Why not wrap your logic up in a function? Each page would require_once() the page-authentication script, then ask whether the current account is in fact in the area associated with that page. Keep in mind that the account name has to come from a server-side session that only your login code writes; if the request can choose it, the check is meaningless. I threw this together as an example:
PageAuth.class.php
<?php
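/**
 * Page-level authorization helper, called statically. Maps named "areas"
 * to the account names allowed into them, using the hard-coded list in
 * getAreas() (a real deployment would read this from a database).
 *
 * Trust model: the account name is taken from $_SESSION['account'] unless
 * the caller passes one explicitly. That session value is only as trustworthy
 * as the login code that set it; nothing here authenticates anyone, it only
 * authorizes an already-identified account. Every check fails closed: an
 * unknown area, a missing or non-string account/area, or an account that is
 * not on the list all mean "no access".
 *
 * Usage To Check From Account Name in Session:
 * require_once 'PageAuth.class.php';
 * $allowed_in = PageAuth::verifyAccess( 'hr' );
 * PageAuth::verifyAccessOrDie( 'manager' );
 * PageAuth::verifyAccessOrRedirect( 'redirect_to.php', 'sales' );
 *
 * Usage To Check From Direct Account Name:
 * $allowed_in = PageAuth::verifyAccess( 'hr', 'name1' );
 * PageAuth::verifyAccessOrDie( 'manager', 'name1' );
 * PageAuth::verifyAccessOrRedirect( 'redirect_to.php', 'sales', 'name1' );
 *
 * Call the OrDie / OrRedirect variants before the page emits any output;
 * once headers are sent neither the 403 status nor the Location header can
 * go out, and both fall back to printing a denial message before exiting.
 */
class PageAuth
{
    /**
     * Checks whether an account may access an area and, if not, prints a
     * denial message and stops the script (a 403 is sent when headers are
     * still open). Returns normally only when access is granted.
     *
     * @param area    required, the area in which to check for the account
     * @param account optional, if not specified, try and find in session
     * @return none
     */
    public static function verifyAccessOrDie( $area, $account=null )
    {
        if ( self::verifyAccess($area, $account) ) {
            return;
        }
        // Give clients and logs a real status code while we still can.
        if ( !headers_sent() ) {
            header('HTTP/1.1 403 Forbidden');
        }
        echo 'Sorry, you do not have permissions to view this page';
        echo '<br /><a href="javascript:history.go(-1)">Back To Referring Page</a>';
        exit;
    }

    /**
     * Checks whether an account may access an area and, if not, redirects to
     * $redirect and stops the script. The original version only echoed the
     * redirect code as text and then kept rendering, so the protected page
     * was still served to the denied caller; this one always exits.
     *
     * $redirect must be a path fixed by the calling page. Passing a value
     * taken from the request turns this into an open redirect.
     *
     * @param redirect required, where to send a denied caller
     * @param area     required, the area in which to check for the account
     * @param account  optional, if not specified, try and find in session
     * @return none
     */
    public static function verifyAccessOrRedirect( $redirect, $area, $account=null )
    {
        if ( self::verifyAccess($area, $account) ) {
            return;
        }
        // Strip line breaks defensively so a bad $redirect cannot smuggle in
        // extra header lines (PHP refuses them anyway, but fail to a clean
        // denial rather than a warning).
        $target = str_replace(array("\r", "\n"), '', (string) $redirect);
        if ( $target !== '' && !headers_sent() ) {
            header('Location: ' . $target);
        } else {
            echo 'Sorry, you do not have permissions to view this page';
        }
        exit;
    }

    /**
     * Returns True/False depending on whether a specific account is
     * whitelisted in a specific area.
     *
     * Only plain, non-empty strings are ever compared: a non-string area
     * (e.g. an array from ?area[]=x) or account fails closed instead of
     * erroring out, and the membership test is strict so loose comparisons
     * such as true == 'name1' cannot grant access.
     *
     * @param area    required, the area in which to check for the account
     * @param account optional, if not specified, try and find in session
     * @return bool true if this account in auth area, false if not or on error
     */
    public static function verifyAccess( $area, $account=null )
    {
        if ( $account === null ) {
            $account = self::findAccount();
        }
        if ( !is_string($area) || $area === '' ) {
            return false;
        }
        if ( !is_string($account) || $account === '' ) {
            return false;
        }
        $auth = self::getAreas();
        if ( !isset($auth[$area]) || !is_array($auth[$area]) ) {
            return false;
        }
        return in_array($account, $auth[$area], true);
    }

    /**
     * Returns a list of all areas, and associated accounts: should really
     * be a database call im assuming. Account names are matched as exact
     * strings by verifyAccess().
     *
     * @return array hash of areas and their accounts
     */
    public static function getAreas()
    {
        return array(
            'manager' => array('name1', 'name2', 'name3')
            ,'hr'      => array('name1')
            ,'sales'   => array('name1', 'name2', 'name3', 'name4', 'name5')
            ,'support' => array('name1', 'name2', 'name3', 'name4', 'name5')
        );
    }

    /**
     * Looks for the current account name in $_SESSION['account'].
     * Only a non-empty string counts; anything else is treated as "not
     * logged in" so callers cannot be matched through type juggling.
     *
     * @return mixed string on success, null on failure to find
     */
    public static function findAccount()
    {
        if ( !empty($_SESSION['account']) && is_string($_SESSION['account']) ) {
            return $_SESSION['account'];
        }
        return null;
    }
}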
?>
An overly complicated test script:
test.php
<?php
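session_start();
require_once 'PageAuth.class.php';

/**
 * HTML-escape a value for output. Every $_GET value below is reflected back
 * into the page, so each one goes through here (reflected XSS otherwise).
 *
 * @param  mixed  $value scalar or null
 * @return string
 */
function esc( $value )
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/**
 * Read one $_GET parameter as a non-empty string, or null when it is absent,
 * empty, or not a plain string (e.g. ?area[]=x).
 *
 * @param  string $name
 * @return string|null
 */
function get_param( $name )
{
    if ( isset($_GET[$name]) && is_string($_GET[$name]) && $_GET[$name] !== '' ) {
        return $_GET[$name];
    }
    return null;
}

/// grab anything from form
$func            = get_param('func');
$area            = get_param('area');
$account         = get_param('account');
$redirect        = get_param('redirect');
$session_account = get_param('session_account');

/// TEST HARNESS ONLY: letting the request pick $_SESSION['account'] means
/// anyone can choose their own identity. In a real application only the
/// login code writes this value.
$_SESSION['account'] = $session_account;

/// run PageAuth function if we were asked too
if ( $func !== null ) {
    switch( $func )
    {
        case 'verifyAccess':
            echo "<h3>PageAuth::verifyAccess('".esc($area)."','".esc($account)."')</h3>";
            // Parenthesised on purpose: '.' binds tighter than '?:', so without
            // the parentheses the condition was the non-empty string
            // "Output: ..." and the harness reported PASSED for every input.
            echo "Output: ". ( PageAuth::verifyAccess($area,$account) ? '<span style="color:green">PASSED</span>' : '<span style="color:red">FAILED</span>' );
            break;
        case 'verifyAccessOrDie':
            echo "<h3>PageAuth::verifyAccessOrDie('".esc($area)."','".esc($account)."')</h3>";
            echo "Output : ". PageAuth::verifyAccessOrDie($area,$account);
            break;
        case 'verifyAccessOrRedirect':
            // Run the check before any output so a Location header can still
            // be sent. $redirect comes straight from the query string here,
            // which is acceptable for a local test page and an open redirect
            // anywhere else; real pages pass a fixed path.
            PageAuth::verifyAccessOrRedirect($redirect,$area,$account);
            echo "<h3>PageAuth::verifyAccessOrRedirect('".esc($redirect)."','".esc($area)."','".esc($account)."')</h3>";
            echo "Output : ";
            break;
    }
    echo "<hr />";
}

/// get info from PageAuth to display in form
$funcs = array( 'verifyAccess', 'verifyAccessOrDie', 'verifyAccessOrRedirect' );
$areas = PageAuth::getAreas();
$area_list = array();
$account_list = array();
foreach ( $areas as $area_name=>$account_names ) {
    $area_list[$area_name] = $area_name;
    foreach ( $account_names as $account_name ) {
        $account_list[$account_name] = $account_name;
    }
}
?>
<h2>Test PageAuth:</h2>
<form method="get">
PageAuth::<select name="func">
<?php foreach ( $funcs as $func_name): ?>
<option value="<?php echo esc($func_name); ?>"<?php if ( $func===$func_name ) { echo ' selected="selected"'; } ?>><?php echo esc($func_name); ?>()</option>
<?php endforeach; ?>
</select>
<br /><br />
$area = <select name="area">
<?php foreach ( $area_list as $area_name): ?>
<option value="<?php echo esc($area_name); ?>"<?php if ( $area===$area_name ) { echo ' selected="selected"'; } ?>><?php echo esc($area_name); ?></option>
<?php endforeach; ?>
</select>
<br /><br />
$account = <select name="account">
<option value=""></option>
<?php foreach ( $account_list as $account_name): ?>
<option value="<?php echo esc($account_name); ?>"<?php if ( $account===$account_name ) { echo ' selected="selected"'; } ?>><?php echo esc($account_name); ?></option>
<?php endforeach; ?>
</select>
<br /><br />
$redirect = <input name="redirect" value="<?php echo esc($redirect); ?>" />
<br /><br />
$_SESSION['account'] = <select name="session_account">
<option value=""></option>
<?php foreach ( $account_list as $account_name): ?>
<option value="<?php echo esc($account_name); ?>"<?php if ( isset($_SESSION['account']) && $_SESSION['account']===$account_name ) { echo ' selected="selected"'; } ?>><?php echo esc($account_name); ?></option>
<?php endforeach; ?>
</select>
<br /><br />
<input type="submit" value="RUN TEST WITH THESE VALUES" />
</form>
<hr />
<h3>Current Auth Schema looks like this</h3>
<pre>
<?php
print_r($areas);
?>
</pre>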