How should I handle this user authorization puzzle?

Begby
Forum Regular
Posts: 575
Joined: Wed Dec 13, 2006 10:28 am

How should I handle this user authorization puzzle?

Post by Begby »

The project I am working on consists of product, orders, customers and the like.

Products, orders, and customers all belong to specific clients.

Clients all have logins, and there are also different levels of manager login. Administrators can have access to everything, plant managers can have access to only the clients in their warehouse, and clients can only have access to their own stuff.

So if someone tries to view order details, edit a customer record, or view a list of products, it should work like this:

If admin then show it to them
If they are a plant manager get all the clients at the warehouse and limit stuff to those clients
If they are a client then make sure the record(s) belongs to their clientID

So the logic above really isn't that hard. The question is at what spot in my code do I put it? I have everything represented by classes and there is a lot of querying and the like that goes on. I think I would like it to throw an exception if they are not allowed.


A. I could build this into my classes and pass a clientID or loginID to every method or object instantiation.

B. At the controller level I can check the access using an authorization object. But we are talking about putting this thing all over the place and then having to make sure we call it for any orderIDs, or productIDs, or whatever is passed in GET or POST. This would result in extra queries as well and probably missed checks.

C. Have the class methods retrieve the loginID or clientID from the framework.

D. Any other ideas?
Begby
Forum Regular
Posts: 575
Joined: Wed Dec 13, 2006 10:28 am

Post by Begby »

OOH OOH!

In another thread here (viewtopic.php?t=64310), arborint suggested I use manager classes for retrieving objects, which sounded like a good idea...

What if I create an abstract base manager class and then extend that for each of my login types: admin, client, and manager? The problem, though, is that each manager will need to be duplicated 3 times, once for each type...

I could create manager classes, then maybe use a delegate within the class, and create a different delegate for each login type....

Does that give anyone ideas?
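Working through the delegate idea above, as an added example that is not the poster's code (PHP 8, PDO and an in-memory SQLite table are assumed): each login type becomes a scope object injected into the manager, so every retrieval is checked in one place, and a record that is missing or belongs to another client raises the same exception.

```php
<?php
// Added example (not from the thread): the login type becomes a scope object that is
// injected into every manager, so the client restriction lives in one place.
class AccessDeniedException extends RuntimeException {}

final class LoginScope {
    private function __construct(private ?array $clientIds) {}   // null = unrestricted
    public static function admin(): self { return new self(null); }
    public static function plantManager(array $warehouseClientIds): self { return new self($warehouseClientIds); }
    public static function client(int $clientId): self { return new self([$clientId]); }
    public function allows(int $clientId): bool {
        return $this->clientIds === null || in_array($clientId, $this->clientIds, true);
    }
    public function clientIds(): ?array { return $this->clientIds; }
}

final class OrderManager {
    public function __construct(private PDO $db, private LoginScope $scope) {}

    // Single record: fetch, then verify ownership. One error for "missing" and
    // "not yours", so a caller cannot probe which order IDs exist.
    public function find(int $orderId): array {
        $st = $this->db->prepare('SELECT id, client_id, total FROM orders WHERE id = ?');
        $st->execute([$orderId]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row === false || !$this->scope->allows((int)$row['client_id'])) {
            throw new AccessDeniedException("order $orderId");
        }
        return $row;
    }

    // Lists: the restriction goes into the SQL, so other clients' rows are never loaded.
    public function listAll(): array {
        $ids = $this->scope->clientIds();
        if ($ids === []) { return []; }   // manager of an empty warehouse sees nothing
        $where = $ids === null ? '' : ' WHERE client_id IN (' . implode(',', array_fill(0, count($ids), '?')) . ')';
        $st = $this->db->prepare('SELECT id, client_id, total FROM orders' . $where);
        $st->execute($ids ?? []);
        return $st->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed sample data (SQLite in memory) so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, client_id INTEGER, total REAL)');
$db->exec('INSERT INTO orders VALUES (1, 10, 99.5), (2, 20, 12.0), (3, 30, 7.25)');
$asClient = new OrderManager($db, LoginScope::client(10));
echo count($asClient->listAll()), " order(s) visible to client 10\n";
try { $asClient->find(2); } catch (AccessDeniedException $e) { echo "denied: ", $e->getMessage(), "\n"; }
echo count((new OrderManager($db, LoginScope::plantManager([10, 20])))->listAll()), " for the warehouse\n";
```

The controller only picks the scope at login; any ID that arrives in GET or POST still goes through the manager, which is where the check happens.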
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »


Having a centralized location to check for authorization is often best; however, whether to check for authorization is pretty much up to the object performing the retrieval.

Although I may be completely off base.
johndcastro
Forum Newbie
Posts: 2
Joined: Tue Feb 27, 2007 4:29 pm

Post by johndcastro »

I have been in a similar situation, and what I did was determine a 'groupid', so to say, i.e.

Admin - 0
Manager - 1
Customers - 2

Then you just write if/else statements with different queries based on their groupid, i.e.:

// Customers (groupid 2): query only the rows tagged with their group
if ($groupid == 2) {
    $qry = "SELECT * FROM table WHERE groupid = 2";
}
else ...

And so on.

Of course, you would have to modify your tables to have a groupid field in the users and main product tables, and then when you insert, just use the group id.

This may or may not be what you were looking for, just something I did in a similar situation!