multi level access - security


niladhar8@gmail.com
May 13th, 2009, 01:35 PM
I am using PHP with MySQL, and I wish to learn how I can have multi-level security on the back end of a website.

I want certain people to view certain pages, like the admin has complete control, and manager has 80% control, and end user has 40% or something like that.

I have used sessions to currently register the person who has the correct username and password ... below is the code

// On a successful match in the database (session_start() must already have run;
// session_register() is deprecated, so write to $_SESSION directly)
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword; // the password itself does not need to be kept in the session


and on every page I check the following



<?php
session_start();
// Send the visitor to the login page if no user is stored in the session
if (!isset($_SESSION['myusername'])) {
    header("Location: index.php");
    exit; // stop here; without exit the rest of the page is still sent to the client
}
?>



But now if I type the URL of a file that only the admin should have access to directly, it shows up.
Any help or pointers please.

Thanks

PeejAvery
May 13th, 2009, 02:13 PM
Within the database you should have permissions set on the users table. You could easily create specific columns and give them a Y or N depending on the rights.

niladhar8@gmail.com
May 13th, 2009, 11:25 PM
Within the database you should have permissions set on the users table. You could easily create specific columns and give them a Y or N depending on the rights.

Oh, yes I do understand that, but on the display interface I don't want to work it that way. Let me be a little more specific.

Say I have 2 files, general.php and non_generic.php. After the login authentication I wish to display general.php to normal users and non_generic.php to the admin. I can achieve this with an if condition and a redirection header, but if I go ahead and type the other file name into the URL it gives access to it. I have a session.php file included at the top of every page which checks whether the user who wants to view the page is logged in or not, and there I do try to check if the session ID I stored on the login check page still satisfies, but it doesn't work.

I hope you can provide me with an elaborate solution.

PeejAvery
May 14th, 2009, 06:16 AM
Within that session.php file, you should also be checking for rights at the top of every page. If your access levels only restrict access to certain pages, then why not just build an array of pages per user. Then to check for access, simply use in_array(). If the page doesn't exist in the user's array of pages, block the access or redirect away from the page.
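The per-page allowlist check described in the reply above, as an added example written for this thread (not the poster's code): a session.php included at the top of every page, which denies by default and stops execution after each redirect so a directly typed URL to non_generic.php no longer renders. The role names, the extra file names and the assumption that the login page stored the verified user's role in $_SESSION['role'] are all assumptions.

```php
<?php
// session.php: included at the top of every protected page (added example).
// Assumes the login page stored the user's role in $_SESSION['role'] after
// checking the credentials against the database.
session_start();

// Allowlist of pages per role; role names and file names are assumptions.
// A role can only reach the pages listed here; everything else is denied.
$pagesByRole = [
    'user'    => ['general.php', 'profile.php'],
    'manager' => ['general.php', 'profile.php', 'reports.php'],
    'admin'   => ['general.php', 'profile.php', 'reports.php', 'non_generic.php'],
];

function currentPage(): string
{
    // basename() strips the directory part, so the check is made on the
    // file actually being executed, whatever path the client requested.
    return basename($_SERVER['SCRIPT_NAME']);
}

function isAllowed(array $pagesByRole, ?string $role, string $page): bool
{
    // Missing or unknown role: deny by default instead of falling through.
    if ($role === null || !isset($pagesByRole[$role])) {
        return false;
    }
    // Strict comparison so only an exact file name matches.
    return in_array($page, $pagesByRole[$role], true);
}

if (!isset($_SESSION['myusername'])) {
    // Not logged in at all: back to the login page.
    header('Location: index.php');
    exit; // without exit the rest of the page is still rendered and sent
}

if (!isAllowed($pagesByRole, $_SESSION['role'] ?? null, currentPage())) {
    // Logged in, but this page is not in the role's list: redirect to the
    // page every role is entitled to rather than serving the restricted one.
    header('Location: general.php');
    exit;
}
```

Because the check runs from the page itself, it cannot be bypassed by skipping the redirect on the login page; any file that does not include session.php remains unprotected, so the include must be present on every page that is not meant to be public.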