[SOLVED] Techniques for requiring authentication for only certain parts of a webpage…

[cgm225]

Currently, when I want to authenticate someone so they can view the FULL content of a particular webpage, I just toss a “general_permissions()” at the top of the page, and use the following function::

 

function general_permissions(){
    if (!$_SESSION['username'] || !$_SESSION['password']) {
        exit(); 
        } else {
        db_connect();
        $result = mysql_query("SELECT count(id) FROM users WHERE password='$_SESSION[password]' AND username='$_SESSION[username]'") or die("Couldn't query the user-database.");
        $num = mysql_result($result, 0);
        mysql_close();
        if (!$num) {
            echo "\t\t<h2>First you need to <a href='index.php?id=login' style='text-decoration:underline;'>login</a>!</h2>";
            exit(); 
            } else {}
     }
     }

 

However, when I want to authenticate someone so they can view the public content of a webpage PLUS let’s say some additional administrative links in the footer of the page, I do not have an elegant way of doing that.  I generally code it for each particular instance, without using functions.

 

Of course, I could make a function like general_permissions($footer_links), and have it include the code I put in $footer_links if the user is authenticated.  However, I feel like that is not the best way to do it… ot is it?  any suggestions?

 

Thank you all in advance for you help!

 

cgm225

 

[Wildbug]

I'd add an "admin" column in the database, say a BOOLEAN type.  Include it in the $_SESSION and use an if() or switch/case to choose between non-logged-in, regular user, and admin user.

 

switch($_SESSION['admin']) {
  case 1:
    echo $admin_footer;
    break;
  case 0:
    echo $user_footer;
    break;
  default:
    echo $other_footer;
}

[cgm225]

With that example, how does the switch function determine between case 1 and 0?

[Wildbug]

See the switch() control structure for more info.

 

It's based on the value of $_SESSION['admin'] which, in my example, was a MySQL BOOLEAN column value.  It should be 0 for FALSE, 1 for TRUE, and neither if it's not set.

[cgm225]

Ok, I follow.. thank you so much.

 

Final question, after I use the switch to figure out someone's security level, what is the best way to include the unique code for each user level?

 

So, for example, in case 1, would it be best to have::

  case 1:
    include 'admin_footer.php';
    break;

 

Or include the unique code in a variable::

  case 1:
    $admin_footer;
    break;

 

I ask because I feel like it is bad technique to put multiple lines of code in a single variable (like with example 2), and I don't want to make an entire new file for just a few lines of code (like with example 1).  I guess my question then really boils down to, what is the best most efficiant way to do this?

[Wildbug]

Yeah, I'd actually use an include() instead of a variable, too.  And, of course, you can have many levels of users if you use another type of MySQL column like ENUM.