htetnainglynn Posted June 12, 2010

Hi everyone,

On my site, I am planning to have various user access such as "super_admin", "normal_admin" blur blur blur. Pages can only be viewed by users who have access to view those pages, except of course for super_admin, who can do almost everything. I am wondering how I can do something like that in a different way than the solution I'm currently using?

My current solution is that each page carries its own weight (some number), and on page load it is checked against the logged-in user's role stored in a Session variable. Based on the user role, I determine whether to let the user access the page or redirect to some other page.

Is there any better way to do the same process? I will be looking forward to hearing any input. Thanks all.

ignace Posted June 12, 2010

You may want to take a look at ACL where each page is a resource, the user is part of a group/role.

htetnainglynn Posted June 14, 2010

Thanks for pointing that out. Would you recommend any framework or umm anything that would achieve something like that? I have a working site. All I wanna do is filter out those who don't belong in several pages and allow access only to admin. I wrote it without using any framework (like Zend) and I don't really want to do it from scratch again. Please, any suggestion would be appreciated.

ignace Posted June 14, 2010

Implementing an ACL is not that hard. Your database tables would look something like:

    users (user_id, user_name, user_password, user_role_id)
    roles (role_id, role_name)
    resources (resource_id, resource_name)
    roles_resources (role_id, resource_id, permission, rule)

The roles table will hold super_admin et cetera. The roles_resources table will hold the permissions (add, modify, delete) and the rule (allow, deny) for that role on a certain resource. For convenience we assume that for every undefined permission we deny that permission for a certain role.

This comes with one problem though. When someone does not log in to your website they do not get any permissions applied, which means that they will be denied access to the website. To solve this you would create a Guest account in the users table for which the credentials are known in your application (or if you store your configuration in your database then add guest_user_name and guest_user_password fields). So every time a user visits your website, you log them in to the Guest account and apply the permissions applied to this account (mostly allow rules for the view permission on the resource pages).

A few example inserts to give you an idea:

    INSERT INTO roles (role_id, role_name) VALUES
      (1, 'guest'), (2, 'member'), (3, 'normal_admin'), (4, 'super_admin');

    INSERT INTO resources (resource_id, resource_name) VALUES
      (1, 'Pages'), (2, 'Login');

    INSERT INTO roles_resources (resource_id, role_id, permission, rule) VALUES
      (1, 1, 'view', 'allow'),
      (1, 2, 'view', 'allow'),
      (1, 3, 'add', 'allow'),
      (1, 3, 'edit', 'allow'),
      (1, 4, 'add', 'allow'),
      (1, 4, 'edit', 'allow'),
      (1, 4, 'delete', 'allow');

htetnainglynn Posted June 14, 2010

Thanks. Then I am on the right track I guess. My implementation is something like that too, but there is a serious problem (it seems serious to me): when a user requests an absolute URL, let's say /myserver/mysystem/admin/importantpage.php, and the user hasn't logged in, they can't view the page, but the problem is they can see a flash of the page (for about 1 sec it loads, then redirects the user back to the other page if they haven't logged in). In my script I check against the proper conditions and redirect if necessary. How can I prevent that small loading of importantpage.php and just redirect the user completely to some other page?

Thanks for your reply. U d man

ignace Posted June 14, 2010

Place the check higher and make sure there is an exit(0) or die(0) statement after the header('Location: ..') function.

htetnainglynn Posted June 15, 2010

Thanks. exit() method does the trick.
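
Added example, not code from any poster in this thread: a default-deny lookup against the roles_resources table described above, combined with a page guard that runs before any output and stops the script after sending the redirect. The session key role_id, the fallback to guest role id 1 for visitors without a session (a simplification of the Guest account approach), the /login.php target and the in-memory SQLite sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Assumptions: role id kept in $_SESSION['role_id'],
// guest role_id = 1, redirect target /login.php, constructed sample data.

const GUEST_ROLE_ID = 1;

function is_allowed(PDO $db, int $roleId, string $resource, string $permission): bool
{
    $stmt = $db->prepare(
        'SELECT rr.rule FROM roles_resources rr
           JOIN resources r ON r.resource_id = rr.resource_id
          WHERE rr.role_id = ? AND r.resource_name = ? AND rr.permission = ?'
    );
    $stmt->execute([$roleId, $resource, $permission]);
    $rules = $stmt->fetchAll(PDO::FETCH_COLUMN);
    // No matching row means deny; an explicit deny row overrides any allow row.
    return in_array('allow', $rules, true) && !in_array('deny', $rules, true);
}

function require_permission(PDO $db, string $resource, string $permission): void
{
    $roleId = (int) ($_SESSION['role_id'] ?? GUEST_ROLE_ID);
    if (!is_allowed($db, $roleId, $resource, $permission)) {
        header('Location: /login.php');
        exit; // header() only queues the redirect; without exit the page body is still sent
    }
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE resources (resource_id INTEGER PRIMARY KEY, resource_name TEXT);
           CREATE TABLE roles_resources (role_id INT, resource_id INT, permission TEXT, rule TEXT);
           INSERT INTO resources VALUES (1, 'Pages'), (2, 'Login');
           INSERT INTO roles_resources VALUES (1, 1, 'view', 'allow'),
                                              (3, 1, 'edit', 'allow'),
                                              (4, 1, 'delete', 'allow');");

// First lines of a protected page such as admin/importantpage.php, before any output.
session_start();
require_permission($db, 'Pages', 'edit'); // guests and members are redirected here
echo 'admin-only content';
```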