[RESOLVED] Restricting Page Access

gitosh

Hey people,
I'm developing a web application using PHP and SQL 2000 database. What I need is to restrict web page access depending on the roles assigned to the user in the database. How do I go about it? any help will be highly appreciated

stolzyboy

check out sessions at php.net and use that in conjuction with mssql functions also at php.net

there you'll get a good start, once you get something up and running and hit a roadblock, come on back

hth,
stolzyboy

gitosh

Hello people,

I think it's important to let you know how far I've gotten in my project, first of all users are able to login to the site using user names and passwords assigned in the sql 2000 database. The problem is all the users are able to access all sections of the site. Well I need to restrict that based on the roles assigned to the user(these roles are assigned in the database). stolzyboy, I checked out the sessions and I'm using them to propagate the username and password across the site.
The problem is I'm not able to know which roles a user is assigned from the database, ie tables. I checked the sysusers table but it doesn't help much. I was trying to do that with the thinking that if I'm able to retrive all the roles for the user and put them in a recordset (in php), then I can be able to restrict the page access based on the roles. Is that the right approach to take? if so how should I do it, and if not which approach should I take? I hope my predicament is understood.
Thank you all in advance, all help will be appreciated.

Shrike

The database user is the one which logs into the database. At a guess I'd say that you use the same username and password for database access, meaning every request is done as the same user. If you want to use database roles then you'd need separate database logins for each user.

An easier solution would be to manage user roles with PHP. This can be as complex as you like, the simplest approach might be to assign each user to a group, and give each group a number of roles. Then when performing a login you can grab the set of roles for the group and act accordingly.

Rodney_H_

Hi, gitosh.

Shrike has some good advice for you here. You can have a column in your table called "user_access" or "privileges" (or whatever) and store the user's security access level there.

Then, when you are checking the user's login credentials (assuming each user has his/her own unique row in the db), you can determine what access level they have. Save that value in your session data store.

Then, based on that value, you can present content specific to their level....

If they try to access something they do not have authority to view, you can throw an error or just redirect them...

HTH.

gitosh

ok guys, I've moved on a bit but I got a problem on the way. The problem is how to load the roles for a particular user into a session. (The roles can be many). so that I enable page access based on them? I already have a stored procedure that returns the roles given user name.

Roger_Ramjet

Lots of ways to skin this cat depending on your architecture and preferences: are you using db abstraction? are you using classes? etc?

My prefered method, whatever the platform and paradigm, is simple boolean switches.

In vb I use 'rules' in the GUI:

if CanChange() then
   ...
end if

CanChange() is a simple get that returns True/False from a global class of user privileges.

In php I would suggest the following

Create a series of BIT columns in the 'user_roles' table, each one named for an access privilege and set to True/False per role. When your stored proc returns the user role it should return the BIT columns as well.

Then just push them into the session array, eg your login function returns a row with user name, password, role and all bit columns, or false if login authentication failed.

if (!$login) {
   // boot them off to somewhere
} else {
   foreach ($login as $key=>$val) {
      $_SESSION[$key] = $val;
   }
}

// then when you build your menu

if ($_SESSION['add_user']) {
   echo '<li><a href="adduser.php">Add User</a></li>';
}

// if they don't have the add user privilege then it just won't be on the menu to start with
// you could also check it at the top of the adduser.php page

if (!$_SESSION['add_user']) {
   echo 'YOU ARE NOT ALLOWED TO DO THAT';
   exit;
}

Once a user has logged in then all the privileges are set automatically no matter the role. Because it is using the session array it can be done anywhere whether in a class or function or whatever.

The beauty of this is the flexibility, role privilege changes then just change the value in one column; add role then at the same time set the flags; new functionality then just add a column to the table and set the flags for each role.

You can get really funky with this if you use the exact same names for the column, privilege, script etc cos php lets you use variable var names - but I would not trust it myself.

gitosh

ok people, I have encountered some problem. To retrieve the roles associated with the user, I need to first retrive the user id from the database and then supply that id to the stored procedure that retrieves the user roles. Obviously the user id is one record and that's where the problem is.
To test if I'm returning any data from the DB, I usually echo the result first before proceeding, when I echo the result (of the first query that retrives user id) nothing is shown on the web page. But when I count the result, it shows that one record was returned. therefore when I try to pass the user id to the other query, nothing happens.
(I've encountered this problem before where the result displayed is one less the actual result returned and never managed to solve it.)

here is my code. (That returns the user id)

if (!($username))
{
 echo "User Name not provided";
}
else
{
 $sqlquery=mssql_init("Gssp_GetUserUid",$sqlconnect);
 mssql_bind($sqlquery,"@username",&$username,SQLVARCHAR);
 $result=mssql_execute($sqlquery);
 $numrows=mssql_num_rows($result);
 if(mssql_fetch_array($result))
{
  while($row=mssql_fetch_array($result,MSSQL_BOTH))
  {
    $uid=trim($row['uid']);
  }
  }	
echo $username;   // returns the name used during login
echo $uid;            // returns nothing
echo $numrows;  // returns 1
 }

Roger_Ramjet

Well you should not be doing it that way anyway. Either join the user table to the roles table in the proc select, or more properly create a stored view that does this and then select from the view in your proc. 1 query is all you need.

gitosh

Ok people, thanks a heap, phpbuilder rocks, I'm finally able to regulate page access.