Users access rights and functionality control

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

mattbarber
Forum Newbie
Posts: 2
Joined: Fri Jan 02, 2009 1:20 pm

Users access rights and functionality control

Post by mattbarber »

Please can you advise me on the best way to implement user permissions within PHP to control what a user can do within the database application?

I have created a PHP application with a MySQL database. The database has a number of tables (such as Person, UserAccounts, Accommodation, Education etc.). In its simplest form the PHP pages display data from a table and, through links to associated pages, allow the user to delete/edit information in the table.

I would like to implement permission/access rights to control what the user can do when they log in, i.e. View Data, Edit or Delete Records. I already have a user registration/log-in system through PHP where the user accounts and passwords etc. are held in the 'UserAccounts' table.

What currently happens is:

  • The user logs in and their 'id' is held in a session variable.
  • The user accesses the required PHP query results page for the required table; let's say ViewPeople.php, which queries table 'Person' and shows the results.

From here it seems like the best way to implement permissions is:
  • Add details to the user's record in the 'UserAccount' table which specify each user's access level (view, edit, delete) for a given table.
  • Run a query at the beginning of each page (say the ViewPeople.php page) which returns the user's access level.
  • Through a series of 'IF' statements in the page, using the previous query results, show or hide the appropriate links (such as edit person, delete person etc.) as appropriate.

This method seems inefficient as it would require a query at the beginning of each page and several IF statements within the page to control what the user sees.

An alternative solution may be to load different copies of the page depending on the user's access level, each with different links shown. This would again be inefficient and an admin overhead, requiring many copies of a page to be modified in the future for even a small change in code.

How is this normally done? Any advice or suggestions are gratefully received.

Thanks
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Users access rights and functionality control

Post by VladSun »

Most of the developers will do it this way - maybe a "role" table is more efficient.
I had some discussions about it:
viewtopic.php?f=50&t=89528&hilit=+ACL
viewtopic.php?f=19&t=89300&hilit=+ACL
viewtopic.php?f=50&t=81792&hilit=+ACL
There are 10 types of people in this world, those who understand binary and those who don't
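The role-table approach suggested above, combined with the per-page check from the original question, as an added example (not code from either poster). It assumes hypothetical table and column names (roles, role_permissions with can_view/can_edit/can_delete, and a role_id column on UserAccounts) and a PDO connection in $db; permissions are loaded once at login rather than queried on every page, and the action page repeats the check because a hidden link is not an access control.

```php
<?php
// Added example: role-based permissions for a PHP/MySQL app.
// Assumed (hypothetical) schema:
//   roles(id, name)
//   role_permissions(role_id, table_name, can_view, can_edit, can_delete)
//   UserAccounts(id, username, password_hash, role_id)
session_start();

// Load the permission matrix for one user (called once, at login).
function load_permissions(PDO $db, int $userId): array {
    $stmt = $db->prepare(
        'SELECT rp.table_name, rp.can_view, rp.can_edit, rp.can_delete
           FROM UserAccounts u
           JOIN role_permissions rp ON rp.role_id = u.role_id
          WHERE u.id = ?'
    );
    $stmt->execute([$userId]);
    $perms = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $perms[$row['table_name']] = [
            'view'   => (bool) $row['can_view'],
            'edit'   => (bool) $row['can_edit'],
            'delete' => (bool) $row['can_delete'],
        ];
    }
    return $perms;
}

// Default deny: an unknown table or action yields false.
function can(string $action, string $table): bool {
    return !empty($_SESSION['perms'][$table][$action]);
}

// Guard for action pages: stop the request unless the action is permitted.
function require_permission(string $action, string $table): void {
    if (!can($action, $table)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// At login, after the password check succeeds:
//   $_SESSION['user_id'] = $user['id'];
//   $_SESSION['perms']   = load_permissions($db, $user['id']);

// In ViewPeople.php, links are shown only when permitted...
$personId = 42; // constructed sample id
if (can('view', 'Person')) {
    if (can('edit', 'Person'))   echo '<a href="EditPerson.php?id=' . $personId . '">Edit</a>';
    if (can('delete', 'Person')) echo '<a href="DeletePerson.php?id=' . $personId . '">Delete</a>';
}
// ...and DeletePerson.php starts with require_permission('delete', 'Person');
```

Because the matrix lives in the session, a role change only takes effect at the next login; reload it (or store a version stamp) if revocation must be immediate.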
mattbarber
Forum Newbie
Posts: 2
Joined: Fri Jan 02, 2009 1:20 pm

Re: Users access rights and functionality control

Post by mattbarber »

Thanks for such a quick reply.

Whilst I'm familiar with Object-Oriented Programming principles, having done some Smalltalk programming in the past, I've never done any in PHP.
I'm also unfamiliar with the Zend framework, the CodeIgniter framework and Controllers, so I've got a bit of research to do.

However, you've pointed me in the right direction so thanks for your help.