My tool uses:
PHP for scripting.
mySQL for DB.
Apache for host.
There will be 2 groups of users.
I want to give access to 1 group of users only for 2 webpages.
The other group of users will have the access for all the pages and links.
Is there a way I can hide certain links on a webpage from a certain group of users, too.
How can I achieve this.
Fairly new to programming.
Any help will be greatly appreciated.
Thank you.
Lets say, Admin & normal user.... in that case we will have a column in the user table which will store he/she is admin or not. When you do authentication, fetch this value & keep it in SESSION. So in every page you check this person is admin or not with that session value using if clause.
It's hard to give any fitting exmaples without code, but if you have a MySQL and know some PHP, the basic way of solving this problem would be connecting to the database, checking what group the currently logged in user is (check by ID or however you set things up) and wrapping if statements around the links you want to hide from certain people that check if they belong to the right group to see said pages. You can also hide the pages from them by just putting a check whether they can see the page content or not on top of the content and throwing some sort of no permission error when needed. For this basic example hard-coding the groups into the files should be sufficient. If you plan on expanding all this later on, I'd maybe make a seperate table in your database controlling page view permissions.
You can also include HTML code in your PHP if statements by just closing the PHP section after the if (?>) and put the closing bracket of the if at the end of your HTML menu for the secret group (<?php } ?>).
If you provide us with some code snippets, we can maybe help you a bit more with examples.
There are many ways you could achieve this.
How to 'hide' the page
A good way to really hide the pages would be to check the type of user before displaying anything. If the type of user has access to the requested page, display it. If the user does not have access, you could send a 404 page not found error.
This way, user which does not have access to the page wont even know the page exist even if they have the URL.
Authenticate the user
As mentioned by Akhil Sidharth, you can use a $_SESSION variable to keep the type of the user trying to view the pages.
Every application now a days is using group, permission and capabilities to restrict site/application users from accessing the page/content/link within the site/application. Sometime group might be refereed as role to organize users. Let me describe -
Group/Role - Role might be - Admin, Manager, Employee, Customer etc. Your application should have role management system where you can manage(add/edit/delete) the roles/user-groups. These roles should be stored in DB tables.
Permission - Permission might be Allow, Deny, Restrict etc.
Capabilities - Capabilities might define the list of works/actions/activities that a user can take on your site or on a particular page. Some examples are - a. Can View XY*Z link b. Can View X*B page c. Can create user d. Can assign permission e. Can change permission etc.
Apart from this, your application should have two addtional management page -:
Configure capabilities & permission for the said roles, where you can configure and set capabilities either 'Allow'/'Deny' for the roles.
Role to users - This is the page where you can put the users into a particular role.
In this way you have the idea, what a particular users have rights/permissions to do on the site & restrict the users over accessing the contents/pages/links accordingly.
Alternatively, the simplest way for you now is to add a 'type' field in your user DB table. Add a drop down of users types where you are creating/updating the user & save the user type in your user db table. Restrict the user on the basis of user type accordingly.
Related
I am looking for some sort of method to have a user based system for a wordpress site.
Basically a user will be able to store simple pieces of information.
These pieces of information will then be displayed when the user logs in.
I notice in Wordpress you can have users login to something like an admin section, all i would like is the user to login from the homepage, and then redirect to one page that allows a user to add information, the information is based on variables added to a google map. the information added to the map should then be saved.
This information can then viewed by all users of the site
i have looked at Buddypress and wpsymposium but i think it is a little overkill for what i want.
Any ideas on how i could get this going?
There are several ways you can go about doing this. You can either:
Create your own user table (ID, username, email, password, etc.) and
a separate data table for the information you want to store for each
user. This would not exist as a part of the Wordpress Framework, but instead simply be displayed from within your Wordpress Installation.
You can look into a combination of hooks to create the environment you want for your users that exists as an extension of Wordpress itself. Look into Adding Roles for these users. You will also have to define their Capabilities as well. From there, you can either Create A Menu Page for those users to enter their information, or use a combination of Custom Post Types and Custom Meta Boxes to provide an environment for your users to work within.
Since you're using this specifically for Google Maps, I would say that the second option would be overkill, especially if your users aren't expected to log in very often. The benefit to the second approach, however, is that you would be able to utilize the information provided in each post in more than one way if you wanted to.
Weigh your options, and see what suits your - and your users' - needs best.
I am planning to build a site which will have members and member uploaded content. I need to choose between the following:
a) A separate interface for admins and users
b) Same interface for admins and users
For example, a particular module 'yellowpages', would have listings uploaded by members. When the owner of the listing visits the page, they will be displayed edit/delete links by checking their session data against the database. The same will be displayed to an administrator. These links will not be visible to public users. The edit/delete functions will also check if the user is the owner/or is an admin so as to avoid the public from accessing the edit/delete URLs direclty.
Also, if the user is an admin, an additional navigation bar will be displayed on the top which has links to functions that will add/edit/modify site settings and everything.
So my question is, is the above a good way to do it? or to have separate interfaces for users and admins like http://philsturgeon.co.uk/blog/2009/07/Create-an-Admin-panel-with-CodeIgniter
There is another options too. And I Prefer this.
C) Mix Both (a) and (b) Options of Yours
Create a separate interface for admins.
which includes admin listing and managing of users and listings (edit/delete/ban user etc..)
Plus You can use users and permissions type of situation.
For Ex.
Add a table permissions user type can be admin, guest, registered,
moderator etc..
Depend on login type : session will be stored and as
per session in front end the operations will be displayed.
