Restricting access to pages based on usergroups

iceangel89
Forum Commoner
Posts: 39
Joined: Mon Jul 02, 2007 7:02 pm

Restricting access to pages based on usergroups

Post by iceangel89 »

I currently use something like

Code:

$sql = "SELECT Usergroup.GroupName FROM Usergroup INNER JOIN User ON Usergroup.GroupID = User.GroupID";
// (the query above still needs to be restricted to the current user, e.g. with a WHERE clause)
//... mysql_select etc. ...
$rs = mysql_fetch_assoc(...);
//create an array of allowed usergroups (GroupName)
$ar_allowed = array("Employee", "Manager");

if (!in_array($rs['GroupName'], $ar_allowed, true)) {
  //redirect, then stop: without exit the rest of the page is still executed and sent
  header(...);
  exit;
}
I think I should put $ar_allowed = array("Employee", "Manager"); at the top of the page ... but anyway, in this way I need to restrict access to pages page by page, and then I may make mistakes in the $ar_allowed array, breaking the access restriction...

What is a more efficient way to do this?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Restricting access to pages based on usergroups

Post by Mordred »

In order to minimize the chance of human error, you need to have an easily testable and easily auditable setup.
I would suggest having all the access rights set up in a config file - something along the lines of which page allows which groups.
Access this through a function (function IsAccessAllowed($userid, $page)) so that you can easily modify the bottom layer of the system (for example, you might want to place it in a database).
By default the function should disallow access to anyone. Add access rights only when needed and only to the lowest possible access group.
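The layout Mordred describes (one central page-to-groups config, a single access function, deny by default), written out as an added example; this is not code from the thread. It assumes PHP 7 or later, and the $userGroups map is constructed sample data standing in for the Usergroup/User join in the original post.

```php
<?php
// Central access policy: the only place that has to be audited.
// Any page that is not listed here is denied to everyone.
$accessConfig = [
    'index.php'     => ['Employee', 'Manager', 'Guest'],
    'timesheet.php' => ['Employee', 'Manager'],
    'reports.php'   => ['Manager'],
];

// Constructed sample data (user id => group name); in a real system this
// comes from the Usergroup/User join, or from the session after login.
$userGroups = [
    1 => 'Employee',
    2 => 'Manager',
    3 => 'Guest',
];

// Default deny: an unknown user, an unlisted page, or a group that is not
// in the page's list all fall through to false.
function isAccessAllowed(int $userId, string $page, array $config, array $userGroups): bool
{
    if (!isset($userGroups[$userId]) || !isset($config[$page])) {
        return false;
    }
    return in_array($userGroups[$userId], $config[$page], true);
}

// Gate to call at the very top of every page, before any output is sent.
function requireAccess(int $userId, string $page, array $config, array $userGroups): void
{
    if (!isAccessAllowed($userId, $page, $config, $userGroups)) {
        // Redirect and stop: without exit the rest of the page would still run.
        header('Location: /login.php');
        exit;
    }
}

// In a protected page (hypothetical session key 'user_id' set at login):
// requireAccess((int) $_SESSION['user_id'], basename(__FILE__), $accessConfig, $userGroups);

// Policy self-check that can be run from the command line during review:
// the manager may open reports.php, the employee may not, and a page that
// is missing from the config is denied to everybody.
var_dump(isAccessAllowed(2, 'reports.php', $accessConfig, $userGroups));
var_dump(isAccessAllowed(1, 'reports.php', $accessConfig, $userGroups));
var_dump(isAccessAllowed(1, 'unlisted.php', $accessConfig, $userGroups));
```

Because pages not present in $accessConfig are denied, forgetting to add a new page fails closed instead of open, which is the mistake the original per-page $ar_allowed arrays invite.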