Page Security

[cometburn]

Hello Guys!

This is the scenario... A User Logs in the program.. the program checks if the user has the access to some pages. How am i going to do this?

[Zach_VB6]

MySQL.

Here's a tut: http://www.devarticles.com/c/a/PHP/P...y-a-Beginners/

[cometburn]

Ow, Sorry, i know how to use mySQL and Php. What im asking is "HOW" to do the page security thing.

When the user has log-in, there are some pages that is restricted to the user based on his access rights.

[mendhak]

That's where your application design would come in, wouldn't it.

You can have security levels assigned to each page; perform the security check on the user whenever the page is accessed. So on page x.php, you can allow levels 3, 4 and 5. If the user that comes in is level 2, then send him away or just send an access denied message. Just an example.

[Zach_VB6]

PHP Code:

<?PHP
// I assume you will parse from a database
// and store the user's level in an integer / string
     if ( $iUserID > 2 ) {
          echo "Access Granted.";
          // now print the stuff that is protected
     } else {
          echo "Access Denied.";
     }
?>

[dclamp]

you could also make a function and put it at the top of the page. example

PHP Code:

//put this in a file where you have made all your mysql connections or "settings" file that will be included
function checkAccessLevel($iUserID, $pageaccesslevel, $requestpage) {
     //using Zach's code...
     if ( $iUserID > $pageaccesslevel ) {
          //include secure page
          include ($requestpage);
     } else {
          include(restricted.php);
     }
}

//put this on your secure page: (ex: myaccount.php)
checkAccessLevel('4', '1', 'myaccount.php');
//so this checks user 4, to see if they are access level 1 on myaccount.php 


[penagate]

You can do tier-based or group-based access control.
Tier-based ('levels') is simpler; each tier is inclusive of the one below. Generally one has, at a mininum, a 'God' (administrator) level, n restricted levels, a guest level, and an optional totally restricted level (such as for banned users — obviously impractical on an intranet, but useful on the WWW).
Each page simply requires a particular level of access, as shown in the examples above.

Groups are not necessarily inclusive of each other. Each page has an access-control list (ACL) listing the groups which can access the page and any other operations they might be able to do to it. Optionally, each group can also have its own set of general permissions. Optionally, further, each user can also have their own permissions mask which is applied after the group and page permissions are calculated.
This is more complex, but much more powerful.

Operating systems, and many content-management and forum systems (such as this one) use group-based access control.