[RESOLVED] need help determining best way to implement user permissions on login system

Hi there guys,

I'm trying to alter my script to allow multiple admins, with different permissions to be appointed in the backend. For instance, one admin can do absolutely anything, another can only add and edit, and yet another can add or delete.

So we have:

add
edit
delete
super

I've altered the user's table in the database to hold values for this. Now what I would like to do is alter the portions of my script that will now need to check for the proper permissions.

My question is: what is the best way to go about this? Just make a call to the db on page generation and do an if/else statement to handle whether it gets presented or not?

I would appreciate any suggestions on the cleanest and most efficient way to take care of this.

thanks,
json

    If you are using a session-based login system, you can simply add those permissions to the $_SESSION array upon successful login. Then on those pages or operations that require special permission, check for the existence of the applicable $_SESSION variable with the correct value, e.g.:

    if(isset($_SESSION['edit']) and $_SESSION['edit'] == true)
    {
       // allow edit action on this page
    }
    else
    {
       // output error that user does not have adequate permission to do this
    }
    

      Hi there nogdog,

      So, something like this?

      When logging in, simply pull the data from the db, then:

      $_SESSION['edit'] = $row['edit'];

      and that's it?

      I see in my script that it's setting username and password with session_register, but PHP says that's deprecated, so I should probably get rid of that.

      thanks for your help,
      json

        Yes. Assuming you are not using a really old version of PHP, the $_SESSION array should be used now instead of the old session_register() function.

          Hey there nogdog,

          I seem to be doing something incorrectly.

          I did the following to get the new information to populate the session vars:

          $query = "SELECT * FROM ".$prefix."admin WHERE username='$myusername' and password='$encrypted_mypassword'";

          $result = mysql_query($query) or die('MySQL error: ' . mysql_error() . '<hr/>' . $query);

          // Mysql_num_row is counting table row
          $count=mysql_num_rows($result);

          // If result matched $myusername and $mypassword, table row must be 1 row
          if($count==1){

              // Register username and password, then redirect to Admin index.
              session_start();

              $_SESSION['myusername'] = $myusername;
              $_SESSION['mypassword'] = $mypassword;
              $_SESSION['perms_configure'] = $row['perms_configure'];
              $_SESSION['perms_add'] = $row['perms_add'];
              $_SESSION['perms_edit'] = $row['perms_edit'];
              $_SESSION['perms_delete'] = $row['perms_delete'];
              $_SESSION['perms_super'] = $row['perms_super'];

              //Where are we going after logging in?
              header("location:index.php");

          } else {
          

          Which gets my login working correctly again. However, in the menu of the admin page, I made a couple links dependent on perms_configure or perms_super being '1'. The links aren't showing up. If I attempt to echo either, it's blank, so obviously, I'm not setting my session variables correctly.

          Any suggestions are welcome.

          thanks,
          json

            Resolved it by adding:

            while ($row = mysql_fetch_assoc ($result)) {
                $perms_configure = $row['perms_configure'];
                $perms_add = $row['perms_add'];
                $perms_edit = $row['perms_edit'];
                $perms_delete = $row['perms_delete'];
                $perms_super = $row['perms_super'];
            }
            

            doh.

            thanks,
            json
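
A login-and-permission flow along the lines discussed in this thread, as an added example that is not any poster's code: it fetches the row before reading the perms_* columns, looks the user up with a bound parameter and checks the password with password_verify(), and stores only the username and permissions in the session. The PDO in-memory SQLite table, the password_hash column, the authenticate() and can() helpers, and the sample account are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. The admin table mirrors the thread's
// perms_* columns; the in-memory SQLite database and account are constructed.
const PERMS = ['perms_configure', 'perms_add', 'perms_edit', 'perms_delete', 'perms_super'];

function authenticate(PDO $db, string $username, string $password): ?array
{
    // Bound parameter: the username is passed as data, not spliced into the SQL.
    $stmt = $db->prepare('SELECT * FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // fetch the row before reading its columns
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    $perms = [];
    foreach (PERMS as $p) {
        $perms[$p] = (bool) $row[$p];
    }
    return ['username' => $row['username'], 'perms' => $perms];
}

function can(array $session, string $perm): bool
{
    // Assumption: perms_super grants every other permission.
    return !empty($session['perms']['perms_super']) || !empty($session['perms'][$perm]);
}

// Constructed demo data (password_hash column name is an assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password_hash TEXT,
    perms_configure INT, perms_add INT, perms_edit INT, perms_delete INT, perms_super INT)');
$ins = $db->prepare('INSERT INTO admin VALUES (?, ?, 0, 1, 1, 0, 0)');
$ins->execute(['editor', password_hash('correct horse', PASSWORD_DEFAULT)]);

session_start();
$user = authenticate($db, 'editor', 'correct horse');
if ($user !== null) {
    session_regenerate_id(true); // fresh session ID once the user is authenticated
    $_SESSION = $user;           // username and permissions only, never the password
}
var_dump(can($_SESSION, 'perms_edit'));
var_dump(can($_SESSION, 'perms_delete'));
var_dump(authenticate($db, 'editor', 'wrong password'));
```

On each admin page the same can($_SESSION, ...) check should guard the action handler itself, not only the menu link that leads to it.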
