I am trying to create roles and permissions functions in php. I have checked some tutorials
A Better Login System
RBAC in PHP
but it is not clear that the permissions are that of the ones granted by mysql or they are improvised in php.
For example if I have roles like admin and user and developer, so should I have to create different users in database and then use those to perform different operations or should I create one root user and then control the access in php. To me it seems like the database should restrict it by having different users.
First clear yourself on roles & permissions. In front end these are different things to provide access to certain pages & changes.
As per your question let me tell you the roles as Admin/User/Developer can be managed by MySQL user rights. MySQL user rights restrict user access on tables, creating tables,deletion and insertion etc. Now if you create different users in database with custom user rights you will have to include different connection credentials for each of the users.
Further in controlling PHP pages restrict user access with user pages assignment by php codes.
If you are really going for custom access management module. I would recommend you to create role table where roles will be placed
table:role
Columns:
id (pk, auto-increment)
role_name (Varchar)
keep 'role_id' in the user table.
you don't need to create a separate table for user_role since each use will have one role.
But if you are planning to have completely page level access.. You would need that table and a UI should be created where you would assign pages (access) to the user while creating a user.
If you are using any framework, do look for the available apis. YII has a very good security feature which access rules and filters are defined.
Related
I want to create user roles and permissions (Super Admin, Accountant, User) in my Php Mysql CRUD Application. I am wondering how to allow create, read, update and delete permissions to these users, for example, will it be done in create.php or should I create separate create.php files for each user.
Only the Super Admin will have all permissions. For accountant, it will be read (view) and update. And for normal user, it will be read only.
How can I achieve this?
Most commonly this is done with groups and Access Control Lists (ACLs).
You implement a "group" attribute of a user entity, and then define the group with a set of privileges. When the user logs in, load their privileges by looking up their group and then lookup the privileges assigned to that group.
In your create.php, check the privileges that have been loaded for that user, and if they don't have create privilege, return an informative error message.
Googling for "PHP ACL for CRUD application" I found a number of tutorials showing how to implement this in different PHP frameworks. One example:
https://book.cakephp.org/2/en/tutorials-and-examples/simple-acl-controlled-application/simple-acl-controlled-application.html
By using groups and ACLs, this makes it easier to define new group types in the future, or change the group membership of a given user, or change the privileges assigned to the groups.
I have done a lot of reading on this but nothing stands out. I already have a authentication and authorisation system that can handle multiple guards and user roles (user, admin, super admin etc.)
I am trying to find out what is the best way to separate the system into totally separate accounts which have the following;
No login section
Landing page. Anyone can see without login.
Admin Section
Admin side of the system has a super-admins and then multiple admin-users.
These users can see all data from every user who has an account on the client side.
Client Section
Each user account has an owner who deals with billing, their own user admin etc.
Each client account also has a number of users (admin-users, editor-users etc.) with varying permissions.
Users on this side should only ever be able to see their own accounts data. They should not be able to ever see other accounts data.
Before Laravel, I would have an accounts table and assign a unique key to each account. Then a separate users table would contain the user along with their account key.
All database tables from this point onwards (posts, products, shipments etc.) would also have this key to ensure that the user account could only see their own data.
On top of this there would be permission tables, for granular control of what each user from either side can see.
Is my original way still suited to Laravel or is there a better way?
To separate out the accounts into their own "ecosystems" within the same code base is called multi tenancy. Basically, you scope your applications queries based on the user id and/or role which limits the available data to any given user.
Have a look at the Landlord Package.
In a very basic summary, what it does is add a where('tenant_id, auth()->id()) clause to every applicable query.
You can of course either omit the clause entirely for super admins to access all data, or apply even tighter constraints, say by adding a check for the user's role in addition to the clause, further limiting what a user can access within their respective account/organization/group etc.
Scoping can be done by any kind of relationship, you're not necessarily limited to the authenticated user's id. If your application has organizations for multiple user's you can use the organization id.
Multiple tenant ids is also possible, where a user must belong to an organization and a certain division within that organization.
Another package I've used previously is Hyn's multi-tenant.
We have same project as you mention . We create a company table and put it on the top of the hierarchy.
Then add new field all tables as company_id
And manage models over Policy -> https://laravel.com/docs/5.8/authorization
I hope this help
I'm creating some sort of "to do list" application in PHP. Now I want to implement function for sharing tasks between users, those tasks are basically folders. Can you give me some idea how can I give access to folder, only to some users. I wanted to use database but currently I'm out of ideas.
Using a database, allow original task owner to assign other users to the task. As a basic example, you can create a 'task_group' table with a task id field. This will basically lead to each task having its own group in the database. Then create a 'task_group_users' table with a task_group_id field and a user_id field. You then check this table to see if user is part of the task_group by user id. Owner of task is able to add users to group by adding user id's to task_group_users.
This example can be extended further to support multiple groups per task by adding a group name field and permission level field within the task_group table.
This can be used for a backend for actual system folders, but I wouldn't use actual system groups. This could lead to security issues and will ultimately be limited.
Why don't you store all data in MySQL database for example? It's going to be much easier to delegate access rules there.
At other had you can allow access to this folders only trough PHP-script, and in this PHP script check if user has enough privileges to access that folder.
Your question is very ambigous in this formulation.
I have to provide access rights like edit, view, delete values in the database to the users dynamically in php, so that the super admin can change the privileges from the application itself.(no need to open the database and do it for each and every user).
When you create the database, you also create the users with the different rights you need, the you have a configuration file, where each user is mapped to a specific DB user, then when you make the connections, you are already using that user with the specific rights. You detect the user when they log in the application.
You may also change a bit the interface of the site to each user group, so you don't show controls or actions not related to that group.
My RealEstate PHP Application have following user groups,
Admins,
Moderators
Agents
i want to specify following permission to the following users.
Admins - >
Can Create Moderators,
Can Create Agents,
Can Insert Properties,
Can Update Properties,
Can Delete Properties
Hence an Admin will have all the privileges in short an Admin here will be superAdmin
I want to assign limited privileges to the moderator and hence to the agents.
i am confused on how to Create a Database for this and also on how to implement it in my PHP Application.
thank you
It sounds like you are going to need a role-based access control system. Developing one is not
really a trivial task, so as already suggested, finding a framework or ready-made class that does
the job would be a worth while start.
Role Based Access Control
http://www.tonymarston.net/php-mysql/role-based-access-control.html
http://www.sqlrecipes.com/database_design/fine_grained_role_based_access_control_rbac_system-3/
http://www.sitepoint.com/forums/showthread.php?threadid=162027
You should create a table wher you have to define all type of role.
and one table for users
relate different roles to different user Via linking two tables.
and some thing like this ......
The way that I have done this in the past was to create a users table in the database that had an access level (Admin, Moderator, and agents).
Then if you have a menu system, implement a check to see what privileges are needed for what links... Admins will see all links, Moderator will only see links he/she is supposed to, and agents will only see what they are supposed to see.
Also on the pages that you may want to restrict users you will want to check for the users access level. If they pass, they will see the page, if not, they will be redirected or a javascript error will need to pop up.
Something like the access level may do you some good to store it in a cookie as you can cut down your calls to your database.
Hope this helps,
Mike