
grouped permissions


CloudBreaker


I have a table of users, a table of projects and another table with information that pertains back to their related projects along with associated IDs. I want certain users to only SEE and be able to add and edit information to the projects they belong to.

I'd want the user to log in and then only be able to see and edit his or her projects, in other words.

I have already successfully coded an admin panel where I can create the projects and related tables. In your opinion, what is the most efficient way to do this?

Thank you.


There is no "most efficient way". It's like asking what's the most efficient way of opening a door. Or the most efficient way of pushing a button. Your site needs to make sure that people can only do stuff with projects they're involved with, so... you make sure that people can only do stuff with projects they're involved with.


Say you've got a page to edit a project. Probably got a project ID in the URL or something. Make sure that you only present the page if the user belongs to the project. As in you do a SQL query to see if there's a record in that third table for the logged-in user and the desired project.


You would also need to make sure when they post a form or something that edits the project info, that you validate before editing said info that the person is allowed to do so. Just because they were allowed to see the page doesn't mean they didn't change a URL car or change a hide field value maliciously before submitting the form. So just like any form, you need to validate their ability to have submitted said form with said info.


You would also need to make sure when they post a form or something that edits the project info, that you validate before editing said info that the person is allowed to do so. Just because they were allowed to see the page doesn't mean they didn't change a URL car or change a hide field value maliciously before submitting the form. So just like any form, you need to validate their ability to have submitted said form with said info.

That is perfect...what I need to get started...thanks.


Stupid phone changed a few words in there.

This

didn't change a URL car or change a hide field

Should have been this

didn't change a URL var or change a hidden field

This is the code I used to validate the user... it seems to be working.

<?php
session_start();

// 'admin_login' is assumed to be set in the session at login time;
// empty() also covers the case where the key was never set at all.
if (empty($_SESSION['admin_login'])) {
    header("location: admin_login.php");
}
else {
?>

You need to terminate the script after your redirect, otherwise the rest of the script continues to execute before the redirect is done.


header("location: admin_login.php");
exit;

Yes, at the very end of the script I wrote this in. Here's a good reference for creating relationships among tables which is also helping out: Relational databases

    </body>
</html>
<?php } ?>


That's not the same as what I did.

The purpose of header() is to send an HTTP header to the browser. The browser is not required to honor the header, and can simply ignore it. Therefore someone who is not an authorized admin could still view the admin area by simply ignoring the redirect request. Therefore, it is imperative that you terminate the script immediately following the redirect - that way, even if the browser ignores the redirect, your page is still inaccessible.

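The three points made in this thread (check membership with a query before showing the page, repeat that check when the form is posted, and exit right after the redirect) put together in one page, as an added example that is not code from any poster. It assumes a membership table project_members(user_id, project_id), a session key user_id set at login, and a page called as edit_project.php?id=123; all of these names are assumptions.

```php
<?php
// Added example, not from the thread. Assumed tables: projects(id, name)
// and project_members(user_id, project_id); assumed session key: user_id.
session_start();

// 1. Logged in at all? Redirect AND stop: a client may ignore the header.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}
$userId = (int) $_SESSION['user_id'];

// 2. Which project? Cast to int so a tampered URL var or hidden field
//    can never become part of the SQL text.
$projectId = (int) ($_POST['id'] ?? $_GET['id'] ?? 0);

$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// 3. Membership check against the third table. Runs on EVERY request,
//    GET (view the form) and POST (save it), not just when rendering.
function userCanAccessProject(PDO $pdo, int $userId, int $projectId): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM project_members WHERE user_id = ? AND project_id = ? LIMIT 1'
    );
    $stmt->execute([$userId, $projectId]);
    return $stmt->fetchColumn() !== false;
}

if (!userCanAccessProject($pdo, $userId, $projectId)) {
    http_response_code(403);
    exit('You are not a member of this project.');
}

// 4. Only now act on the request; the project id used here is the one
//    that passed the check, never a second copy from the form.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $stmt = $pdo->prepare('UPDATE projects SET name = ? WHERE id = ?');
    $stmt->execute([$_POST['name'] ?? '', $projectId]);
    header('Location: edit_project.php?id=' . $projectId);
    exit;
}

// GET: load the project for the edit form (form markup omitted).
$stmt = $pdo->prepare('SELECT name FROM projects WHERE id = ?');
$stmt->execute([$projectId]);
$project = $stmt->fetch(PDO::FETCH_ASSOC);
```

The same userCanAccessProject() gate belongs in front of any other page or handler that reads or writes project data, so that the list, view and delete actions cannot be reached by guessing another project's id.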
