Track users in a privilege based system

simanta

Hi,

I am developing a web-based app which has several modules and access to all these modules are based on privileges. These privileges are granted to the user at the time when he is added into the system. Now, my problem is, how can i prevent a user from moving into a module for which he has no privileges.

For example, consider two modules which consist of four pages each:
Module1:- PageA -> PageB -> PageC -> PageD; and
Module2:- PageW -> PageX -> PageY -> pageZ ....

I have prevented a user Mr.X from accessing the module "start" page, PageW, because he does not have the required privileges for Module2. But he can access PageA as he has access to Module1. In the course of going through ModuleA, Mr.X can decide to "switch" to Module2 by simply typing in the URL for PageY. This is what i want to prevent.

One way, I think, is to write the privilege_id into each page (intermediate or otherwise) and cross-check with the user's privilege at the time of access. But sometimes a page may belong to multiple privileges, and there can be other complications too.

Is there a better way to handle this?

terje-s

I have done something pretty simular in one of my web-based applications. However, I think my access control system is pretty advanced, and I could not be bothered to explain how this is done. However, lets say you have a set of .php files belonging to module1 or module2 (or whatever). You know what pages these are, and hence no dynamics are required.

Write a function that checks whether or not a user is allowed to view a page belonging to a certain module, e.g.

function user_module_isallowed($userID, $moduleID) {
// perform some funky db calls and check whether or not the user has access to $moduleID or $moduleName or whatever you call the paramter. Return 0 or 1 if the user does not (or does) have access
}

On the top of each page, simply include whatever file you wrote this function in, and check whether or not the user is allowed to view this page. E.g.

if (!user_module_isallowed($userID, 1)
header("Location: http://www.site.com/error.php");

This should be sufficient I suppose.. ?

ame12

In addition to what Terje said (which is good advice) what I always do is include at the top of all my php files:

<?php include("prehead.php"); ?>

this is a pre-header (before any html is output). What you can do in this prehead code is something like the following (I also use it for general initialization stuff) in pseudocode:

1) what group(s) is this user a member of
2) does this page ($PHP_SELF) match up w/at least one groups

You can use an array to store each page (key) and the groups for which access is allowed (value).

My recomendation is to make everything (access-related) group based. That way you can just pull people in and out of groups rather than try to manage individual users and all of their rights.

RW

===========================================
http://badblue.com
Small footprint P2P web server for Windows,

File-sharing, PHP, wireless apps & more