CloudBreaker, Posted July 10, 2015

I have a table of users, a table of projects and another table with information that pertains back to their related projects along with associated IDs. I want certain users to only SEE and be able to add and edit information to the projects they belong to. I'd want the user to log in and then only be able to see and edit his or her projects, in other words. I have already successfully coded an admin panel where I can create the projects and related tables. In your opinion, what is the most efficient way to do this? Thank you.
requinix, Posted July 10, 2015

There is no "most efficient way". It's like asking what's the most efficient way of opening a door. Or the most efficient way of pushing a button. Your site needs to make sure that people can only do stuff with projects they're involved with, so... you make sure that people can only do stuff with projects they're involved with.

Say you've got a page to edit a project. Probably got a project ID in the URL or something. Make sure that you only present the page if the user belongs to the project. As in you do a SQL query to see if there's a record in that third table for the logged-in user and the desired project.
Barand, Posted July 10, 2015

Your problem seems similar to this thread: http://forums.phpfreaks.com/topic/296962-looping-is-making-me-loopy/
fastsol, Posted July 10, 2015

You would also need to make sure when they post a form or something that edits the project info, that you validate before editing said info that the person is allowed to do so. Just because they were allowed to see the page doesn't mean they didn't change a URL car or change a hide field value maliciously before submitting the form. So just like any form, you need to validate their ability to have submitted said form with said info.
CloudBreaker (Author), Posted July 10, 2015

> You would also need to make sure when they post a form or something that edits the project info, that you validate before editing said info that the person is allowed to do so. Just because they were allowed to see the page doesn't mean they didn't change a URL car or change a hide field value maliciously before submitting the form. So just like any form, you need to validate their ability to have submitted said form with said info.

That is perfect... what I need to get started... thanks.
fastsol, Posted July 10, 2015

Stupid phone changed a few words in there. This:

> didn't change a URL car or change a hide field

should have been this:

> didn't change a URL var or change a hidden field
CloudBreaker (Author), Posted July 11, 2015

> Stupid phone changed a few words in there. This:
>
> didn't change a URL car or change a hide field
>
> should have been this:
>
> didn't change a URL var or change a hidden field

This is the code I used to validate the user... it seems to be working.

```php
<?php
session_start();
// Send anyone without the admin flag in their session to the login page.
// empty() also covers the case where the key has never been set.
if (empty($_SESSION['admin_login'])) {
    header("location: admin_login.php");
} else {
?>
```
scootstah, Posted July 11, 2015

You need to terminate the script after your redirect, otherwise the rest of the script continues to execute before the redirect is done.

```php
header("location: admin_login.php");
exit;
```
CloudBreaker (Author), Posted July 11, 2015

> You need to terminate the script after your redirect, otherwise the rest of the script continues to execute before the redirect is done.
>
> header("location: admin_login.php");
> exit;

Yes, at the very end of the script I wrote this in. Here's a good reference for creating relationships among tables which is also helping out... Relational databases

```php
</body>
</html>
<?php } ?>
```
scootstah, Posted July 11, 2015

That's not the same as what I did. The purpose of header() is to send an HTTP header to the browser. The browser is not required to honor the header, and can simply ignore it. Therefore someone who is not an authorized admin could still view the admin area by simply ignoring the redirect request. Therefore, it is imperative that you terminate the script immediately following the redirect - that way, even if the browser ignores the redirect, your page is still inaccessible.
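Putting the thread's advice together in one edit page, as an added example that is not code from any poster: the session check redirects and then exits (scootstah's point), and the membership query against the linking table that requinix and fastsol describe runs on both the GET that shows the form and the POST that saves it. The table and column names (projects with id and name, project_members with user_id and project_id), the page names and the pre-configured $pdo connection are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed schema:
// projects(id, name) and project_members(user_id, project_id);
// $pdo is an already-configured PDO connection (ERRMODE_EXCEPTION).
session_start();

// Require a logged-in user. exit after header(): a client may ignore the
// redirect, so nothing further down may run for an anonymous request.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}
$userId = (int) $_SESSION['user_id'];

// Membership check against the linking table: "is there a row for this
// user and this project?" A prepared statement keeps IDs out of the SQL.
function userBelongsToProject(PDO $pdo, int $userId, int $projectId): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM project_members WHERE user_id = ? AND project_id = ? LIMIT 1'
    );
    $stmt->execute([$userId, $projectId]);
    return $stmt->fetchColumn() !== false;
}

// The project ID is user input whether it arrives as a URL var or a hidden
// form field, so it is re-checked on every request: GET to view, POST to save.
$projectId = (int) ($_POST['project_id'] ?? $_GET['project_id'] ?? 0);
if ($projectId <= 0 || !userBelongsToProject($pdo, $userId, $projectId)) {
    http_response_code(403);
    exit('You are not a member of this project.');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The UPDATE repeats the membership condition, so a row is written only
    // if the user still belongs to the project at the moment of the write.
    $stmt = $pdo->prepare(
        'UPDATE projects SET name = ? WHERE id = ? AND EXISTS (
            SELECT 1 FROM project_members
             WHERE user_id = ? AND project_id = projects.id)'
    );
    $stmt->execute([trim($_POST['name'] ?? ''), $projectId, $userId]);
    header('Location: edit_project.php?project_id=' . $projectId);
    exit;
}
// GET: load this project's row for the edit form (membership already verified).
$stmt = $pdo->prepare('SELECT id, name FROM projects WHERE id = ?');
$stmt->execute([$projectId]);
$project = $stmt->fetch(PDO::FETCH_ASSOC);
```

The same userBelongsToProject() check belongs in front of every project-scoped action (list, view, add, delete), not only this edit page.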