Restricting Access to Menu Options

This is a discussion on Restricting Access to Menu Options within the PHP Language forums, part of the PHP Programming Forums category.
#1
03-06-2006
ward@
Restricting Access to Menu Options

Good morning everyone.

I'm building a very simple content management site that tracks
"tasks."

The options available are:
1. Add Task
2. Edit Task
3. View Task
4. Print Task

I need to restrict some users to only View and Print and I'm trying to
find a way to tell the page not to load the menu options (the text)
for those not having access to the Add and Edit functions.

IOW, they would only see View and Print.

I have three basic users:
1. System Admin
2. Subject Matter Expert (SME)
3. Viewers

Obviously the System Admin and SME will have full access so it's the
Viewers that are to have access to only View and Print.

I have a users table but haven't set it up for the distinction. What
I was thinking was creating a field labeled users_group and assign a
numeric value for each user using the numbering system above.

I have my page load the menu options:

<a href="home.php" class="navlink">Home</a><br />
<a href="view_tasks.php" class="navlink">View Tasks</a><br />
<a href="edit_task.php" class="navlink">Edit Task</a><br />
<a href="add_task.php" class="navlink">Add Task</a><br />

into here...

<BODY>

<table width="90%" border="1" cellspacing="10" cellpadding="0"
align="center">

<tr><td colspan="2"><h1 id="mainhead">ICAO Tasks —
WAFS</h1></td></tr>

<tr>
<td align= "center" valign="top" nowrap="nowrap" width="10%">
Menu<br />
<?php include ('./includes/menu.html'); ?>
</td>

<td valign="top" class="content">


How can I tell the system not to load the last two lines unless they
are a System Admin or SME?

I read a chapter on Cookies/Sessions...but it wasn't that helpful for
this case.

Can I setcookie('user_group', '3') and use that somehow???

Am I in the ballpark with this solution?

Thanks.

Ward

#2
03-06-2006
Gordon Burditt
Re: Restricting Access to Menu Options

>I'm building a very simple content management site that tracks
>"tasks."
>
>The options available are:
> 1. Add Task
> 2. Edit Task
> 3. View Task
> 4. Print Task
>
>I need to restrict some users to only View and Print and I'm trying to
>find a way to tell the page not to load the menu options (the text)
>for those not having access to the Add and Edit functions.


For an application like this it is very important that you check
if the user is authorized when they try to EXECUTE that function,
not just when they bring up the menu. Hint: users are added and
deleted, and they sometimes change jobs. Browsers cache pages and
people can manually type in links.

>IOW, they would only see View and Print.


Presumably, it is also important that they can only DO View and
Print.

>I have three basic users:
> 1. System Admin
> 2. Subject Matter Expert (SME)
> 3. Viewers
>
>Obviously the System Admin and SME will have full access so it's the
>Viewers that are to have access to only View and Print.


Do you already have a way of telling which type of user is logged
in? I recommend using sessions to store that info after getting
it from the login page.

>I have a users table but haven't set it up for the distinction. What
>I was thinking was creating a field labeled users_group and assign a
>numeric value for each user using the numbering system above.


Typically this sort of thing is done by an "access level" number.
It may be attached to individual users or groups of users. Each
function has an access level required to use it. This isn't suitable
for every setup (e.g. A needs privileges B doesn't have, and B needs
privileges A doesn't have), but it fits many situations.

>I have my page load the menu options:
>
><a href="home.php" class="navlink">Home</a><br />
><a href="view_tasks.php" class="navlink">View Tasks</a><br />
><a href="edit_task.php" class="navlink">Edit Task</a><br />
><a href="add_task.php" class="navlink">Add Task</a><br />


Then you'd typically do something like this:

<?php
// ... fetch $access_level from database based on user here ...
// Only emit the Add/Edit links when the user's level is high enough.
if ($access_level >= 5) {
    echo '<a href="edit_task.php" class="navlink">Edit Task</a><br />';
    echo '<a href="add_task.php" class="navlink">Add Task</a><br />';
}
?>
>
>into here...
>
><BODY>
>
><table width="90%" border="1" cellspacing="10" cellpadding="0"
>align="center">
>
> <tr><td colspan="2"><h1 id="mainhead">ICAO Tasks —
>WAFS</h1></td></tr>
>
><tr>
><td align= "center" valign="top" nowrap="nowrap" width="10%">
> Menu<br />
> <?php include ('./includes/menu.html'); ?>
></td>
>
><td valign="top" class="content">
>
>
>How can I tell the system not to load the last two lines unless they
>are a System Admin or SME?


Use conditional execution, probably within the included file.

>I read a chapter on Cookies/Sessions...but it wasn't that helpful for
>this case.


Yes, it can be. You can look up the access level at login and
set it in a session value. Later you can look at $_SESSION['access_level']
and allow or not allow certain actions. Session variables are
not stored on the browser but cookies are (and can be fiddled with).

>Can I setcookie('user_group', '3') and use that somehow???


If you don't have a way to tell what user is logged in, work
on that first. Cookies are stored on the browser, and therefore
they are forgeable. I recommend that you look at what user is
logged in, and check what access that user has *every* *single*
*page* where it matters. Don't forget that it's more important
to not let low-level users DO an update than it is to not let
low-level users see a menu item for an update.

Gordon L. Burditt
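The two halves of Gordon's advice (store the access level in the session at login, then check it both when rendering the menu and at the top of every script that performs the action) put together in one file, as an added example that is not code from either post. It keeps Ward's link targets and Gordon's $_SESSION['access_level'] key and ">= 5" threshold; everything else is assumed: the file name auth.php, a print_task.php script, a users table with id, username, password_hash and access_level columns, the three numeric levels, and the function names loginUser, rememberLogin, canRun, requireAccess and renderMenu.

```php
<?php
// auth.php -- added example, not from the original thread.
// Assumes a `users` table with columns id, username, password_hash
// (from password_hash()) and access_level (Ward's users_group idea,
// stored as an access level in Gordon's sense).
declare(strict_types=1);

// Assumed numeric levels: higher means more privilege.
const LEVEL_VIEWER = 1;   // View / Print only
const LEVEL_SME    = 5;   // Add / Edit as well (Gordon's ">= 5")
const LEVEL_ADMIN  = 9;

// Minimum level each script requires. The menu and the scripts both
// read this one table, so what is shown and what is enforced cannot drift.
const REQUIRED_LEVEL = [
    'home.php'       => LEVEL_VIEWER,
    'view_tasks.php' => LEVEL_VIEWER,
    'print_task.php' => LEVEL_VIEWER,   // assumed script name
    'edit_task.php'  => LEVEL_SME,
    'add_task.php'   => LEVEL_SME,
];

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // The session id cookie is the only thing the browser holds;
        // the access level itself stays server-side.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Called from login.php after the password check succeeds.
function rememberLogin(int $userId, int $accessLevel): void
{
    startSecureSession();
    session_regenerate_id(true);        // fresh id once privileges change
    $_SESSION['user_id']      = $userId;
    $_SESSION['access_level'] = $accessLevel;
}

// Looks the user up, verifies the password and records the level.
function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT id, password_hash, access_level FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    rememberLogin((int) $row['id'], (int) $row['access_level']);
    return true;
}

function currentAccessLevel(): int
{
    startSecureSession();
    return (int) ($_SESSION['access_level'] ?? 0);   // 0 = not logged in
}

function canRun(string $script): bool
{
    $needed = REQUIRED_LEVEL[$script] ?? PHP_INT_MAX;  // unknown script: deny
    return currentAccessLevel() >= $needed;
}

// First lines of every task script, e.g. add_task.php:
//     require 'auth.php';
//     requireAccess('add_task.php');
function requireAccess(string $script): void
{
    if (!canRun($script)) {
        http_response_code(403);
        exit('Not authorized.');
    }
}

// Replacement for includes/menu.html: links appear only for scripts the
// user may run. Hiding them is cosmetic; requireAccess() is the control.
function renderMenu(): string
{
    $labels = [
        'home.php'       => 'Home',
        'view_tasks.php' => 'View Tasks',
        'edit_task.php'  => 'Edit Task',
        'add_task.php'   => 'Add Task',
    ];
    $html = '';
    foreach ($labels as $script => $label) {
        if (canRun($script)) {
            $html .= sprintf(
                '<a href="%s" class="navlink">%s</a><br />' . "\n",
                htmlspecialchars($script, ENT_QUOTES),
                htmlspecialchars($label, ENT_QUOTES)
            );
        }
    }
    return $html;
}
```

In Ward's page the menu cell becomes `<?php require './auth.php'; echo renderMenu(); ?>`, and add_task.php and edit_task.php each start with `requireAccess(...)` so a Viewer who types the URL by hand, follows a cached page or has since been demoted gets a 403 rather than the form. A script missing from REQUIRED_LEVEL is denied rather than allowed, which is the failure mode to prefer when a new page is added and the table is not updated.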
