play_ Posted March 21, 2009

Tiny security question. There are 3 levels of users: normal users, moderators and admins. In the middle of the `members` table is this field: `user_level`.

Now, when you log in, you get all your sessions started, including $_SESSION['user_level']. So if you're an admin, your $_SESSION['user_level'] will be 1. If you're a moderator, your $_SESSION['user_level'] will be 5. If you're a normal user, your $_SESSION['user_level'] will be 10.

Now, to restrict access to certain pages, I have this method:

    function restricted() {
        session_start();
        $args = func_get_args();
        if( in_array($_SESSION['user_level'], $args) ) {
            header("Location: /index.php");
        }
    }

So on the page, I can restrict access by passing ints of the level of the users I want the page accessible to. For example:

    $s->restricted(1);    // admins only
    $s->restricted(1, 5); // admins and mods only

It's simple, but I don't really see a flaw with it. If anyone sees anything wrong, please let me know so I stop using it.

https://forums.phpfreaks.com/topic/150483-is-this-safe/
play_ Posted March 21, 2009

Correction:

    if( !in_array($_SESSION['user_level'], $args) ) {
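The corrected helper, rewritten as an added example (this is not play_'s code) with the checks a reviewer would want around the `!in_array` condition. Three things the posted version leaves open: the redirect is sent but the script keeps running, so the rest of the protected page is still generated and delivered to the client unless the function exits; a level that arrives from the session as a string (for example straight out of a database row) or that is missing entirely is passed to a loose `in_array`; and `session_start()` is called unconditionally, which emits a notice if the page already started a session. The class and method names follow the thread's `$s->restricted(...)` usage; the level numbers are the thread's (1 = admin, 5 = moderator, 10 = normal user).

```php
<?php
// Added example, not the original poster's code. A hardened version of the
// restricted() helper discussed in the thread. Levels: 1 admin, 5 mod, 10 user.

class Session
{
    public function __construct()
    {
        // Start the session only once; a second session_start() emits a notice.
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }

    /**
     * Allow the page only to users whose level is one of the given ints.
     * Anyone else is redirected to /index.php and the script stops there.
     */
    public function restricted(int ...$allowed): void
    {
        // FILTER_VALIDATE_INT returns the int for 5 or "5" and false for a
        // missing (null) or non-numeric value, so an unset session never
        // matches any allowed level and a string level from the DB still does.
        $level = filter_var($_SESSION['user_level'] ?? null, FILTER_VALIDATE_INT);

        // Strict comparison: the list holds ints, and so does $level now.
        if ($level === false || !in_array($level, $allowed, true)) {
            header('Location: /index.php');
            // Without exit the redirect header is sent but the rest of the
            // protected page is still executed and returned to the client.
            exit;
        }
    }
}

// Usage on a protected page (same call shape as in the thread):
// $s = new Session();
// $s->restricted(1);     // admins only
// $s->restricted(1, 5);  // admins and moderators
```

The `exit` after `header()` is the part that matters most: browsers follow the redirect, but anything (or anyone) that ignores the `Location` header and reads the body gets the full page.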
Mchl Posted March 21, 2009

Seems fine to me. I used a similar system myself once.
play_ Posted March 21, 2009

Yeah, just making sure. I am thinking of going a step further. I want to make it so I can pass one int as argument. For example, all the pages the mods can see, the admin can see too, since admins are higher-ups in the system. So instead of doing

    $s->restricted(1, 5); // admins and mods

I would do:

    $s->restricted(5); // admins and mods

because 1 comes before 5, it would automatically be allowed in.
xylex Posted March 21, 2009

Make sure you have a default value if you do that, in case the session value isn't set, since (int) NULL is also < 5.
play_ Posted March 21, 2009

> Make sure you have a default value if you do that, in case the session value isn't set, since (int) NULL is also < 5.

Yep. Thanks.
Philip Posted March 21, 2009

I also do a similar setup, in reverse:

    Super admins get 255
    Admins get 200
    Mods 100
    Normal users 1+
    Banned 0

Then on permissions:

    if($user >= 100) // mod area
    if($user >= 200) // admin area
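The two hierarchical orderings in the thread, the original "lower number wins" scheme and Philip's reversed one, as an added example (not code from any poster) that also shows the pitfall xylex points out. With a missing `$_SESSION['user_level']`, `(int) null` is `0`, and `0 <= 5` is true, so in the original ordering an anonymous visitor would pass the moderator check. In the reversed ordering the same missing value casts to `0`, which happens to coincide with "banned", but that is an accident of the numbering rather than a deliberate default. The function names and the habit of passing the session array in as a parameter are assumptions made so the code runs outside a web request.

```php
<?php
// Added example, not a poster's code. Hierarchical level checks in both
// orderings used in the thread, with explicit handling of an unset level.

/** Demonstrates xylex's point: an unset level, cast to int, is 0 and 0 <= 5. */
function unsetLevelPassesModCheck(): bool
{
    $missing = null;               // $_SESSION['user_level'] was never set
    return (int) $missing <= 5;    // (int) null is 0, so this is true
}

/**
 * Thread's ordering: lower number = more privilege (1 admin, 5 mod, 10 user).
 * $maxLevel is the least-privileged level still allowed; 5 lets in admins
 * and mods but not normal users.
 */
function allowedAtMost(array $session, int $maxLevel): bool
{
    $level = filter_var($session['user_level'] ?? null, FILTER_VALIDATE_INT);
    if ($level === false || $level < 1) {
        return false;              // unset, non-numeric or below the real range: deny
    }
    return $level <= $maxLevel;
}

/**
 * Philip's ordering: higher number = more privilege
 * (255 super admin, 200 admin, 100 mod, 1+ user, 0 banned).
 */
function allowedAtLeast(array $session, int $minLevel): bool
{
    $level = filter_var($session['user_level'] ?? null, FILTER_VALIDATE_INT);
    if ($level === false) {
        $level = 0;                // explicit default: unknown is treated as banned
    }
    return $level >= $minLevel;
}

// Constructed session arrays standing in for $_SESSION:
var_dump(unsetLevelPassesModCheck());
var_dump(allowedAtMost(['user_level' => 1], 5));        // admin on a mod page
var_dump(allowedAtMost(['user_level' => '5'], 5));      // mod, level stored as string
var_dump(allowedAtMost(['user_level' => 10], 5));       // normal user on a mod page
var_dump(allowedAtMost([], 5));                         // no level in session
var_dump(allowedAtLeast(['user_level' => 200], 100));   // admin on a mod page
var_dump(allowedAtLeast([], 100));                      // no level in session
```

Of the seven calls, only the first (the pitfall itself), the admin and the string-typed mod in the thread's ordering, and the admin in Philip's ordering return true; the sessions with no level are denied in both orderings because the default is chosen explicitly rather than left to the cast.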
laffin Posted March 21, 2009

Yes, that's the system I'm used to as well, KingPhillip. But over the years, I got tired of the hierarchy system. And nowadays I use a flag system instead, which seems to work out better for me, since I want it flexible and to be able to serve groups within the community as well. With the hierarchy system, if you create 3 groups (groupA, groupB, groupC), you will end up adding code for each group to test for the group affiliation. Then it just gets complicated if you add a moderator to that group, as now you have to create yet another user type. So nowadays I prefer the flag system, where I can define different areas of the system and give access according to what I want. I believe the best way to see the flag system is by looking at several apps that have it in place, such as TikiWiki, where you can define a default set of flags for different user groups, but it still allows you to assign individual overriding flags. Anyways, good luck.
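A bit-flag permission scheme of the kind laffin describes, as an added example; it is neither laffin's code nor TikiWiki's. Each area of the site gets one bit, a group is a default set of bits, and a user's effective set is the group default plus individual grants minus individual revocations, which is the "individual overriding flags" idea. The flag names, values and group names are assumptions for the illustration; the page guard at the end reuses the thread's redirect-to-index convention.

```php
<?php
// Added example, not a poster's code. A small bit-flag permission system:
// one bit per area, group defaults, per-user overrides. Names are assumed.

const PERM_POST        = 1 << 0;   // may post
const PERM_MOD_GROUP_A = 1 << 1;   // may moderate group A
const PERM_MOD_GROUP_B = 1 << 2;   // may moderate group B
const PERM_BAN_USERS   = 1 << 3;   // may ban
const PERM_ADMIN       = 1 << 4;   // site administration

// Default flag sets per group (like per-group defaults in TikiWiki).
const GROUP_DEFAULTS = [
    'user'  => PERM_POST,
    'mod_a' => PERM_POST | PERM_MOD_GROUP_A,
    'mod_b' => PERM_POST | PERM_MOD_GROUP_B,
    'admin' => PERM_POST | PERM_MOD_GROUP_A | PERM_MOD_GROUP_B | PERM_BAN_USERS | PERM_ADMIN,
];

/**
 * Effective flags for a user: group defaults, plus individual grants,
 * minus individual revocations. An unknown group gets no flags at all.
 */
function effectiveFlags(string $group, int $grant = 0, int $revoke = 0): int
{
    $base = GROUP_DEFAULTS[$group] ?? 0;
    return ($base | $grant) & ~$revoke;
}

/** True only if every bit in $required is present in $flags. */
function can(int $flags, int $required): bool
{
    return ($flags & $required) === $required;
}

/** Page guard in the spirit of the thread's restricted(): redirect and stop. */
function requirePermission(int $required): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Missing or non-integer flag value: deny, never cast to 0 and compare.
    $flags = filter_var($_SESSION['perm_flags'] ?? null, FILTER_VALIDATE_INT);
    if ($flags === false || !can($flags, $required)) {
        header('Location: /index.php');
        exit;
    }
}

// Constructed users: no new "user type" is needed for a mod of two groups
// or for an admin who is not allowed to ban.
$modA  = effectiveFlags('mod_a');
$modAB = effectiveFlags('mod_a', PERM_MOD_GROUP_B);
$admin = effectiveFlags('admin', 0, PERM_BAN_USERS);

var_dump(can($modA,  PERM_MOD_GROUP_B));                     // mod of A in group B's area
var_dump(can($modAB, PERM_MOD_GROUP_A | PERM_MOD_GROUP_B));  // mod of both groups
var_dump(can($admin, PERM_BAN_USERS));                       // admin with banning revoked

// On a page: requirePermission(PERM_MOD_GROUP_A);
```

Only the middle check passes: the group-A moderator has no bit for group B, and the admin's `PERM_BAN_USERS` bit was cleared by the revocation mask. Adding a fourth group or a new area is one more constant, not a new user level and a new set of comparisons.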