I'm working on a website where there will be three types of users: admin, managers, and operators.
I want to give access for these groups for them to only be able to view certain pages or
certain menus in these pages when they login. How do i go about doing this? im still just a beginner in php
so any information or tutorials to implement this will be helpful.
This is a loaded question, in my experience you will want to make three tables. I will highlight basic columns to make it work
User
user_id, login, password
Access
access_id, access_code, access_name
UserAccess
user_access_id, access_id
Then create the accesses you want like Administrator give it an access code like admin_rights, Manager with access code manager_rights, and so on.
Then assign the users the access you want to give them. The pages you will assign the access_codes that can view the page and if the user has the access type it can view the page. As far as code goes there is a lot to show so if you need more help,let me know.
You could go even further and add a Role table that allows you to assign multiple accesses to and then assign a role to a user.
Role
role_id, role_name
RoleAccess
role_access_id, role_id, access_id
UserRole
user_role_id, role_id, user_id
It gets complex, but in the long run it allows you to set up many different user types and allows for you to get specific for special users that you want to have access to this and that and don't fit a predefined role.
Related
I am trying to create roles and permissions functions in php. I have checked some tutorials
A Better Login System
RBAC in PHP
but it is not clear that the permissions are that of the ones granted by mysql or they are improvised in php.
For example if I have roles like admin and user and developer, so should I have to create different users in database and then use those to perform different operations or should I create one root user and then control the access in php. To me it seems like the database should restrict it by having different users.
First clear yourself on roles & permissions. In front end these are different things to provide access to certain pages & changes.
As per your question let me tell you the roles as Admin/User/Developer can be managed by MySQL user rights. MySQL user rights restrict user access on tables, creating tables,deletion and insertion etc. Now if you create different users in database with custom user rights you will have to include different connection credentials for each of the users.
Further in controlling PHP pages restrict user access with user pages assignment by php codes.
If you are really going for custom access management module. I would recommend you to create role table where roles will be placed
table:role
Columns:
id (pk, auto-increment)
role_name (Varchar)
keep 'role_id' in the user table.
you don't need to create a separate table for user_role since each use will have one role.
But if you are planning to have completely page level access.. You would need that table and a UI should be created where you would assign pages (access) to the user while creating a user.
If you are using any framework, do look for the available apis. YII has a very good security feature which access rules and filters are defined.
My tool uses:
PHP for scripting.
mySQL for DB.
Apache for host.
There will be 2 groups of users.
I want to give access to 1 group of users only for 2 webpages.
The other group of users will have the access for all the pages and links.
Is there a way I can hide certain links on a webpage from a certain group of users, too.
How can I achieve this.
Fairly new to programming.
Any help will be greatly appreciated.
Thank you.
Lets say, Admin & normal user.... in that case we will have a column in the user table which will store he/she is admin or not. When you do authentication, fetch this value & keep it in SESSION. So in every page you check this person is admin or not with that session value using if clause.
It's hard to give any fitting exmaples without code, but if you have a MySQL and know some PHP, the basic way of solving this problem would be connecting to the database, checking what group the currently logged in user is (check by ID or however you set things up) and wrapping if statements around the links you want to hide from certain people that check if they belong to the right group to see said pages. You can also hide the pages from them by just putting a check whether they can see the page content or not on top of the content and throwing some sort of no permission error when needed. For this basic example hard-coding the groups into the files should be sufficient. If you plan on expanding all this later on, I'd maybe make a seperate table in your database controlling page view permissions.
You can also include HTML code in your PHP if statements by just closing the PHP section after the if (?>) and put the closing bracket of the if at the end of your HTML menu for the secret group (<?php } ?>).
If you provide us with some code snippets, we can maybe help you a bit more with examples.
There are many ways you could achieve this.
How to 'hide' the page
A good way to really hide the pages would be to check the type of user before displaying anything. If the type of user has access to the requested page, display it. If the user does not have access, you could send a 404 page not found error.
This way, user which does not have access to the page wont even know the page exist even if they have the URL.
Authenticate the user
As mentioned by Akhil Sidharth, you can use a $_SESSION variable to keep the type of the user trying to view the pages.
Every application now a days is using group, permission and capabilities to restrict site/application users from accessing the page/content/link within the site/application. Sometime group might be refereed as role to organize users. Let me describe -
Group/Role - Role might be - Admin, Manager, Employee, Customer etc. Your application should have role management system where you can manage(add/edit/delete) the roles/user-groups. These roles should be stored in DB tables.
Permission - Permission might be Allow, Deny, Restrict etc.
