kratsg
Posted November 15, 2007

Basically, I've got a nice log-in system set-up in place. I'm using PHP to force authentication headers, and then checking the username/password combination in a .htpasswd file (using a salt and hash encryption to store passwords and compare). Here are the .ht files I've included on my server (I use .ht since they automatically get blocked from public access by default).

The files of knowledge!

.htpasswd - contains a username/password combination per line

    user:password
    user2:password2
    user3:password3

.htgroup - contains a list of all groups, what users are in each group, and what group can see links for the group

    group:user user2 user6:group group2 group3
    group2:user3 user9:group2
    group3: user4 user5 user7 user8:group3

IE: all the links in group will be visible by group,group2,group3, all links in group2 visible only by group2. This feature is for the index page for navigation methods (as shown in .htlinks)

.htfiles - contains a list of files in the directory that are protected by the script and what groups can access each file

    index.php:group group2 group3
    group.php:group
    logout.php:group group2 group3

.htlinks - contains a list of links that show up for each group

    group:HEADER for table cell:Link1|Link2|Link3
    group2:HEADER for table cell:Link4|Link5|Link6

This code can be modified so that the links are not displayed in a table, but rather on a side bar and etc....

The code behind the ACP

Right now, all my MAIN functions are located in protect_pages.php, this is similar to an include. The purpose of the ACP is to provide a gateway for linking other scripts to it, protecting those scripts from unauthorized access.
The functions that will be in protect_pages.php will be of the following types: user management (including adding users, changing user password, changing user group, and deleting user), group management (including adding groups, managing group such as file permissions and what groups they can see on the main page [if they are the head of a group, they get their own section but also see their group's section], and deleting groups), and hopefully templating (this is an IF factor for me, I'll talk about further down in here).

What do I need help with?

I think at the moment, my organization is a bit messy, and I'm sure I have logical flaws somewhere (especially with the files containing the information). I am advanced in PHP so I just need an explanation of how I would approach or do something and I can do it.

My user management is complete, you can manage users, add users, delete users, change user passwords, change user groups. (I will refine the coding for these as I need to fix some flaws, such as with changing a user password: it deletes the user, then re-adds the user with the new password, instead of replacing it [I was lazy, tired, stupid xD]).

My group management has not even started, I would like to get my logical layout straightened out before I dig a deeper hole for myself. o_o

There will be a file-management script in which you can upload all scripts onto the directory, also reminding you to include protect_pages.php before you upload it, and allow you to edit the scripts through the ACP (keeping FTP access at a minimum).

You may be wondering why I have it under protect_pages.php... Well, the protect_pages.php has a code up top that will check to see if you had submitted your authentication information and that it was stored, if it does exist, it runs a function to authenticate you (checking to see if the details match up, otherwise clear off and force a re-authentication).
If authenticated, it proceeds by checking which group a user is registered in, checking the file to see if that user's group has access to the file, and either denies or allows the user the ability to use that file. There are NO security flaws at all, I've guaranteed this (nobody could hack into it and cross-site scripting was fixed for this script alone).

It does not use a database as I would like this to be a simple gateway that allows a person to manage a website through scripts that link to protect_pages.php (and by default, get protected automatically).

I hope I explained enough, if I'm missing anything that you need more clarification on, just ask and I will get back to you within a day (2 days at most). I'm frequently on at odd times :-)

Thanks.
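An added example, not part of kratsg's post or script: one way to parse the .htgroup and .htfiles layouts described above and make the per-file group check deny by default. The function names (`parse_ht_lines`, `groups_for_user`, `can_access`) and the inline sample data are assumptions built from the formats shown in the post.

```php
<?php
// Added example: parses the .htgroup and .htfiles layouts shown in the post.
// Function names and sample data are assumptions, not the poster's code.

/** Parse "key:field:field" lines; each field is a space-separated list. */
function parse_ht_lines(string $text): array {
    $out = [];
    foreach (preg_split('/\R/', $text, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        $fields = explode(':', trim($line));
        $key = trim(array_shift($fields));
        if ($key === '') continue;               // skip malformed lines
        $out[$key] = array_map(
            fn($f) => preg_split('/\s+/', trim($f), -1, PREG_SPLIT_NO_EMPTY),
            $fields
        );
    }
    return $out;
}

/** Groups a user belongs to, from .htgroup (group:users:visible groups). */
function groups_for_user(array $htgroup, string $user): array {
    $groups = [];
    foreach ($htgroup as $group => $fields) {
        // Strict comparison so "0" or "" never matches loosely.
        if (in_array($user, $fields[0] ?? [], true)) $groups[] = (string)$group;
    }
    return $groups;
}

/** Deny by default: unlisted file, unknown user, or no shared group => false. */
function can_access(array $htgroup, array $htfiles, string $user, string $file): bool {
    $allowed = $htfiles[$file][0] ?? null;       // exact file name match only
    if ($allowed === null) return false;         // file not listed in .htfiles
    return count(array_intersect($allowed, groups_for_user($htgroup, $user))) > 0;
}

// Constructed sample data in the post's format (note the space after "group3:").
$htgroup = parse_ht_lines("group:user user2 user6:group group2 group3\n"
    . "group2:user3 user9:group2\ngroup3: user4 user5 user7 user8:group3\n");
$htfiles = parse_ht_lines("index.php:group group2 group3\ngroup.php:group\n"
    . "logout.php:group group2 group3\n");

var_dump(can_access($htgroup, $htfiles, 'user3', 'index.php'));  // user3 is in group2
var_dump(can_access($htgroup, $htfiles, 'user3', 'group.php'));  // group2 not listed for file
var_dump(can_access($htgroup, $htfiles, 'user4', 'upload.php')); // file missing from .htfiles
var_dump(can_access($htgroup, $htfiles, 'nobody', 'index.php')); // user in no group
```

The point of the last two calls is that a script uploaded without an .htfiles entry, or a user absent from .htgroup, is refused rather than falling through to an allow.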