of has a different number of pages under their control, there is no point in grouping.

 

... I honestly have no idea how some of you guys get by on this level.

[waynew]

Red bull and a packet of cigarettes.

[stublackett]

I've done something similar to what your after there

 

I had a login that had 3 levels of user

 

1 - Student

2 - Teacher

3 - Superuser

 

When the user logs in the session checks the database for userlevel of 1,2 or 3 if they are that level it directs them to their page and also opens relevant user menus

 

I can supply you my code if needs be, just gimme a shout

[lilwing]

Stublackett, how did you give teachers access to just their pages? That is what I am unsure about.

[Stephen]

What I use is:

In the category or board (i.e. Teacher page) in the mysql db you'd have like

read - write - make

 

Columns. Using stublacketts group numbers:

1 - Student

2 - Teacher

3 - Superuser

 

I'd put something like

read - write - make

2,3   - 2,3   - 2,3

 

That way only teachers and superusers can access it.

To seperate that I'd use explode(",",$read); - read being the variable with the read usergroup ids in it (from the table).

 

Then just use  foreach to check if the users groupid is that, and if it is set like $okay=1. Later, check "if $okay==1" then let them see the page.

 

Hope you can understand that

[DarkWater]

I'd personally use a bitmask to determine permissions. 

I.E:

Students have a type of 1, teachers have a type of 2, and admins have a type of 4. 

 

For things that teachers and admins can access, you'll put a 6 in the database under maybe a "permissions" column and then use bitwise operators to determine if they can view it or not.

Let's say $_SESSION['level'] contained the user's level (2), and $page_level contained the INT (6 in this case) in the database.

 

 

if ($_SESSION['level'] & $page_level) {

  echo "Good to go!";

}

else {

  echo "Permission denied.";

}

 

It would echo "Good to go!".

 

This works because:

 

A 2 in binary is 10.  A 6 in binary is 110.  So a bitwise AND (&) compares bits:

 

  110

& 010

---------

  010

 

That's equal to something other than 0, so it passes the IF.

[roopurt18]

The best permission systems use a groups and users model, where groups is sometimes replaced by roles.  You can create a group or user and assign specific privileges to them.

 

For you instance, you can create a Department Head group that has the ability to make purchases for the department, while regular members of the Department group can only view purchases.

 

You can create individual users and assign the same permissions, but you can also assign users to groups so that you can manage everyone at the same time easily.

 

You have to take a look at the kind of operations you want to control access on within your system.  For each operation, give it a short but unique text association.  First you have the basic CRUD operations:

Create - c

Read - r

Update - u

Delete - d

 

But maybe you also want to support operations such as:

Exporting - xp

Executing - x

Importing - i

 

Then take a look at the areas within your application that you wish to expose and control these actions.  Let's say for instance we had a news section.  News can be created, read, updated, deleted, but let's say it can also be imported and exported.

 

I like to save my permissions as if they were a file system all of their own.  So each of those actions for the news can be expressed as:

 

/news/c

/news/r

/news/u

/news/d

/news/xp

/news/i

 

Then I can save this in a table like this:

permissions

id, entity_id, path, access

id is an auto incrementing PK.

entity_id associates to a group or user in another table that supports hierarchies.

path is the text strings I listed above (/news/c, /news/r, etc)

access is 0 if user can not do this, 1 if the user can, and null if we inherit from the parent entity of the current entity

 

When someone logs into your system, you pull out all of their permissions from the database and you can easily display and hide links based on what they can do.  You also have to build each page so that they can't bypass your lack of links by just typing in URLs manually.

 

You can easily extend this path-like approach to other areas of your system.  Let's say you've designed a database view, call it recent_purchases, that gives a listing report of purchased items with columns: product, qty, price.  Power users should be able to view all of the columns, but others might only need to see the product and qty and we don't want them to see the price.

 

You can create a new path in your permissions:

/system/db/views/recent_purchases/columns/product/r

/system/db/views/recent_purchases/columns/qty/r

/system/db/views/recent_purchases/columns/price/r

 

Now when you either call the view or display the results, based on what columns the user has access to, you can display or not display them.

 

Depending on how you organize your paths there is no limit to what operations you can control.

[lilwing]

Clearly there are a lot of ways to go about this. I am going to have to do some studying before I am able to use any of those methods.

