Defining user permissions?

[Michdd]

I've been working with php for a while now, but I haven't looked into this yet, I'm creating something and I'm wondering how to define permissions that a user would have in the user system on my website.

 

Like defining permissions for an admin, or for a normal user.

[revraz]

Have a field in your DB that sets their level, then when they log in check that level of access.  Each page that you want secured, have it check their access via a session.

[Michdd]

Thanks. But it would be professional to say set the permissions in another file then just include that everywhere I want it to be checked? Right?

 

 

[revraz]

If you want it to be static, sure.

[Adam]

Yeahh it's really that simple. Best way is to set the field to integer, probs with a length of just 1 - unless you plan on making more than 10 levels of users?

 

Then have another table setup to define the user levels, something like:

 

user_lvl / name

--------------

1 / Basic user

2 / Moderator

3 / Admin

 

.. or something similar so you can have a descriptive name for the user level you can lookup to display on the website. You can obviouslly make it much more advanced if you wished...

 

When the user logs in simply check their user level against whatever you want to set for that particular page.. and there you go basic user permissions..

 

Adam

[Adam]

To be honest the database method would be the simplest, quickest and more professional..

[revraz]

Professional is a relative term.  If you don't have a DB to use, you can still use flat files.

[serverman]

well database is also safer than flat file. if you do flat file anyone can just open the file and view user, email, password(if your not encrypting it.)

Also if you aren't good with DB it is worth taking the time to learn because it really opens up a world new things you can do with PHP or any other Serverside script.

[Michdd]

So I would basically have to do it by using like if statements to show what will show/what they can do depending on their level id? like..

 

(1 = admin)

--

 

if($id == "1"){

can do something

} else {

can't

}

 

That's the 'correct' way of doing it? Or is there a more professional way?

[Andy-H]

The way I usedto do it for a mafia game I coded was have a seperate table called staff,

 

Staff ----

 

id INT

username VARCHAR

level INT(1)

Staff_IP

Last_IP VARCHAR

pin INT

 

Then I would check if their username session was stored in that table

 

ie.

 

$query = "SELECT pin, level FROM staff WHERE username = " . mysql_real_escape_string($username) . " LIMIT 1";
$result = @mysql_query($query);
$n = mysql_num_rows($result);

if ($n == 1){

$row = mysql_fetch_row($result);

$pin   = $row[0];
$level = $row[1];

$required_level = 1 // 1 for help desk // 2 for mod // 2 for admin
if ($level < $required_level){

die("Access denied.");

}else{

//code

//check if they enter correct 4 digit staff pin...

}

}else{

die("Restricted access.");

}

 

I would also log the IP of the last person who made an action on that account and check it against the staff members IP

 

 

[Michdd]

Thanks, that helps a lot, but you made me remember something else I was wondering about, how do I get the IP of say someone registering? Or do anything on my site for that matter.

[Adam]

$ip = $_SERVER['REMOTE_ADDR'];