Hiding menu items from people who aren't logged in

[GSP]

I am working on a website where most of the pages go like this:

<?php include("login.class.php"); ?>
<html>
<head>
<title>Page Title Here</title>
</head>
<body>
<?php include("menubar.php"); ?>
<!-- Insert content there -->
<?php include("footer.php"); ?>
</body>
</html>

 

I adapted most of the authentication code from here.

 

menubar.php is a file that just contains an html list of links.

 

I would like to know how I could make the menubar.php display a different list of links depending on whether someone is logged in or not.

 

 

Also, how could I do create a user role system where everything displayed is dynamic? I was thinking a mysql table defining user roles and what areas of access each role will have (role_id, page_1, page_2, page_3, page_4; 1, yes, yes, yes, yes; 2, yes, yes, yes, no; 3, yes, yes, no, yes; etc) and another table with users and role (name, role; Anna, 1; Bob, 2; Carley, 2; Dean, 3; etc), but I have no idea how I can get, for example, a menu bar, to reflect what pages each user will have access to.

[ignace]

There are divers ways of implementing an ACL ranging from easy to complex and it depends on what you want. If you want to be able to set it all from a database:

 

create table page (
  id ..
  parent_id .. -- pages can have sub-pages eg About, sub: What we do, Jobs, ..
  ..
);

create table role (
  id ..
  parent_id .. -- roles can inherit privileges from other roles
  ..
);

create table user (
  id ..
  role_id ..
  ..
);

create table page_acl (
  page_id ..
  role_id ..
  privilege varchar(32), -- view, edit, delete, ..
  rule enum('allow', 'deny')
  ..
);

 

This ofcourse is a complex example a simple example would be the one WordPress uses:

 

class User {
    const ROLE_GUEST = 1;
    const ROLE_MEMBER = 2;
    const ROLE_AUTHOR = 4;
    const ROLE_EDITOR = 8;
    const ROLE_ADMINISTRATOR = 16;
    
    public function isGuest() {}
    public function isMember()  {}
    public function isAuthor() {}
    public function isEditor() {}
    public function isAdministrator() {}
}

 

This is an easy example and easy to use:

 

if ('delete' === $action && $user->isAdministrator()) {

 

Depends on who you want to let define the rules. The easiest setup is if you (programmer) define the rules instead of the user. There is also a difference between roles and groups.

[Rizla]

I use this to on my site to show adminpanel links and other things.

How i do this is by setting a userlevel to each account.

Then when a person logs in i also set a session var or cookie var that holds the userlevel (int)

and then i check what userlevel that user has.

 

if($logged['userlevel']==9){echo'user is administrator show admin links}

 

The userlevel is set in the user table in the database.

$logged contains session information and here we get the userlevel and check if its an admin if true we show the links

else we do not show the links.

[ignace]

if($logged['userlevel']==9){echo'user is administrator show admin links}

 

is IMO bad practice. This may work for you as you know what each number represents however new project members will have to come ask you over and over: "What group was 9 again?" It also makes your code unreadable, for example:

 

if (2 == $userlevel || 4 == $userlevel) {
    ..
} else if (6 == $userlevel) {
    ..
} else { // assume 1,3 or 5
    ..
}

 

Where using:

 

class User {
    const ROLE_GUEST = 'guest';
    const ROLE_MEMBER = 'member';
    const ROLE_AUTHOR = 'author';
    const ROLE_EDITOR = 'editor';
    const ROLE_ADMINISTRATOR = 'administrator';
    
    private $_role = self::ROLE_GUEST;
    public function getRole() { return $this->_role; }
    
    public function isGuest() {}
    public function isMember()  {}
    public function isAuthor() {}
    public function isEditor() {}
    public function isAdministrator() {}
}

 

Would result in:

 

if ($user->isAuthor() || $user->isEditor()) {
    ..
} else if ($user->isAdministrator()) {
    ..
} else { // assume isGuest(), isMember()
    ..
}

 

So, which would you prefer?

 

[ot]Vanwaar in België ben je ergens?[/ot]

[Rizla]

I' dont work with other people, I do everything myself.

from a to z from scratch to finish. And I merely make sites for a hobby

and i learned everything from self study.

 

I'm not saying i would not like to know how to do OOP but it seems so confusing to me.

btw i have a script to select a usergroup and store that to the database

I see a text string in a select box with a decimal value attatched to it.

this way it's not all that confusing for eg: moderators etc

 

btw: I'm from Lichtervelde

[Buddski]

What I think ignace is trying to say is the cleaner and easier your code is now the better it will be in the future..Even for yourself.. I wrote a login script like that a few years back and when it came time for a site upgrade a few years later it took some figuring out what did what and who had access to where.. it was a nightmare.. thats my 2 cents.

[Rizla]

What I think ignace is trying to say is the cleaner and easier your code is now the better it will be in the future..Even for yourself.. I wrote a login script like that a few years back and when it came time for a site upgrade a few years later it took some figuring out what did what and who had access to where.. it was a nightmare.. thats my 2 cents.

 

I know you guys are both right on this, but i'm not that far advanced on php knowledge.

So i have to compensate with some dumb workarounds