[DarkWater]

Quick note:  If you're using the bitmask approach, the type must be a power of two.  1, 2, 4, 8, 16, 32, 64, etc.  To determine which people can access something, add up their user levels.  If teachers and students (2 and 1) can access something, but a department head (4) can't, use 3 as the "permission level".

[stublackett]

I did it simply by checking the login session

 

<?php

$username = $_SESSION['username'];

$userlevel = $_SESSION['userlevel'];
//Check If The User Is Already Logged In

if (!isset($_SESSION['username'])){
header("location: restricted.php"); //If User is not logged in send them to restricted.php
}else { 

if ($userlevel == "1"){
header("location: restricted.php"); //If the userlevel is of a Student, Restrict there access
}else if ($userlevel == "3"){
header("location: restricted.php"); //If the userlevel is a Superuser, Restrict there access
}else if ($userlevel == "2"){
// Area sits below
}
}

?>

 

and obviously they have to login initially and that is checked again to the Database to check if their is a 1,2 or 3 in there

<?php
session_start();
include("dbtables.php");
include("usermenu.php");

// Connect to server and select databse.
mysql_connect($hostname, $db_user, $db_password)or die("cannot connect");
mysql_select_db($dbname)or die("cannot select DB");

// username and password sent from signup form
   $username=stripslashes($_POST['username']);
   $password= ($_POST['password']);

   $sql="SELECT * FROM $db_table2 WHERE username='" . mysql_real_escape_string($username) . "' and password='" . mysql_real_escape_string($password) . "'";
   $result=mysql_query($sql);

// Mysql_num_row is counting table row
   $count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row

   if($count==1){
//Register Username and Password
       $_SESSION['username'] = $username;
       $_SESSION['password'] = $password;
   
   $a=mysql_fetch_array($result);
   $u = $a['userlevel'];
   $userID = $a['UserID'];
   
   
       $_SESSION['userlevel'] = $u;
if ($u == 1)
       header("location:student.php"); //If login is correct and UserLevel is 1 direct to Students' Page
if ($u == 2)
       header("location:teacher.php"); //If login is correct and UserLevel is 2 direct to Teachers' Page
if ($u == 3)
        header("location:superuser.php"); //If login is correct ans UserLevel is 3 direct to SuperUsers' Page
              exit(); 
   } else {
            $errormessage = "Invalid Username or Password";
   }

?>

[lilwing]

 

You have to take a look at the kind of operations you want to control access on within your system.  For each operation, give it a short but unique text association.  First you have the basic CRUD operations:

Create - c

Read - r

Update - u

Delete - d

 

But maybe you also want to support operations such as:

Exporting - xp

Executing - x

Importing - i

 

Then take a look at the areas within your application that you wish to expose and control these actions.  Let's say for instance we had a news section.  News can be created, read, updated, deleted, but let's say it can also be imported and exported.

 

I like to save my permissions as if they were a file system all of their own.  So each of those actions for the news can be expressed as:

 

/news/c

/news/r

/news/u

/news/d

/news/xp

/news/i

 

Then I can save this in a table like this:

permissions

id, entity_id, path, access

id is an auto incrementing PK.

entity_id associates to a group or user in another table that supports hierarchies.

path is the text strings I listed above (/news/c, /news/r, etc)

access is 0 if user can not do this, 1 if the user can, and null if we inherit from the parent entity of the current entity

 

When someone logs into your system, you pull out all of their permissions from the database and you can easily display and hide links based on what they can do.  You also have to build each page so that they can't bypass your lack of links by just typing in URLs manually.

 

You can easily extend this path-like approach to other areas of your system.  Let's say you've designed a database view, call it recent_purchases, that gives a listing report of purchased items with columns: product, qty, price.  Power users should be able to view all of the columns, but others might only need to see the product and qty and we don't want them to see the price.

 

You can create a new path in your permissions:

/system/db/views/recent_purchases/columns/product/r

/system/db/views/recent_purchases/columns/qty/r

/system/db/views/recent_purchases/columns/price/r

 

Now when you either call the view or display the results, based on what columns the user has access to, you can display or not display them.

 

Depending on how you organize your paths there is no limit to what operations you can control.

 

I am not sure how to do this path-like thing. Any tutorials on that? What's it even called?

[roopurt18]

It's essentially the same thing as using bitmasks but more human readable.  It doesn't have a specific name that I'm aware of nor any tutorials.  When I built a permission system from the ground up on my last project it's the system I came up with off the top of my head.