Need a Bit of Brainstorming Help


Popgun

Hi All!

It's been a while since I've lurked here, but this forum has always been very helpful and I am kind of stuck. Background: I have been working on a health care related project for about a year, and I am nearing completion, but I need some ideas on how to implement access/restriction based on the following parameters:

1. User Auth/Access is already in place via session handling, and role based access restricting users to pages based on their role.

2. The site functionality is built modular (9 total)

3. Clients consist of the following:

Parent Company (parent_ID)

Subsidiary Company (sub_ID)

4. Subsidiary Company will be subscribing to a mod. based on need for that particular functionality.

5. Role based users will belong to a Subsidiary Company (user_ID)

 

So the parameters are:

Parent: N/A in this scenario

Subsidiary: will have subscribed to access 1-9 mods.

Users: will have access to 1-9 mods based on belonging to a particular subsidiary

Module: will either be "on" or "off"

 

My MySQL table structure has the following:

1. Parent Co. Table (associates parent to subsidiary)

2. Subsidiary Table (associates subsidiary to user)

3. User Table (associates user to various other tables related to modules)

4. Module Table (used to apply granular "on"/"off" control to modules based on Sub_ID)

 

So I've thought of a few options as follows:

1. Implement a solution based on Sessions/Roles that determines if the module is "on"/"off" for that subsidiary (and therefore the end user), this seems a little less secure and I'm trying to get my head around how to do it.

2. Restrict access to each module based in an Include file on page load.

3. Restrict access on the server side?? (this would be my least favorite alternative).

 

As if this wasn't enough, I need to make sure whatever solution I use allows me to either a) control the individual subsidiary mod. access via a web interface or b) via a file I can edit on the fly, as I might have to deploy multiple instances of subsidiary companies rapidly.

 

Well I hope this was clear enough and gave you enough to chew on, I am TOTALLY open to suggestions, or ideas on how to go about this.

 

Thanks for reading my puzzle :)

 

PS: My friend told me 6 months ago to build this in Drupal, he may have been right :)

 

 


> PS: My friend told me 6 months ago to build this in Drupal, he may have been right

No he isn't! Drupal is a CMS, not to be used for bespoke projects.

 

> Implement a solution based on Sessions/Roles that determines if the module is "on"/"off" for that subsidiary (and therefore the end user), this seems a little less secure and I'm trying to get my head around how to do it.

This would be my preferred implementation. It is no less secure than any other method, after all, session data is stored server side and accessed via a key within a cookie. A session will expire.

I would simply store an array of module statuses after the user has authenticated (logged in). If there are 5 modules you could store it as follows:

<?php
$modules[1] = true;
$modules[2] = true;
$modules[3] = false;
$modules[4] = true;
$modules[5] = false;
$_SESSION['authdata']['modules'] = $modules;
?>

You can use simple conditional statements to decide whether to display links to each module or not based on its boolean value from the session. Also perform the same test on the actual script filename to redirect any users that are not valid if they were to discover the URL.

 

If more modules are added then you do not have to modify any code that stores access levels in the session. I have obviously used a static array in the example above, however in your code the data should come from the database.


Neil,

First I would like to say THANK YOU. I think this is exactly how I need to implement this. Great insight!

 

A few questions:

 

> You can use simple conditional statements to decide whether to display links to each module or not based on its boolean value from the session. Also perform the same test on the actual script filename to redirect any users that are not valid if they were to discover the URL.
>
> If more modules are added then you do not have to modify any code that stores access levels in the session. I have obviously used a static array in the example above, however in your code the data should come from the database.

 

1. Can you give me a simple example of what (PHP calls/commands) this would look like, I can probably figure it out from there:

 

a) boolean value from the session statement

b) boolean test on the script file name/url to restrict access

c) DB query function I'd use in conjunction with a SESSION variable to pull module status rather than use an array?

 

Also do you think this could all be kept in 1 include file?


> a) boolean value from the session statement

<?php
/* test module 1 (!empty() also covers a module that is missing from the session) */
if (!empty($_SESSION['authdata']['modules'][1])) {
    print "link to module";
}
/* test module 2 */
if (!empty($_SESSION['authdata']['modules'][2])) {
    print "link to module";
}
?>

The above could easily be done in a loop.

 

> boolean test on the script file name/url to restrict access

<?php
/* module1.php */
/* empty() is true for both "off" and "not set", so a missing flag denies access */
if (empty($_SESSION['authdata']['modules'][1])) {
    /* redirect user - access to this module not permitted */
    header("Location: /index");
    exit();
}
?>

 

> DB query function I'd use in conjunction with a SESSION variable to pull module status rather than use an array?

I wouldn't do this. I would definitely prefer an array of boolean values that are set after initial login into a session and used as above. This will reduce the number of queries running on the page if you are checking access levels on each page load via a database query.

 

However you would do it with something like:

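<?php
/* $db is assumed to be an open mysqli connection (the mysql_* functions no longer exist in current PHP) */
function checkAccess(mysqli $db, $module, $userId) {
    /* bound parameters keep the values out of the SQL text */
    $stmt = $db->prepare("SELECT access FROM modules WHERE userId = ? AND module = ?");
    $stmt->bind_param("ss", $userId, $module);
    $stmt->execute();
    $stmt->store_result();
    /* if result return true */
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

/* test module 1 (userId stored in session) */
if (checkAccess($db, 1, $_SESSION['authdata']['userId'])) {
    print "link to module";
}
?>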

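Added example, not code from either poster: one include file that pulls the thread's pieces together. It loads a subsidiary's module flags from the database once at login, caches them in the session, and gives every module page a guard that treats a missing flag as "off". The `modules(sub_ID, module_id, enabled)` layout, the function names, the `/moduleN.php` URLs and the demo rows are assumptions; the demo uses PDO with in-memory SQLite so it runs from the command line, and the query is the same over a MySQL DSN.

```php
<?php
/* module_access.php - added example; table, column and function names are assumptions. */

/* Call once after login: cache the subsidiary's module flags in the session. */
function loadModuleAccess(PDO $db, int $subId): void {
    $stmt = $db->prepare("SELECT module_id, enabled FROM modules WHERE sub_ID = ?");
    $stmt->execute([$subId]);
    $modules = [];
    foreach ($stmt as $row) {
        $modules[(int)$row['module_id']] = (bool)$row['enabled'];
    }
    $_SESSION['authdata']['modules'] = $modules;
}

/* A module that is missing from the session counts as "off". */
function moduleEnabled(int $moduleId): bool {
    return !empty($_SESSION['authdata']['modules'][$moduleId]);
}

/* First statement of each module script, e.g. requireModule(3) in module3.php. */
function requireModule(int $moduleId): void {
    if (!moduleEnabled($moduleId)) {
        header("Location: /index");
        exit();
    }
}

/* Menu links built in a loop; $titles maps module id => link text. */
function moduleLinks(array $titles): string {
    $html = "";
    foreach ($titles as $moduleId => $title) {
        if (moduleEnabled($moduleId)) {
            $html .= '<a href="/module' . (int)$moduleId . '.php">'
                   . htmlspecialchars($title) . "</a>\n";
        }
    }
    return $html;
}

/* Constructed demo rows in an in-memory SQLite table (the site itself uses MySQL). */
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->exec("CREATE TABLE modules (sub_ID INT, module_id INT, enabled INT)");
    $db->exec("INSERT INTO modules VALUES (7,1,1),(7,2,0),(8,2,1)");
    loadModuleAccess($db, 7);
    echo moduleLinks([1 => 'Scheduling', 2 => 'Billing', 3 => 'Reports']);
    var_dump(moduleEnabled(1), moduleEnabled(2), moduleEnabled(3));
}
```

Because the flags are cached in the session, switching a module off in the table takes effect at the user's next login unless `loadModuleAccess()` is called again.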