Capabilities - Capabilities might define the list of works/actions/activities that a user can take on your site or on a particular page. Some examples are - a. Can View XY*Z link b. Can View X*B page c. Can create user d. Can assign permission e. Can change permission etc.
Apart from this, your application should have two addtional management page -:
Configure capabilities & permission for the said roles, where you can configure and set capabilities either 'Allow'/'Deny' for the roles.
Role to users - This is the page where you can put the users into a particular role.
In this way you have the idea, what a particular users have rights/permissions to do on the site & restrict the users over accessing the contents/pages/links accordingly.
Alternatively, the simplest way for you now is to add a 'type' field in your user DB table. Add a drop down of users types where you are creating/updating the user & save the user type in your user db table. Restrict the user on the basis of user type accordingly.
I'm building a PHP application where users can design products and then check out to a shopping cart if they want to.
To let the user create a design, I need to assign a user ID and design ID to store it in the database.
There are two types of users who can build designs:
registed users. To take care of this, I have no problem.
non-registered users. These are guest visitors who might play around with product designs, and then when they hit check out, only then will I ask them to sign up. But in order to store their designs, I do need to have some kind of user ID.
I thought of using a timestamp as this user's ID, but what if two users in different parts of the world create designs at the same time? What's a good strategy for generating IDs for temporary/guest user accounts? I don't just mean temporary in the php session sense, because I want them to be able to access their partially saved designs later on if they visit the site again, just like any other registered user. I will only ask them to sign up before checking out for payment.
A simple approach might be:
Use a single user table (for registered users and guests)
Assign a "user_type" flag. E.g. registered/guest
Use the table primary key or other unique value for both "types" of user
When guests check out later on, switch their "user_type".
Store other related customer details in a separate table.
there is no right to access the menu home, profile, gallery, contact us.
I have 2 types of user that is the administrator and operator. eg the administrator just the home, profile, and contact us menu to see. while in the operator, just the home and profile menu are visible. how to differentiate the permissions on codeigniter?
please help me, thank you :)
A simple way is provide a profile id to differentiate the users. For example for Admin 1 and for Operator user 2. When you are displaying menu in the view file put some conditions on your menu display using profile id.
Note save profile id in session data with user data.
Having different user types works if you never envision having more than two types or people that need one admin permission but not another. A better, or rather more future proof, way to do it is through roles.
Create a roles table with your different roles in it, for your use now you would have Admin and User roles. Then you create a join table that would hold the RoleId and the UserId. When a user logs in you create a session variable and populate it with an array of the different roles they hold, then when you have a specific page that requires protection you simply have to check that array for the required permission.
As an example say you have a business site, you require user logins, a main admin login, a sales login and a warehouse login. Let's say for the sake of argument that sales and warehouse need the ability to edit products, but the warehouse shouldn't be allowed to edit prices. You could of course assign different user types and then check for those user types when a page is loaded but the more and more permissions required the messier that gets. With the roles you assign warehouse and sales people the product permission role and only sales get the price editing permission.
As I said if you only ever require two separate user types with two distinct sets of permissions, role based authentication is probably overkill. But that being said it can't hurt to plan and build for a situation where you find you're going to need more.
My RealEstate PHP Application have following user groups,
Admins,
Moderators
Agents
i want to specify following permission to the following users.
Admins - >
Can Create Moderators,
Can Create Agents,
Can Insert Properties,
Can Update Properties,
Can Delete Properties
Hence an Admin will have all the privileges in short an Admin here will be superAdmin
I want to assign limited privileges to the moderator and hence to the agents.
i am confused on how to Create a Database for this and also on how to implement it in my PHP Application.
thank you
It sounds like you are going to need a role-based access control system. Developing one is not
really a trivial task, so as already suggested, finding a framework or ready-made class that does
the job would be a worth while start.
Role Based Access Control
http://www.tonymarston.net/php-mysql/role-based-access-control.html
http://www.sqlrecipes.com/database_design/fine_grained_role_based_access_control_rbac_system-3/
http://www.sitepoint.com/forums/showthread.php?threadid=162027
You should create a table wher you have to define all type of role.
and one table for users
relate different roles to different user Via linking two tables.
and some thing like this ......
The way that I have done this in the past was to create a users table in the database that had an access level (Admin, Moderator, and agents).
Then if you have a menu system, implement a check to see what privileges are needed for what links... Admins will see all links, Moderator will only see links he/she is supposed to, and agents will only see what they are supposed to see.
Also on the pages that you may want to restrict users you will want to check for the users access level. If they pass, they will see the page, if not, they will be redirected or a javascript error will need to pop up.
Something like the access level may do you some good to store it in a cookie as you can cut down your calls to your database.
Hope this helps,
Mike