Ex.:
guest will not see "add comment" link ;
registered can add comment +
listings + edit own listing ;
moderator can edit anyone's listing ;
admin has all rights.
Depend on your application and time you can add as much as you want.
I wrote as per globalization of any application.
If you gona use same interface it whould be less secure. Intruder would be theoretically able to become admin throug user interface. Also while programming you will have to keep in mind that some methods would be used by user and admin both - so ypu can simply forget something letting intruder some way to go. I'd beter create one class with methods used by admin and user (i.e. edit(), delete()) and extend it with two classes - user and admin.
My RealEstate PHP Application have following user groups,
Admins,
Moderators
Agents
i want to specify following permission to the following users.
Admins - >
Can Create Moderators,
Can Create Agents,
Can Insert Properties,
Can Update Properties,
Can Delete Properties
Hence an Admin will have all the privileges in short an Admin here will be superAdmin
I want to assign limited privileges to the moderator and hence to the agents.
i am confused on how to Create a Database for this and also on how to implement it in my PHP Application.
thank you
It sounds like you are going to need a role-based access control system. Developing one is not
really a trivial task, so as already suggested, finding a framework or ready-made class that does
the job would be a worth while start.
Role Based Access Control
http://www.tonymarston.net/php-mysql/role-based-access-control.html
http://www.sqlrecipes.com/database_design/fine_grained_role_based_access_control_rbac_system-3/
http://www.sitepoint.com/forums/showthread.php?threadid=162027
You should create a table wher you have to define all type of role.
and one table for users
relate different roles to different user Via linking two tables.
and some thing like this ......
The way that I have done this in the past was to create a users table in the database that had an access level (Admin, Moderator, and agents).
Then if you have a menu system, implement a check to see what privileges are needed for what links... Admins will see all links, Moderator will only see links he/she is supposed to, and agents will only see what they are supposed to see.
Also on the pages that you may want to restrict users you will want to check for the users access level. If they pass, they will see the page, if not, they will be redirected or a javascript error will need to pop up.
Something like the access level may do you some good to store it in a cookie as you can cut down your calls to your database.
Hope this helps,
Mike
I am doing new project in symfony1.4. Now this project requires users to log-in and browse, and as any project of this type requires a way of restricting users based on roles.
I don't want to implement this in obvious way, i.e to have roles attribute for each user and have pre-defined roles and assign these to users. The problem with this is it's not very flexible as more roles get defined later.
I was thinking on the lines of using an EAV model here, (not sure I can do that in symfony). What you guys think, do you have any better suggestions to make user roles much more flexible when they get added or deleted.
Also, what is the best way to display the page based on user roles, as I want some elements to be hidden according to the roles. Should I compare the role in each page and hide elements on every page? Is there a better solution?
Please shed some light on these.
Thanks
The sfDoctrineGuard plugin (http://www.symfony-project.org/plugins/sfDoctrineGuardPlugin) is a pretty comprehensive way of handling user authentication, groups and credentials. Users can be set permissions either individually or as a group, and access to specific page sections or entire actions can be restricted based on those permissions. You can set new user credentials in the controller code itself, e.g.
<?php
$this->getUser()->setCredential('editor');
?>
And verify that a user has particular permissions in views:
<?php
if ($sf_user->hasCredential('editor')) {
// stuff only for editors
}
?>
This page has lots of extra info on the plugin not covered by the readme file - http://trac.symfony-project.org/wiki/sfGuardPluginExtraDocumentation (although it refers to Propel rather than Doctrine). Also the following series of short tutorials is pretty useful:
http://www.finalconcept.com.au/article/view/symfony-user-management-sfdoctrineguard-installation
http://www.finalconcept.com.au/article/view/symfony-user-management-sfdoctrineguard-administration
http://www.finalconcept.com.au/article/view/symfony-user-management-sfdoctrineguard-securing-actions
And the Symfony tutorial page on users:
http://www.symfony-project.org/jobeet/1_4/Doctrine/en/13
How can i manage user permission?
i need a fast method to manage users (accsess to a page or dont accsee to a page) when they login?
You may want a simple solution but it's not a simple question.
At one end you could have individual permissions for each page for each user. That gives you a lot of flexibility but it would be an administrative nightmare. At the other end you could give users access or not to the whole site. Not very flexible but very easy to administer and code for.
The first is fine-grained. The second is coarse-grained. The whole point of finding an authorization scheme is to define one that is as fine or coarse grained as you need to balance flexibility and administration/development.
Two common schemes that may be of interest to you:
Give each user a type in the database. When they log in put that type (eg User, Admin, Moderator) in the session and check that on each relevant page;
Give each user one or more roles (so someone could, say, be both an Admin and a Moderator or just one of them or neither). This requires a separate table (users and userroles) and putting probably an array in the session to indicate roles but is more flexible than (1). Role-based authorization is very common.
There are many, many variations upon these two and just as many alternatives. Various schemes can be combined.
This is why generic authorization libraries for me fall short because they have contrary needs of being broad enough to cover a large number of use cases and being coarse-grained enough to be useful for the individual user.
Implement an ACL system.
A group of users form a role
A user may belong to many roles
Privileges are defined in the application - example, create user, post article. etc
Add privileges to roles via admin interface
Before the page loads, check ACL. If user belongs to a role with the required privileges for the requested page, allow user to continue. Else redirect to access denied page.
It can be easily achieved using third party libraries like Zend_Acl
Choose a library you are comfortable working with. But the basic idea remains same.