
Programming Advice: Adding Security features

Posted: Fri Jul 29, 2005 7:11 pm
by facets
I'm about to add security features to some scripts I've written and was wondering what 'the best way' to do this would be. By that, is there a standard programming way of doing it?

A little background: currently my app allows me to view, edit, delete and print code from the DB.
I wish to lock this down so only admin can edit and delete whilst other users have only view/print access.

So, do I leave the code as is and just add "if user == admin display this else display that"?
Or do you create 2 pages with very similar code, one for Admin, the other for Users?

Any pointers or websites to read would be FAB!

Cheers, Will.

Posted: Fri Jul 29, 2005 7:29 pm
by timvw
Well, I usually split that in 2 classes: Authentication and Authorization.

An example of an authentication class:
http://timvw.madoka.be/programming/php/ ... ss.php.txt
Authorization can be handled in various ways. A very often used one is RBAC (Role Based Access Control).

I usually choose the following: (Each user belongs to exactly one role. Each role can perform many tasks, and each task can be performed by many roles. So I introduce a roletask to handle the n-m relationship between role and task.)

[user] 1 - 1 [role] 1 - n [roletask] n - 1 [task]

Sometimes, there are roles that shouldn't see all the fields that are displayed in a task. To achieve this I end up with the following:

[task] 1 - n [taskfield] 1 - n [roletaskfield] n - 1 [role]
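The two table layouts above, written out as a working PHP class. This is an added example and not timvw's code: the tables are held in plain PHP arrays so it runs without a database, and the table names, column names (`role_id`, `task_id`, `taskfield_id`), task names and sample users are assumptions made for the illustration. The point it shows is that both questions a page has to ask ("may this user run this task?" and "which fields of it may they see?") come from the same role lookups, and anything not explicitly granted is denied.

```php
<?php
// Added example, not timvw's code. Column and task names are assumptions.

class Rbac
{
    private $users, $tasks, $roletask, $taskfield, $roletaskfield;

    public function __construct(array $users, array $tasks, array $roletask,
                                array $taskfield, array $roletaskfield)
    {
        $this->users = $users;                  // [user] 1 - 1 [role]
        $this->tasks = $tasks;                  // [task]
        $this->roletask = $roletask;            // [role] 1 - n [roletask] n - 1 [task]
        $this->taskfield = $taskfield;          // [task] 1 - n [taskfield]
        $this->roletaskfield = $roletaskfield;  // [taskfield] 1 - n [roletaskfield] n - 1 [role]
    }

    private function taskId(string $taskName)
    {
        return array_search($taskName, $this->tasks, true);
    }

    // May this user perform this task? Unknown users, unknown tasks and
    // anything not listed in roletask are all denied.
    public function can(int $userId, string $taskName): bool
    {
        if (!isset($this->users[$userId])) {
            return false;
        }
        $taskId = $this->taskId($taskName);
        if ($taskId === false) {
            return false;
        }
        $roleId = $this->users[$userId]['role_id'];
        foreach ($this->roletask as $row) {
            if ($row['role_id'] === $roleId && $row['task_id'] === $taskId) {
                return true;
            }
        }
        return false;
    }

    // Which fields of the task this user's role is allowed to see.
    public function visibleFields(int $userId, string $taskName): array
    {
        if (!$this->can($userId, $taskName)) {
            return [];
        }
        $taskId = $this->taskId($taskName);
        $roleId = $this->users[$userId]['role_id'];
        $fields = [];
        foreach ($this->roletaskfield as $row) {
            $tf = $this->taskfield[$row['taskfield_id']];
            if ($row['role_id'] === $roleId && $tf['task_id'] === $taskId) {
                $fields[] = $tf['name'];
            }
        }
        return $fields;
    }
}

// Constructed sample data: role 1 = admin, role 2 = viewer.
$rbac = new Rbac(
    [1 => ['name' => 'will', 'role_id' => 1], 2 => ['name' => 'guest', 'role_id' => 2]],
    [1 => 'view', 2 => 'edit', 3 => 'delete', 4 => 'print'],
    [   // roletask: admin gets every task, viewer gets view and print only
        ['role_id' => 1, 'task_id' => 1], ['role_id' => 1, 'task_id' => 2],
        ['role_id' => 1, 'task_id' => 3], ['role_id' => 1, 'task_id' => 4],
        ['role_id' => 2, 'task_id' => 1], ['role_id' => 2, 'task_id' => 4],
    ],
    [   // taskfield: the fields shown by the 'view' task
        1 => ['task_id' => 1, 'name' => 'code'],
        2 => ['task_id' => 1, 'name' => 'author'],
        3 => ['task_id' => 1, 'name' => 'internal_notes'],
    ],
    [   // roletaskfield: viewers never see internal_notes
        ['role_id' => 1, 'taskfield_id' => 1], ['role_id' => 1, 'taskfield_id' => 2],
        ['role_id' => 1, 'taskfield_id' => 3],
        ['role_id' => 2, 'taskfield_id' => 1], ['role_id' => 2, 'taskfield_id' => 2],
    ]
);

// The same call decides whether to draw a button and whether to act on a request.
foreach ([1, 2] as $uid) {
    foreach (['view', 'edit', 'delete', 'print'] as $task) {
        printf("user %d %s: %s\n", $uid, $task, $rbac->can($uid, $task) ? 'allowed' : 'denied');
    }
    printf("user %d sees fields: %s\n", $uid, implode(', ', $rbac->visibleFields($uid, 'view')));
}
```

Swapping the arrays for queries against real `role`, `task`, `roletask`, `taskfield` and `roletaskfield` tables leaves the two public methods unchanged; only the lookups inside them move into SQL.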

Posted: Fri Jul 29, 2005 10:49 pm
by s.dot
Aside from the complexity timvw showed you (which is probably the way you should go), I would do this.

I'm assuming there's some kind of login feature.

Code:

<?php
// $loggedInUser is assumed to be set by the login feature
$admins = array("admin1", "admin2"); // etc..
if (in_array($loggedInUser, $admins, true))
{
  // admin features
}

// features available to all here
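The admin-list idea above, carried through to the part that actually matters for locking down edit and delete. This is an added example, not s.dot's code; `$_SESSION['user']` and the action names are assumptions about the login feature. It makes two changes a practitioner would want: the username comes from the server-side session rather than being written into the script, and the same check runs in the handler that performs the action, not only where the links are drawn. Hiding a "Delete" link is presentation; refusing the delete request is the security control.

```php
<?php
// Added example, not s.dot's code. $_SESSION['user'] is assumed to be set
// by the login feature; the action names are assumptions too.

session_start();

$admins = ['admin1', 'admin2'];   // constructed sample list

function isAdmin(array $admins): bool
{
    // Not logged in at all: never an admin.
    if (empty($_SESSION['user'])) {
        return false;
    }
    // Strict comparison so "0" or similar cannot match an entry loosely.
    return in_array($_SESSION['user'], $admins, true);
}

function requireAdmin(array $admins): void
{
    if (!isAdmin($admins)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

$action = $_GET['action'] ?? 'view';

switch ($action) {
    case 'edit':
    case 'delete':
        // Enforced here, in the handler: a non-admin request for ?action=delete
        // is refused even though the link was never shown to that user.
        requireAdmin($admins);
        // ... perform the edit / delete against the DB ...
        break;
    case 'view':
    case 'print':
        // available to every logged-in user
        break;
    default:
        http_response_code(400);
        exit('Unknown action');
}

// Display side: the same function decides whether the admin links appear.
if (isAdmin($admins)) {
    echo '<a href="?action=edit">Edit</a> <a href="?action=delete">Delete</a> ';
}
echo '<a href="?action=view">View</a> <a href="?action=print">Print</a>';
```

Keeping one function (`isAdmin`) for both the display and the handler means the two cannot drift apart; if the admin list later becomes a role lookup, only that function changes.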

Posted: Fri Jul 29, 2005 10:59 pm
by facets
Thanks for the reply timvw.
It was very helpful and RBAC has led me to this site: http://www.tonymarston.net/php-mysql/ro ... ntrol.html
which has some great diagrams of what you explained.

Time to study some Object Oriented Analysis and Design I think!

Cheers, Will.