User & Page permissions problem.

Posted: Wed Nov 21, 2007 11:24 am
by ctown82
Hi,

First off, if there is an easier way to do this, I'm all ears. What I've got is a page which uses group-based security. On the DB side, a user can be a member of several groups (Table: user_permissions), and the page's display changes based on whether a user is in a group the page permits.

I've got sort of a weird issue... so I'm going to post some code, then talk about it.

security.php (excerpt)

function GetPagePermissions($requestor)
{
	global $sqlinfo;
	
	$query = " SELECT * FROM page_permissions WHERE page_name='". $requestor ."';";
	$result = mysql_query($query);
	return mysql_fetch_assoc($result);
}

function GetUserPermissions()
{
	global $sqlinfo;
	
	$query = " SELECT * FROM user_permissions WHERE user_id='". $_SESSION['user_id'] ."';";
	$result = mysql_query($query);
	return mysql_fetch_assoc($result);
}

function PageAuth($requestor)
{
	$user = GetUserPermissions();
	$page = GetPagePermissions($requestor);
	
	$auth = false;

/*DBG*/var_dump($user);
/*DBG*/var_dump($page);

	reset($user);
	reset($page);

	if(current($user) == current($page))
		$auth = true;

	for($i = 1; $i < count($user); $i++)
	{
		if(next($user) == 1 && next($page) == 1)
			$auth = true;
/*DBG*/echo '<br>'. current($user) .' != '. current($page) .'<br>';
	}
	
	return $auth;
}

exp_rep.php (excerpt)

if(!PageAuth('exp_rep.php'))
{
	include($dir['pages'] .'403.php');
}

Okay, as you can see, I have some debug output in here. That comes out as ($user first, then $page):

array(9) { 
["user_id"]=> string(1) "1" 
["guest"]=> string(1) "0" 
["registered"]=> string(1) "1" 
["siteadmin"]=> string(1) "1" 
["agent"]=> string(1) "1" 
["supervisor"]=> string(1) "1" 
["financeadmin"]=> string(1) "1" 
["accountadmin"]=> string(1) "1" 
["useradmin"]=> string(1) "1" 
}

array(9) { 
["page_name"]=> string(11) "exp_rep.php" 
["guest"]=> string(1) "0" 
["registered"]=> string(1) "0" 
["siteadmin"]=> string(1) "1" 
["agent"]=> string(1) "1" 
["supervisor"]=> string(1) "1" 
["financeadmin"]=> string(1) "1" 
["accountadmin"]=> string(1) "0" 
["useradmin"]=> string(1) "0" 
} 

0 != exp_rep.php
1 != 0
1 != 0
1 != 1
1 != 1
1 != 1
1 != 1
1 != 0

(I cleaned up the output a bit for easy reading.)

As you can see, my arrays are coming unaligned as I'm reading them with PageAuth(). I know that reset() shouldn't be needed, but I am trying everything to get these to work right. However, you've probably noticed that's not my only problem... The page isn't displaying as though the user is authorized, but even with the misaligned arrays, he should still have access!

So, 2 problems:

1. $user and $page are somehow coming unaligned using next()
2. The user is unable to access the page.

Posted: Wed Nov 21, 2007 11:32 am
by feyd
I think your database needs restructuring. First off, it's not flexible to have each group as a column. Each group should be a separate row. This will make your lookup much easier too as it will then be pretty straightforward.

Posted: Wed Nov 21, 2007 11:47 am
by Maugrim_The_Reaper
Your database needs a bit of work - using one table for all pages and users is like throwing everything at one location and hoping it sticks. Just splitting users from pages would be a simple step forward.

Secondly, why should the arrays align - yes they should, but it's not being made absolutely definitive. They have different keys, and they hold different values, and there's no reason to expect them to line up except by coincidence. What you could do - is remove the difference point (user id and page name) from each array, and sort it by keys alphabetically (that moves from happy coincidence to certainty).

An actual Iterator (SPL) on each array might make things a bit more obvious.

Can't say for certain - but reset $users after using count(). I suspect count() fiddles with the internal pointer and may be the cause of the alignment woes. Move it up before the reset() calls and see what happens.
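
An added example, not part of any post in this thread: the group check done by column name instead of array position, using the two rows from the var_dump() output above as constructed input. In the original loop `&&` short-circuits, so `next($page)` is skipped whenever `next($user) == 1` is false and the two pointers drift apart; `pageAuthByKey` is a hypothetical name.

```php
<?php
// Constructed input: the two rows shown in the var_dump() output of the first post.
$user = ['user_id' => '1', 'guest' => '0', 'registered' => '1', 'siteadmin' => '1',
         'agent' => '1', 'supervisor' => '1', 'financeadmin' => '1',
         'accountadmin' => '1', 'useradmin' => '1'];
$page = ['page_name' => 'exp_rep.php', 'guest' => '0', 'registered' => '0',
         'siteadmin' => '1', 'agent' => '1', 'supervisor' => '1',
         'financeadmin' => '1', 'accountadmin' => '0', 'useradmin' => '0'];

// Hypothetical helper: true only if the user is in at least one group the page permits.
function pageAuthByKey($user, $page): bool
{
    // mysql_fetch_assoc() returns false when no row matched; treat that as "deny".
    if (!is_array($user) || !is_array($page)) {
        return false;
    }
    // Drop the identifying columns so only the group flags are compared.
    unset($user['user_id'], $page['page_name']);

    foreach ($page as $group => $allowed) {
        // Look the group up by name, never by position; a missing key means "not a member".
        if ((int) $allowed === 1 && (int) ($user[$group] ?? 0) === 1) {
            return true;
        }
    }
    return false; // deny by default
}

// A second constructed user who is only in "registered", which the page does not permit.
$registeredOnly = array_fill_keys(array_keys($user), '0');
$registeredOnly['user_id'] = '2';
$registeredOnly['registered'] = '1';

var_dump(pageAuthByKey($user, $page));           // user from the dump
var_dump(pageAuthByKey($registeredOnly, $page)); // registered-only user
var_dump(pageAuthByKey(false, $page));           // no user_permissions row found
```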

Posted: Wed Nov 21, 2007 11:50 am
by feyd
Maugrim_The_Reaper wrote: Your database needs a bit of work - using one table for all pages and users is like throwing everything at one location and hoping it sticks. Just splitting users from pages would be a simple step forward.
psst. They are in separate tables. ;)

Posted: Wed Nov 21, 2007 12:11 pm
by ctown82
feyd wrote: I think your database needs restructuring. First off, it's not flexible to have each group as a column. Each group should be a separate row. This will make your lookup much easier too as it will then be pretty straightforward.
A separate row...? As in, I should use a table for each page?

Posted: Wed Nov 21, 2007 12:16 pm
by feyd
ctown82 wrote: A separate row...? As in, I should use a table for each page?
No. A separate record (row) for each group associated with the page. Similarly, in the other table, a separate record (row) for each group a user is associated with.
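
An added example, not code from any poster in this thread: the row-per-group layout described above, with the page check reduced to one join that uses bound parameters instead of string concatenation. The table names `user_groups` and `page_groups`, the function `pageAuth`, the sample rows, and the use of in-memory SQLite in place of the thread's MySQL database are all assumptions made so the script runs on its own.

```php
<?php
// In-memory SQLite stands in for the real database (assumption for a self-contained run).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// One row per (user, group) and one row per (page, group); names are hypothetical.
$db->exec('CREATE TABLE user_groups (user_id INTEGER NOT NULL, group_name TEXT NOT NULL,
                                     PRIMARY KEY (user_id, group_name))');
$db->exec('CREATE TABLE page_groups (page_name TEXT NOT NULL, group_name TEXT NOT NULL,
                                     PRIMARY KEY (page_name, group_name))');

// Constructed sample data: user 1 is an agent, user 2 is not in any permitted group.
$addUser = $db->prepare('INSERT INTO user_groups VALUES (?, ?)');
foreach ([[1, 'registered'], [1, 'agent'], [2, 'registered'], [2, 'useradmin']] as $row) {
    $addUser->execute($row);
}
// Groups permitted on exp_rep.php, matching the flags set to 1 in the first post's dump.
$addPage = $db->prepare('INSERT INTO page_groups VALUES (?, ?)');
foreach (['siteadmin', 'agent', 'supervisor', 'financeadmin'] as $group) {
    $addPage->execute(['exp_rep.php', $group]);
}

// True if the user shares at least one group with the page; no matching row means deny.
function pageAuth(PDO $db, int $userId, string $pageName): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM user_groups u
           JOIN page_groups p ON p.group_name = u.group_name
          WHERE u.user_id = ? AND p.page_name = ? LIMIT 1'
    );
    // Values are bound, so neither the user id nor the page name is parsed as SQL.
    $stmt->execute([$userId, $pageName]);
    return $stmt->fetchColumn() !== false;
}

// User 99 has no rows at all and is denied like any other non-member.
foreach ([1, 2, 99] as $id) {
    printf("user %d -> %s\n", $id, pageAuth($db, $id, 'exp_rep.php') ? 'allow' : '403');
}
```

Adding a group in this layout is an INSERT rather than a schema change, and the check no longer depends on column order.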