mattbarber Posted January 2, 2009

Please can you advise me on the best way to implement user permissions within PHP to control what a user can do within the database application?

I have created a PHP application with a MySQL database. The database has a number of tables (such as Person, UserAccounts, Accommodation, Education etc.). In its simplest form the PHP pages display data from a table and, through links to associated pages, allow the user to delete/edit information in the table.

I would like to implement permission/access rights to control what the user can do when they log in, i.e. View Data, Edit or Delete Records. I already have a user registration/log-in system through PHP where the user accounts and passwords etc. are held in the 'UserAccounts' table.

What currently happens is:

- The user logs in and their ‘id’ is held in a session variable.
- The user accesses the required PHP query results page for the required table – let’s say ViewPeople.php, which queries table ‘Person’ and shows the results.

From here it seems like the best way to implement permissions is:

- Add details to the user's record in the ‘UserAccount’ table which specify each user's access level (view, edit, delete) for a given table.
- Run a query at the beginning of each page (say the ViewPeople.php page) which returns the user's access level.
- Through a series of ‘IF’ statements in the page, using the previous query results, show or hide the appropriate links (such as edit person, delete person etc.) as appropriate.

This method seems inefficient as it would require a query at the beginning of each page and several IF statements within the page to control what the user sees.

An alternative solution may be to load different copies of the page depending on the user's access level, each with different links shown. This would again be inefficient and an admin overhead, requiring many copies of a page to be modified for a single change.

How is this normally done?

Any advice or suggestions are gratefully received.

Thanks

Brian W Posted January 2, 2009

Do you need distinctive user levels or specific permissions per page-per user?

User levels would be like Admin, Mod, User, View Only/Guest.

Specific permissions per page-per user would be like only Jane and Grim can see this page and only Grim can edit it, while on the other hand another page Jane can edit and view it and Grim can only see it (John only gets to see the f'n home page, hoser!)

9three Posted January 2, 2009

The type of script is the most complex of 3 log in scripts:

1. Secure Page
2. Secure Page + Admin rights
3. Secure Page + User rights + Admin rights

What you need to do is create a schema of your database. Here are some of the things you will need:

1. User ID (unique + auto increment)
2. User Group ID (User, Member, Admin) - Zero(1) for basic rights, Two(2) for Member rights, Three(3) for Admin rights. In your PHP you would create If statements checking credentials. If user == 1 show basics, elseif user == 2, show member links, elseif == 3, show admin links.
3. Field Names such as: First Name, Last Name, Address(?), Email, Phone(?), etc.

You only query to check if the user exists; if s/he doesn't -> redirect -> sign up page, or failed logged in. Once the user enters the correct combination you can set sessions throughout your page to keep them logged in.

When you design your schema you can view a better picture of what needs to be done.

hobeau Posted January 3, 2009

Hello mattbarber,

A couple of comments. 9three is correct. You would store the level of access as a number in the database and then store that number in a secure session when the user has typed in their username/password and you have verified that they do exist in the database.

You will want to make sure that you encrypt your passwords using md5() or some other type of one way encryption. Then, when they type in their user/pass you will encrypt the password they enter the same way and compare that with the table that has encrypted passwords. In this way, even if a hacker can get a list of the usernames and passwords it does not mean that they will be able to access the other users' accounts.

Also, you will want to make sure your session handling is secure. Check out http://www.solutionbot.com/2008/12/27/secure-session-management/ to find out more. This class will ensure that your users are not the victims of session fixation and that the data that you store in your sessions is secure and doesn't get hacked.
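
The store-a-hash, compare-at-login flow from the post above, as an added example that is not part of the original thread. It stores password_hash() output (salted and deliberately slow) rather than md5(), upgrades rows that still hold an md5() value at the next successful login, and issues a new session ID at login against session fixation; the function names, the 'password' column and the sample values are assumptions.

```php
<?php
// Added example: function names, the 'password' column and the sample values are assumptions.

// Registration: store a salted, slow hash; password_hash() generates the salt itself.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login check. Returns [ok, replacementHash]; replacementHash is non-null when the stored
// value should be rewritten (old unsalted md5() value, or outdated password_hash() settings).
function verifyPassword(string $password, string $stored): array
{
    $isLegacyMd5 = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($password))      // constant-time comparison
        : password_verify($password, $stored);
    if (!$ok) {
        return [false, null];
    }
    $stale = $isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [true, $stale ? hashPassword($password) : null];
}

// After a successful check: new session ID first, then record who is logged in.
function startAuthenticatedSession(int $userId): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // discard any ID set before login (session fixation)
    }
    $_SESSION['id'] = $userId;
}

// Constructed sample: one row still holding an md5() value from the older scheme.
$row = ['id' => 7, 'password' => md5('correct horse')];

[$ok, $newHash] = verifyPassword('correct horse', $row['password']);
if ($ok) {
    if ($newHash !== null) {
        $row['password'] = $newHash;   // in the application: UPDATE the UserAccounts row
    }
    startAuthenticatedSession($row['id']);
}
[$wrong] = verifyPassword('guess', $row['password']);
echo $ok ? "login ok\n" : "login failed\n";
echo $wrong ? "wrong password accepted\n" : "wrong password rejected\n";
```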

mattbarber Posted January 3, 2009

Thanks for the quick replies.

In answer to Brian W, the system is broken down into:

- Accommodation info
- Client Information
- Current Client Information
- Staff info
- Reports
- Sysadmin info - only accessible by sysadmin group

I have an E-R Diagram for the Database and the PHP front end reflects this. For each area (apart from Sysadmin area) the following groups level access would exist:

- Guest - view only
- User - view and modify
- Manager - view, modify and delete records

As the user navigates through the system their access levels will change based on their function.

9three - I already have your steps 1 & 3 in place. I will now create a User Group ID to cover each area within the system - therefore the user will have 6 group IDs. For example GroupID_Staff: if ==2 then the user can view and modify staff data.

hobeau - I already have the user login part in place with their user ID being held in a session variable. I will check that my session handling is secure, so thanks for the advice.

Should I load each User Group ID for the user into the session up front when the user logs in (through a single query) or as they navigate through the system? As suggested I don't then query the DB at each page, instead I collect the session variable value for my IF statements.

Is it a good idea to clear down unused session variables? In short, what impact do they have on performance? I currently have about half a dozen values held in session variables.

Thanks again.
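
One way to enforce the per-area levels discussed in this thread on the server: load them into the session once at login and check them at the top of every page that performs an action, since hiding a link does not stop a direct request to the edit or delete page. This is an added example, not code from the thread; the function names, the GroupID_ column names other than GroupID_Staff, and the sample row are assumptions, and the Sysadmin area is left out.

```php
<?php
// Added example. Level numbers follow the thread; function and column names are assumptions.
const LEVEL_NONE = 0, LEVEL_GUEST = 1, LEVEL_USER = 2, LEVEL_MANAGER = 3;

// Lowest level allowed to perform each action (Guest: view; User: modify; Manager: delete).
const REQUIRED_LEVEL = ['view' => LEVEL_GUEST, 'edit' => LEVEL_USER, 'delete' => LEVEL_MANAGER];
const AREAS = ['Accommodation', 'Client', 'CurrentClient', 'Staff', 'Reports'];

// Run once at login: copy the per-area group IDs from the UserAccounts row into the session.
function loadPermissions(array $userRow): array
{
    $perms = [];
    foreach (AREAS as $area) {
        $level = (int) ($userRow['GroupID_' . $area] ?? LEVEL_NONE);
        // A value outside the known range is treated as no access rather than trusted.
        $perms[$area] = ($level >= LEVEL_NONE && $level <= LEVEL_MANAGER) ? $level : LEVEL_NONE;
    }
    return $perms;
}

// Deny by default: an unknown area, an unknown action or a missing level all return false.
function can(array $perms, string $area, string $action): bool
{
    if (!array_key_exists($action, REQUIRED_LEVEL)) {
        return false;
    }
    return ($perms[$area] ?? LEVEL_NONE) >= REQUIRED_LEVEL[$action];
}

// Call at the top of every page that performs the action, not only where links are drawn.
function requirePermission(array $session, string $area, string $action): void
{
    if (!isset($session['id']) || !can($session['perms'] ?? [], $area, $action)) {
        http_response_code(403);
        exit("Forbidden\n");
    }
}

// Constructed sample row: a user with level 2 (view and modify) for Staff only.
$session = ['id' => 42, 'perms' => loadPermissions(['id' => 42, 'GroupID_Staff' => 2])];

// On the list page: decide which links to draw.
foreach (['view', 'edit', 'delete'] as $action) {
    printf("Staff %s: %s\n", $action, can($session['perms'], 'Staff', $action) ? 'allowed' : 'denied');
}
// On the page that performs the delete: enforce before touching the database.
requirePermission($session, 'Staff', 'delete');
```

Levels cached in the session at login stay in effect until the session ends, so a change made in UserAccounts only applies at the next login unless the levels are reloaded.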
This topic is now archived and is closed to further replies.