Restricting access to pages based on usergroups

Posted: Sat Apr 19, 2008 10:07 pm
by iceangel89
I currently use something like

$sql = "SELECT Usergroup.GroupName FROM Usergroup INNER JOIN User ON Usergroup.GroupID = User.GroupID";
// NB: as written the query has no WHERE clause, so it joins every user; it needs to be limited to the current user
//... mysql_select etc. ...
$rs = mysql_fetch_assoc(...);
// create an array of allowed usergroups (GroupName)
$ar_allowed = array("Employee", "Manager");

if (!in_array($rs['GroupName'], $ar_allowed, true)) {
  // redirect
  header(...);
  exit; // stop here, otherwise the rest of the page is still rendered after the redirect header
}

I think I should put $ar_allowed = array("Employee", "Manager"); at the top of the page ... but anyway, this way I need to restrict access to pages page by page, and then I may make mistakes in the $ar_allowed array, breaking the access restriction...

What is a more efficient way to do this?

Re: Restricting access to pages based on usergroups

Posted: Mon Apr 21, 2008 11:46 am
by Mordred
In order to minimize the chance of human error, you need to have an easily testable and easily auditable setup.
I would suggest having all the access rights set up in a config file - something along the lines of which page allows which groups.
Access this through a function (function IsAccessAllowed($userid, $page)) so that you can easily modify the bottom layer of the system - for example, you might want to place it in a database.
By default the function should disallow access to anyone. Add access rights only when needed and only to the lowest possible access group.
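The setup Mordred describes, written out as an added example (this is not code from either poster): one config array says which groups may open which page, a single function answers the access question, and anything not explicitly listed is denied. The page names, the user table and the group names other than "Employee" and "Manager" are constructed for the example; the group lookup is a closure so a database query could later be swapped in behind the same function.

```php
<?php
// Added example: page-level access list kept in one config array,
// consulted through one function, deny-by-default.

// Which groups may open which page. Pages missing from this table are
// denied to everyone, so a forgotten entry fails closed, not open.
// Page keys and the "Admin" group are constructed for this example.
$ACL = [
    'index.php'   => ['Employee', 'Manager'],
    'reports.php' => ['Manager'],
    'admin.php'   => ['Admin'],
];

// The "bottom layer": how a user id becomes a group name. This sample
// table is constructed; a real deployment would query Usergroup/User.
$userGroups = [
    1 => 'Employee',
    2 => 'Manager',
    3 => 'Admin',
];
$lookupGroup = function (int $userId) use ($userGroups): ?string {
    return $userGroups[$userId] ?? null;   // null means unknown user
};

/**
 * True only if $userId's group is explicitly listed for $page.
 * Unknown page, unknown user, or group not listed: false.
 */
function isAccessAllowed(int $userId, string $page, array $acl, callable $lookupGroup): bool
{
    // Reduce the page to its bare file name so './reports.php?x=1'
    // matches the configured key 'reports.php' instead of bypassing it.
    $path = parse_url($page, PHP_URL_PATH);
    $page = basename(is_string($path) ? $path : '');

    if (!array_key_exists($page, $acl)) {
        return false;                       // page not configured: deny
    }
    $group = $lookupGroup($userId);
    if ($group === null) {
        return false;                       // user not found: deny
    }
    return in_array($group, $acl[$page], true);
}

// Replacement for the per-page check in the original post: call this
// once at the top of every page instead of keeping a local $ar_allowed.
function requireAccess(int $userId, string $page, array $acl, callable $lookupGroup): void
{
    if (!isAccessAllowed($userId, $page, $acl, $lookupGroup)) {
        header('Location: /denied.php', true, 303);
        exit;                               // never render the protected page
    }
}

// Self-check of the rules above (runs when the file is executed directly).
assert(isAccessAllowed(1, 'index.php', $ACL, $lookupGroup) === true);
assert(isAccessAllowed(1, 'reports.php', $ACL, $lookupGroup) === false);  // Employee, Manager-only page
assert(isAccessAllowed(2, 'reports.php', $ACL, $lookupGroup) === true);
assert(isAccessAllowed(3, 'secret.php', $ACL, $lookupGroup) === false);   // page not in the table
assert(isAccessAllowed(99, 'index.php', $ACL, $lookupGroup) === false);   // unknown user
assert(isAccessAllowed(2, './reports.php?x=1', $ACL, $lookupGroup) === true);
```

In a page you would pass the logged-in user's id from the session (never from a request parameter) and `basename($_SERVER['SCRIPT_NAME'])` as the page, and the whole `$ACL` array can be reviewed or unit-tested in one place, which is the auditability the answer asks for. Moving the table into a database later only changes the code that builds `$acl` and `$lookupGroup`, not the check.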