Hello everyone, I'm new to these forums and I don't really know much, but this looks like a really good place to ask some PHP questions. To begin, I'm not really that good with PHP, but I'm good with HTML/CSS. I have started a new website where people can add blogs and admins can make updates on the main page using a simple "INSERT $fields into a database".
I have set up a userlevel field in the database containing the users, and the numbers are "1", which is the standard user and is given on sign-up, "5", which is a moderator, and "9", which is an administrator.
I have this piece of code defining this in constants.php:

<?php
define("ADMIN_NAME", "Admin");
define("MODERATOR_NAME", "Moderator");
define("GUEST_NAME", "Guest");
define("ADMIN_LEVEL", 9);
define("MODERATOR_LEVEL", 5);
define("USER_LEVEL", 1);
define("GUEST_LEVEL", 0);
?>

and in another file called sessions.php I have made a function for admins and moderators like this:

<?php
// Both are methods of the Session object that the pages use as $session.

/** isAdmin - Returns true if currently logged in user is an administrator, false otherwise. */
function isAdmin(){
    // compare against ADMIN_LEVEL (the original compared against MODERATOR_LEVEL here)
    return ($this->userlevel == ADMIN_LEVEL || $this->username == ADMIN_NAME);
}

/** isModerator - Returns true if currently logged in user is a moderator, false otherwise. */
function isModerator(){
    return ($this->userlevel == MODERATOR_LEVEL || $this->username == MODERATOR_NAME);
}
?>

OK, that works, because if my level is 9 and I put this piece of code in any page:

if($session->isAdmin()){
  code here
}

and it works the same with $session->isModerator() when my level is 5.

BUT here's the problem: if I use $session->isModerator() and place links, I can only see them if my level is 5. How can I fix this so that if my level is 9 I can see the isModerator functions and the isAdmin ones, but moderators can only see their functions? It's tricky to explain.

For example, I could have:

<?php
echo "You are logged in as $user";
if($session->isModerator()){
   echo " (<a href=\"#\">Moderator Base</a>)";
}
if($session->isAdmin()){
   echo " (<a href=\"#\">Admin Panel</a>)";
}
?>

So if you're a user you just see "You are logged in as $user", if you're a moderator you see that and the "Moderator Base" link, and if you're an admin you would see "You are logged in as $user", the "Moderator Base" link and the "Admin Panel" link??

It's tricky to explain, but if anyone can help me I would really appreciate it. Thank you for taking the time to read this.

    I always prefer to create roles and assign users to those roles. Then I just do a check like:

    <?php
    if ( $session->user_in_role('moderator') ) {
       //do moderator something...
    }
    ?>

    A user can be assigned to many roles. This lets you be very specific about what any given user can do.

      Yes, but that gives me the same problem once again: if they're in the role moderator then they will see the moderator code, and if they're in the role admin then they will see the admin code, but the admins still won't see the moderator code.

      Any advance on a simple way of changing my coding?

        Well, my point is, if you want to have more flexibility and avoid very long conditions in if statements (i.e. you want your application to grow more easily) then you may want to do a role-based permission system like I suggested. In your case, for the present, you can easily just do an "or" for your if statement condition:

        <?php
        if($session->isModerator() || $session->isAdmin()){
          code here
        } 
        ?>

        See how that if statement condition could get really big if you added several more static roles?

          I suppose I need to be more specific (sorry)...

          Works like this:

          create a users table, a roles table, and a user_roles table.

          next, create your roles in the roles table (numbers are auto incremented ids):

          1-guest
          2-regular
          3-moderator
          4-admin

          So say we have a user in our users table:
          1-you

          So we assign you all the roles in user_roles:
          userid-roleid
          1-1
          1-2
          1-3
          1-4

          This means, when we code it, that your user will pass any user_in_role() test.

          Now, when the user logs in, do a join query and put all those roles in a session array:

          So yours would be found in $_SESSION['roles'] (which you build on login) and would be equal to array('guest', 'regular', 'moderator', 'admin').

          Now you can very simply do a user_in_role() function:

          <?php
          function user_in_role($role) {
            // fails closed if nothing was loaded into the session yet
            if (!isset($_SESSION['roles'])) {
              return false;
            }
            return in_array($role, $_SESSION['roles']);
          }
          ?>

          This makes it so that if you encounter:

          <?php
          if($session->user_in_role('moderator')) {
            //do moderator-only thing
          }
          ?>

          ...or...

          <?php
          if($session->user_in_role('admin')) {
            //do admin-only thing
          }
          ?>

          Your user has access to both. The guest role may be redundant but you get the idea I hope.
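The login-time join query and the session array described in the post above, as an added example that is not part of the thread: the schema and rows are constructed in an in-memory SQLite database (this assumes the pdo_sqlite extension), and the table and column names (users, roles, user_roles, user_id, role_id) are assumptions that follow the post's sketch.

```php
<?php
// Added example: build $_SESSION['roles'] once at login from a
// users/roles/user_roles schema, then answer user_in_role() from the session.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
$db->exec('CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)');
$db->exec('CREATE TABLE user_roles (user_id INTEGER NOT NULL, role_id INTEGER NOT NULL,
           PRIMARY KEY (user_id, role_id))');

// Constructed data: the four roles from the post, alice holds all of them,
// bob is only a regular user.
$db->exec("INSERT INTO roles (id, name) VALUES (1,'guest'),(2,'regular'),(3,'moderator'),(4,'admin')");
$db->exec("INSERT INTO users (id, username) VALUES (1,'alice'),(2,'bob')");
$db->exec('INSERT INTO user_roles (user_id, role_id) VALUES (1,1),(1,2),(1,3),(1,4),(2,1),(2,2)');

// Runs once in the login handler: one join, result kept in the session, so
// later pages never re-query and never trust a role name sent by the browser.
function loadRoles(PDO $db, int $userId): array
{
    $stmt = $db->prepare(
        'SELECT r.name FROM roles r
           JOIN user_roles ur ON ur.role_id = r.id
          WHERE ur.user_id = :uid
          ORDER BY r.id'
    );
    $stmt->execute([':uid' => $userId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function user_in_role(string $role): bool
{
    // Missing key (no login yet) yields an empty list, so the check fails closed.
    return in_array($role, $_SESSION['roles'] ?? [], true);
}

// In a real page session_start() would precede this; here the superglobal is
// used as a plain array so the script runs from the command line.
foreach ([1 => 'alice', 2 => 'bob'] as $id => $name) {
    $_SESSION['roles'] = loadRoles($db, $id);   // what the login handler does
    $links = [];
    if (user_in_role('moderator')) { $links[] = 'Moderator Base'; }
    if (user_in_role('admin'))     { $links[] = 'Admin Panel'; }
    printf("%s has roles [%s]: %s\n", $name, implode(',', $_SESSION['roles']),
           $links ? implode(', ', $links) : 'no staff links');
}
```

Because alice's row set includes both moderator and admin, she passes both checks, which is exactly the behaviour the original poster wanted; the strict `in_array(..., true)` avoids PHP's loose comparison surprises if a non-string ever ends up in the roles array.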

            Couldn't you just do a >= comparison?

            function isAdmin()
            {
               return ($this->userLevel >= ADMIN_LEVEL);
            }
            function isModerator()
            {
               return ($this->userLevel >= MODERATOR_LEVEL);
            }
            // etc....
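The ordinal `>=` check from the post above, carried through to a small Session class, as an added example that is not code from the thread (the class, its constructor and the `hasLevel`/`requireLevel` names are assumptions; the constants match the poster's constants.php; PHP 7.4 or later is assumed). It also shows the check a practitioner wants alongside the link-hiding: the page behind the link must enforce the level too, since hiding a link is not authorization.

```php
<?php
// Added example: one level comparison instead of one method per role, plus
// server-side enforcement on the protected page.
define("ADMIN_LEVEL", 9);
define("MODERATOR_LEVEL", 5);
define("USER_LEVEL", 1);
define("GUEST_LEVEL", 0);

class Session
{
    private string $username;
    private int $userlevel;

    // The level comes from the user's database row fetched at login, never
    // from anything the browser sends (cookie, hidden field, query string).
    public function __construct(array $dbRow)
    {
        $this->username  = (string)$dbRow['username'];
        $this->userlevel = (int)$dbRow['userlevel'];
    }

    // Ordinal check: every level at or above $required passes, so an
    // administrator (9) passes the moderator (5) test automatically.
    public function hasLevel(int $required): bool
    {
        return $this->userlevel >= $required;
    }

    public function isModerator(): bool { return $this->hasLevel(MODERATOR_LEVEL); }
    public function isAdmin(): bool     { return $this->hasLevel(ADMIN_LEVEL); }

    // Call this at the top of admin_panel.php etc.: a user who types the URL
    // directly must be refused even though they never saw the link.
    public function requireLevel(int $required): void
    {
        if (!$this->hasLevel($required)) {
            http_response_code(403);
            exit('Forbidden');
        }
    }
}

// Constructed rows standing in for SELECT username, userlevel FROM users ...
$rows = [
    ['username' => 'alice', 'userlevel' => USER_LEVEL],
    ['username' => 'bob',   'userlevel' => MODERATOR_LEVEL],
    ['username' => 'carol', 'userlevel' => ADMIN_LEVEL],
];

foreach ($rows as $row) {
    $session = new Session($row);
    $links = [];
    if ($session->isModerator()) { $links[] = 'Moderator Base'; }
    if ($session->isAdmin())     { $links[] = 'Admin Panel'; }
    printf("%s: %s\n", $row['username'], $links ? implode(', ', $links) : '(no links)');
}
```

The numbering in the thread (1, 5, 9) leaves gaps, so new levels can be slotted in later without renumbering; the limitation of this scheme is that it is strictly linear, which is what the role and ACL replies below address.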
            

              Here's how I'd do it. I'd go over to http://framework.zend.com and download their 1.6 release (requires that you register for some ungodly reason). Then extract just Zend/Acl.php, Zend/Acl/* and Zend/Exception.php. Those few files allow you to then do something similar (albeit better) to what bretticus was trying to explain.

              With a properly set up Access Control List (ACL) you can define as many roles as you want, and customize them based upon what they can do. You say you have 4 roles: Guest, User, Moderator, Admin. Effectively you can say "Guests can only view posts", and Users can do anything a Guest can do PLUS create posts in their specific blog and comment on other blogs. With that, we can say Moderators can do all of what a User can do PLUS modify posts and comments in any blog (or whichever blogs they're associated with, if you want to limit them). Finally, Admin has all the Moderator's powers, except they can do anything globally, plus create new blogs.

              So you can see how the power tree works:

              |                 |  Guest  |  User  |  Moderator  |  Administrator  |
              +-----------------+---------+--------+-------------+-----------------+
              |  View           |   Yes   |   Yes  |     Yes     |       Yes       |
              |  Comment        |   No    |   Yes  |     Yes     |       Yes       |
              |  Post           |   No    |   Yes  |     Yes     |       Yes       |
              |  Edit Own       |   No    |   Yes  |     Yes     |       Yes       |
              |  Edit Others    |   No    |   No   |     Yes     |       Yes       |
              |  Edit Comments  |   No    |   No   |     Yes     |       Yes       |
              |  Create Blogs   |   No    |   No   |     No      |       Yes       |
              +-----------------+---------+--------+-------------+-----------------+

              User inherits guest; Moderator inherits User; Administrator inherits Moderator. So now you can generate your ACL properly. Here's a short example:

              <?php
              
              // the extracted Zend/ directory must be on the include_path
              require_once 'Zend/Acl.php';
              
              // Create a new access control list
              $acl = new Zend_Acl();
              
              // Create our roles
              $guest = new Zend_Acl_Role('guest');
              $user = new Zend_Acl_Role('user');
              $moderator = new Zend_Acl_Role('moderator');
              $administrator = new Zend_Acl_Role('administrator');
              
              // Add our roles to the ACL; the second argument is the parent role to inherit from
              $acl->addRole($guest);
              $acl->addRole($user, $guest);
              $acl->addRole($moderator, $user);
              $acl->addRole($administrator, $moderator);
              
              // Set up the permissions:
              // "null" means "any resource"...
              $acl->allow($guest, null, 'view');
              $acl->allow($user, null, array('post', 'edit-own', 'comment'));
              $acl->allow($moderator, null, array('edit-any', 'edit-comments'));
              $acl->allow($administrator, null, array('create'));
              
              /* Alternatively the above could be written with explicit resources.
                 Each resource has to be registered before it is used in allow():
              
              $acl->add(new Zend_Acl_Resource('post'));
              $acl->add(new Zend_Acl_Resource('comment'));
              $acl->add(new Zend_Acl_Resource('blog'));
              
              $acl->allow($guest, 'post', 'view');
              $acl->allow($user, 'post', array('create', 'edit-own'));
              $acl->allow($user, 'comment', 'create');
              $acl->allow($moderator, 'comment', 'edit');
              $acl->allow($moderator, 'post', 'edit-all');
              $acl->allow($administrator, 'blog', 'create');
              
              */

              Now you can query it like:

              $acl->isAllowed($userrole, null, $permission);

              That will return a boolean true or false. If you set up your permissions the alternative way (specifying resources) then you would query it like:

              $acl->isAllowed($userrole, $resource, $permission);

              For example...

              // First way
              $acl->isAllowed('guest', null, 'comment'); // False
              $acl->isAllowed('moderator', null, 'edit-own'); // True
              $acl->isAllowed('user', null, 'post'); // True
              $acl->isAllowed('user', null, 'create'); // False
              $acl->isAllowed('administrator', null, 'edit-any'); // True
              
              // Alternative way
              $acl->isAllowed('guest', 'post', 'edit'); // False
              $acl->isAllowed('moderator', 'comment', 'create'); // True
              $acl->isAllowed('user', 'blog', 'create'); // False
              $acl->isAllowed('user', 'post', 'edit-own'); // True
              $acl->isAllowed('administrator', 'blog', 'create'); // True

              Much more flexible, and you can even set these up in a database: have one table be user roles, another table with resources, and a third table with the mapping of role to resource and whether it's permitted or not.

              Just another alternative.
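To make the inheritance in the table above concrete without the Zend download, here is an added, dependency-free ACL that is neither the thread's code nor Zend_Acl: the `SimpleAcl` class and its method names are my own, chosen to mirror the calls in the post. It walks the parent chain on every `isAllowed()` query and denies anything it has no rule for, including unknown roles.

```php
<?php
// Added example: minimal ACL with role inheritance and deny-by-default,
// reproducing the Guest < User < Moderator < Administrator power tree.
class SimpleAcl
{
    private array $parents = [];   // role => parent role, or null for a root role
    private array $rules   = [];   // role => resource ('*' = any) => privilege => true

    public function addRole(string $role, ?string $parent = null): self
    {
        if ($parent !== null && !array_key_exists($parent, $this->parents)) {
            throw new InvalidArgumentException("Unknown parent role '$parent'");
        }
        $this->parents[$role] = $parent;
        return $this;
    }

    // A null resource means "any resource", as in the post's first variant.
    public function allow(string $role, ?string $resource, array $privileges): self
    {
        foreach ($privileges as $p) {
            $this->rules[$role][$resource ?? '*'][$p] = true;
        }
        return $this;
    }

    // Deny by default: only an explicit allow on the role itself or on one of
    // its ancestors grants the privilege.
    public function isAllowed(string $role, ?string $resource, string $privilege): bool
    {
        if (!array_key_exists($role, $this->parents)) {
            return false;   // unknown role fails closed
        }
        for ($r = $role; $r !== null; $r = $this->parents[$r]) {
            foreach ([$resource ?? '*', '*'] as $res) {
                if (!empty($this->rules[$r][$res][$privilege])) {
                    return true;
                }
            }
        }
        return false;
    }
}

$acl = (new SimpleAcl())
    ->addRole('guest')
    ->addRole('user', 'guest')
    ->addRole('moderator', 'user')
    ->addRole('administrator', 'moderator')
    ->allow('guest', 'post', ['view'])
    ->allow('user', 'post', ['create', 'edit-own'])
    ->allow('user', 'comment', ['create'])
    ->allow('moderator', 'post', ['edit-any'])
    ->allow('moderator', 'comment', ['edit'])
    ->allow('administrator', 'blog', ['create']);

// One row per role, matching the columns of the table in the post;
// 'nobody' is a role that was never registered and must get all zeros.
foreach (['guest', 'user', 'moderator', 'administrator', 'nobody'] as $role) {
    printf("%-13s view:%d post:%d edit-others:%d create-blog:%d\n", $role,
        $acl->isAllowed($role, 'post', 'view'),
        $acl->isAllowed($role, 'post', 'create'),
        $acl->isAllowed($role, 'post', 'edit-any'),
        $acl->isAllowed($role, 'blog', 'create'));
}
```

The rules here could equally be loaded from the three tables the post mentions (roles with a parent column, resources, and a role/resource/privilege mapping) in a loop of `addRole()` and `allow()` calls; the query side of the application only ever sees `isAllowed()`.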

                Thanks everyone for contributing, but for now I am just using the simple method as said above of using "$Moderator >= MODERATOR_LEVEL and $Admin >= ADMIN_LEVEL". As the coding gets more advanced I may change the way, but for now that will do 😛
                Thanks everyone for the help 😛
