CloudBreaker Posted July 10, 2015

I have a table of users, a table of projects and another table with information that pertains back to their related projects along with associated ID's. I want certain users to only SEE and be able to add and edit information to the projects they belong to. I'd want the user to log in and then only be able to see and edit his or her projects in other words. I have already successfully coded an admin panel where I can create the projects and related tables. In your opinion, what is the most efficient way to do this?

thank you.

requinix Posted July 10, 2015

There is no "most efficient way". It's like asking what's the most efficient way of opening a door. Or the most efficient way of pushing a button.

Your site needs to make sure that people can only do stuff with projects they're involved with, so... you make sure that people can only do stuff with projects they're involved with.

Say you've got a page to edit a project. Probably got a project ID in the URL or something. Make sure that you only present the page if the user belongs to the project. As in you do a SQL query to see if there's a record in that third table for the logged-in user and the desired project.

Barand Posted July 10, 2015

Your problem seems similar to this thread: http://forums.phpfreaks.com/topic/296962-looping-is-making-me-loopy/

fastsol Posted July 10, 2015

You would also need to make sure when they post a form or something that edits the project info, that you validate before editing said info that the person is allowed to do so. Just because they were allowed to see the page doesn't mean they didn't change a URL car or change a hide field value maliciously before submitting the form. So just like any form, you need to validate their ability to have submitted said form with said info.

CloudBreaker (Author) Posted July 10, 2015

> You would also need to make sure when they post a form or something that edits the project info, that you validate before editing said info that the person is allowed to do so. Just because they were allowed to see the page doesn't mean they didn't change a URL car or change a hide field value maliciously before submitting the form. So just like any form, you need to validate their ability to have submitted said form with said info.

That is perfect...what I need to get started...thanks.

fastsol Posted July 10, 2015

Stupid phone changed a few words in there. This

"didn't change a URL car or change a hide field"

Should have been this

"didn't change a URL var or change a hidden field"

CloudBreaker (Author) Posted July 11, 2015 (edited July 11, 2015 by CloudBreaker)

> Stupid phone changed a few words in there. This
>
> "didn't change a URL car or change a hide field"
>
> Should have been this
>
> "didn't change a URL var or change a hidden field"

This is the code I used to validate the user...it seems to be working.

```php
<?php
session_start();

if(!$_SESSION['admin_login']){
    header("location: admin_login.php");
} else {
?>
```

scootstah Posted July 11, 2015

You need to terminate the script after your redirect, otherwise the rest of the script continues to execute before the redirect is done.

```php
header("location: admin_login.php");
exit;
```

CloudBreaker (Author) Posted July 11, 2015 (edited July 11, 2015 by CloudBreaker)

> You need to terminate the script after your redirect, otherwise the rest of the script continues to execute before the redirect is done.
>
> ```php
> header("location: admin_login.php");
> exit;
> ```

Yes, at the very end of the script I wrote this in. Here's a good reference for creating relationships among tables which is also helping out... Relational databases

```php
</body>
</html>
<?php } ?>
```

scootstah Posted July 11, 2015

That's not the same as what I did.

The purpose of header() is to send an HTTP header to the browser. The browser is not required to honor the header, and can simply ignore it. Therefore someone who is not an authorized admin could still view the admin area by simply ignoring the redirect request.

Therefore, it is imperative that you terminate the script immediately following the redirect - that way, even if the browser ignores the redirect, your page is still inaccessible.

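Added example (not code from any poster in this thread): one guard that combines the three pieces of advice above, a membership lookup in the "third table", the same check on form submission as on page view, and `exit` after every redirect or denial. The table name `project_members`, its columns, the session key `user_id` and the file `login.php` are assumptions made for illustration.

```php
<?php
// Added example. Assumed names: project_members(user_id, project_id),
// $_SESSION['user_id'], login.php. None of these come from the thread.

function userBelongsToProject(PDO $db, int $userId, int $projectId): bool
{
    // Prepared statement: the project ID arrives from a URL var or hidden
    // field, so it is untrusted input.
    $stmt = $db->prepare(
        'SELECT 1 FROM project_members WHERE user_id = ? AND project_id = ?'
    );
    $stmt->execute([$userId, $projectId]);
    return $stmt->fetchColumn() !== false;
}

// Call at the top of every project page AND every form handler.
function requireProjectMember(PDO $db, array $session, $rawProjectId): int
{
    if (empty($session['user_id'])) {
        header('Location: login.php');
        exit; // stop here even if the client ignores the redirect
    }
    $projectId = filter_var($rawProjectId, FILTER_VALIDATE_INT);
    if ($projectId === false
        || !userBelongsToProject($db, (int) $session['user_id'], $projectId)) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $projectId; // validated ID, safe to use in later queries
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE project_members (user_id INTEGER, project_id INTEGER)');
$db->exec('INSERT INTO project_members VALUES (1, 10), (1, 11), (2, 12)');

var_dump(userBelongsToProject($db, 1, 10)); // user 1 is a member of project 10
var_dump(userBelongsToProject($db, 1, 12)); // user 1 is not on project 12

// In a real edit page the same call guards both the view and the save:
//   $id = requireProjectMember($db, $_SESSION, $_POST['project_id'] ?? $_GET['id'] ?? null);
//   ...only then run the UPDATE, using $id rather than the raw request value.
```

Because the guard returns the validated project ID, later queries can use that value instead of reading `$_GET` or `$_POST` again, so a tampered hidden field never reaches the UPDATE.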