I'm attempting to create an access control system that would not only allow an entire page
to be restricted but portions of a page to be restricted to those users with the proper
rights. I've got the users/groups system set up already.
What I've got so far is this:
The code responsible for checking user rights and restricting access to a document or
portion thereof is in a separate file that can be require()ed by any page that I wish to
restrict access to. I'll call it access.php for purposes of explanation.
I've got a second script called restricted.php that would look something like the following:
<?php
require("access.php");
#DOC_START
//code before this point would be accessible to any user with rights to access restricted.php
#START
//code between #START AND #END would only be executed for those users with rights to access this block of code
#END
//normal access restrictions for restricted.php resume
?>
What happens is that when access.php is called it reads the contents of restricted.php into
an array and removes all code before #DOC_START. It then checks to see if the user has
rights to access the block of code between #START and #END. If the user doesn't have access
the array elements corresponding to the lines between #START and #END are removed via
array_splice(). The array is then implode()ed into a string $code. $code is then eval()ed
and execution of the script stops inside access.php before continuing on through the main
body of restricted.php. The problem I am having is that if a user isn't supposed to have
access to the #START/#END block of code it is still being executed. The strange thing is
that if $code is printed out to the browser instead of being eval()ed what is printed has
the code between #START/#END removed.
I thought long and hard about how to achieve my goal with minimal change to the original
source file (in this example restricted.php) and not having to add any new logic to the
scripts that I wanted to restrict. This method was the only possible implementation that I
was able to conceive.
If anyone has any idea about what's wrong or can think of a better/simpler way to achieve the
desired effect, your comments would be appreciated.
thanks - jake
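
The filtering procedure described in the post above, written out as an added example; this is not the poster's access.php. The function name filter_restricted_source(), the $mayRunBlock flag and the sample lines are assumptions made for illustration, and it handles one #START/#END block per file.

```php
<?php
// Added example: hypothetical helper, not code from the original post.
// Takes the lines of a protected script (as file() would return them) and
// returns the source that is safe to eval() for the current user.
function filter_restricted_source(array $lines, bool $mayRunBlock): string
{
    $out = [];
    $seenDocStart = false;  // nothing is kept until #DOC_START has been passed
    $inBlock = false;       // true while between #START and #END

    foreach ($lines as $line) {
        $marker = trim($line);  // file() keeps line endings, so trim first
        if (!$seenDocStart) {
            $seenDocStart = ($marker === '#DOC_START');
            continue;           // drops the opening tag, require() and the marker
        }
        if ($marker === '#START') { $inBlock = true;  continue; }
        if ($marker === '#END')   { $inBlock = false; continue; }
        if ($inBlock && !$mayRunBlock) {
            continue;           // restricted line and the user lacks the right
        }
        $out[] = $line;
    }
    if (!$seenDocStart || $inBlock) {
        // Fail closed: a missing #DOC_START or an unterminated #START
        // must never result in the restricted block being run.
        throw new RuntimeException('malformed access markers');
    }
    return implode('', $out);
}

// Constructed stand-in for file('restricted.php').
$sample = array_map(fn($l) => $l . "\n", [
    '<?php',
    'require("access.php");',
    '#DOC_START',
    'echo "public part\n";',
    '#START',
    'echo "restricted part\n";',
    '#END',
    'echo "public again\n";',
    '?>',
]);

eval(filter_restricted_source($sample, false));  // user without the right
exit;  // as in the design described: stop here so the unfiltered file never resumes
```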