best way to give page wise user access/denial on my website.

[thyscorpion]

hi people,

 

I am building a personal website where i also have a gallery and also some other pages that i would like to restrict access depending who is logged in.

 

can anyone suggest a good way to implement a page wise user access/denial?

{ the page names and details are also stored on mysql as some of the pages are generated by the user (new gallery albums etc....) }

 

Any idea would be welcome.

 

Till now i only had two layers of restriction ( either u are a family member or u are not).. which i indicated on the user records.. but now with user generated albums .. i need to devise a way to control access to those php generated pages also.. (eg: the album names are kept in a table in mysql)..

 

thanks a ton..

 

[kratsg]

Why not define a hierachy?

 

Admin = 5

Staff = 4

Creator of Album = 3

Family Member = 2

Regular Old User = 1

Guest = 0

 

Then, simply do a check on their access level, IE.

 

if($user->level >= 2){//show the album (those that are a family member or higher can access)
//album code here
} else {//they don't have access
//some error displaying that this album is restricted for them
}

[R_P]

I actually use a database table and tag route (kind of like IRC flags). Basically, before/as each page is called, it looks up the auth tag for that page name in the db table. If that auth tag exists in the users session auth string, then show the page.

 

Some pseudo code:

$dbresult = mysql_query("SELECT auth FROM pages WHERE name=."$pageURL);
if(strstr($_SESSION['auth'],$dbresult['auth'])) {
    include($page);
}

 

This way, I can assign each user a different set of priveleges and page access combos. A default user gets a basic predefined set. I could post my actual code, but its more convoluted and contains a lot of contingency handling not discussed.

[kratsg]

If you wanted to define pages for specific users, why not create a database table for this purpose?

 

You have a unique ID key 'rowID'. Then you have userID and page where the userID would be the userID of the person (can be the same across multiple rows since you have rowID as the unique key) and then the page would be the page name of which they have access to. So to add or delete access for a user, add a new row, insert the id, and the page to give them access to, or simply delete it.

 

$query = mysql_query("SELECT 'page' FROM `site_access` WHERE `userID` = '".$_SESSION['userID']."' and `page` = '".$_SERVER['PHP_SELF']."' LIMIT 1");
if(mysql_num_rows($query)){//0 rows=false, 1row=true
//there is one row, so this user does have access
} else {
die("I'm sorry, you don't have access to this page.");
}

[cybersprinters]

I'm not sure if what i'm going to suggest is buggable or not, i'm a NOOB.

 

Create a cookie when a user login, using valid ID/Pass ofcourse, and on each page before the headers- make a check if cookie exists, if it doesnt then redirect the user using meta refresh, else let it view the content of the page according to the passed variables.

 

******

 

if(!$cookie['COOKIENAME'])

{

$i=1;

}

else

{

$i=2;

}

******

 

 

//add this line in the meta tag

if($i==1)

{

  echo ' <meta http-equiv="refresh" content="0;url=URL_OF_YOUR_SITE> ';

}

 

 

 

//and this in the page code

 

if($i==2)

{

//page code goes here

}

 

 

 

In this way only if the user's cookie is already there, also make a check if it is valid, only then s/he can access the page code, else it will be redirected to the login page- thats where i redirect to.

 

[roopurt18]

Admin = 5
Staff = 4
Creator of Album = 3
Family Member = 2
Regular Old User = 1
Guest = 0

I wrote my first PHP site using that mechanism and while it's perfectly fine, it falls apart when you want to overwrite permissions for individual users.

 

Cookies are not a good way to do this as users can manipulate them.

 

The best form of access control is with a users / groups / permissions system.