User level security

         

derenw

5:01 pm on Mar 22, 2004 (gmt 0)




Hi all!

After a user has logged in I want to restrict access to a few pages based on their user level. I have got this far and am not sure how to continue:

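session_start();
// session_is_registered() was removed in PHP 5.4; test $_SESSION directly
if (isset($_SESSION['userId'])) {
    // the session variable is set, the user is allowed to see anything that follows
}
else {
    // the session variable isn't set, back to the login page
    header("Location: login/user_login.htm");
    exit; // stop here, otherwise the rest of the page still runs after the redirect header
}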

Could anyone offer some tips?

Thanks

lorax

5:19 pm on Mar 22, 2004 (gmt 0)




The quick and dirty method is to not show them the links to the pages that they aren't allowed to see. If, however, they guessed at the file names, they would still be able to access them.

The next level involves building user permissions where you can assign the user rights to each file. Then use their username to check for permissions with each page they try to access.

brotherhood of LAN

5:33 pm on Mar 22, 2004 (gmt 0)




The next level involves building user permissions where you can assign the user rights to each file

There's a good thread on this in the forum library, I believe, using bitwise operators to decide the level of the user's access. A few good reads in there for this sort of thing, well worth a look, derenw.

Nova Reticulis

5:19 pm on Mar 24, 2004 (gmt 0)




This is how I implemented it in one of the recent projects:


define('PERMISSION1', 1);
define('PERMISSION2', 2);
define('ONLY_PERMISSION2', 999);
define('BOTH_PERMISSIONS', 3);

function security($level) {
    switch ($level) {
        case BOTH_PERMISSIONS: // compare against the constant, not the string 'BOTH_PERMISSIONS'
            // both session flags must be set
            if (!empty($_SESSION['permission1']) && !empty($_SESSION['permission2']))
                return 1;
            break;
        /* ...insert code that returns 1 if current permissions match requested $level, for example */
    }
    // nothing matched: deny by default
    return 0;
}

Then, in each place that needs to check authorization (new page, command handler, etc):


if (!security(BOTH_PERMISSIONS))
die('Access denied!');

This is of course totally bogus code off the top of my head :)
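
The per-page check described in this thread, combined with the bitwise levels mentioned above, as an added example that is not part of the original thread. The permission names, the page map and the session keys `userId` and `perms` are assumptions; the login URL and denial message are the ones used in the posts.

```php
<?php
// Added example, not code from the thread. Permission names, the page map
// and the session keys ('userId', 'perms') are assumptions for illustration.
const PERM_VIEW_REPORTS = 1;  // bit 0
const PERM_EDIT_USERS   = 2;  // bit 1
const PERM_BILLING      = 4;  // bit 2
// Bits each protected page requires. Pages missing from the map are denied.
const PAGE_REQUIREMENTS = [
    'reports.php' => PERM_VIEW_REPORTS,
    'users.php'   => PERM_EDIT_USERS,
    'admin.php'   => PERM_EDIT_USERS | PERM_BILLING,
];

// Decide access from session data alone: 'login', 'deny' or 'allow'.
function access_decision(array $session, string $page): string {
    if (!isset($session['userId'])) {
        return 'login';                   // not authenticated
    }
    if (!array_key_exists($page, PAGE_REQUIREMENTS)) {
        return 'deny';                    // unknown page: deny by default
    }
    $required = PAGE_REQUIREMENTS[$page];
    $granted  = (int) ($session['perms'] ?? 0);
    // Every required bit must be present, not just one of them.
    return (($granted & $required) === $required) ? 'allow' : 'deny';
}

// Call at the top of each protected page, before any output is sent.
function require_access(string $page): void {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    switch (access_decision($_SESSION, $page)) {
        case 'allow': return;
        case 'login':
            header('Location: login/user_login.htm');
            exit;                         // header() alone does not end the script
        default:
            http_response_code(403);
            exit('Access denied!');
    }
}

// Constructed sample sessions; run from the CLI to print the decisions.
if (PHP_SAPI === 'cli') {
    $editor = ['userId' => 7, 'perms' => PERM_VIEW_REPORTS | PERM_EDIT_USERS];
    foreach (['reports.php', 'admin.php', 'secret.php'] as $p) {
        echo $p, ' => ', access_decision($editor, $p), "\n";
    }
    echo 'anonymous => ', access_decision([], 'reports.php'), "\n";
}
```

Because the check runs on the server for every request, guessing a file name no longer bypasses it the way it bypasses hidden links.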