PHP/MySQL Permission Schema advice

Posted on 2011-04-18
Last Modified: 2012-05-11
I have a table that is laid out as so:

employee id   superman    admin    management    etc etc

Where each column is a permission set.  The values are either 0 or 1.

What I've been doing is in each program is the following:

if ($Superman == 1 || $Admin == 1) {
    // Run the program
} else {
    die("Not allowed");
}

What I'm wondering is how can I implement this better so I can handle all permissions and programs in the database table rather than hardcoding it in the database.

The only piece that is confusing to me is that one user may belong to three or four different groups.
Question by:t3chguy
    LVL 12

    Expert Comment

    by:Mohamed Abowarda
    Create functions that query member permissions and return bool true or false, something like:

    LVL 13

    Expert Comment

    You need a more complicated DB.

    Eg: tbl_users, tbl_groups, tbl_user_group

    relation between users and groups defined by tbl_user_group

    This way, you can manage your user permission on the fly.
    LVL 27

    Expert Comment

    by:Lukasz Chmielewski
    I think you need a little less complicated database. You can set up only one column with a single value which is related to permissions:
    1 - normal user
    2 - admin
    3 - superadmin

    Hardcoding it in the database is not entirely possible. Depending on the position on the page, you can check for only one value from the database.
    LVL 107

    Expert Comment

    by:Ray Paseur
    Have a look at this article and the examples.

    It implements a one-line protection scheme.  All you need to say is

    access_control();  // PASSWORD-PROTECT THIS PAGE

    Or in the alternative:

    if (access_control(TRUE)) { /* CLIENT IS ALREADY LOGGED IN */ }

    With a little creativity you might modify that design pattern to use some define() constants that are coordinated with columns in your user table. Then you could have a statement like this:


    The idea would be that the access_control function would do more than simply test the session "uid" field - it would test the permissions, as well, depending on the parameters passed to access_control().

    Does that make sense to you? ~Ray
    LVL 1

    Author Comment

    Thank you for the suggestions so far.  I have about 1000 programs for an international company, so I'm a little nervous to hardcode anything in the programs dealing with permissions and whatnot in case they decide to add access to another group.  

    What I had in mind was something like dsmile suggested above:

    Eg: tbl_users, tbl_groups, tbl_user_group

    relation between users and groups defined by tbl_user_group

    This way, you can manage your user permission on the fly.

    The only piece that I'm missing is what happens if one user belongs to two or three different groups?

    Can I just add them into the tbl_user_group more than once, one instance for each group?

    Also the hidden agenda behind this is building a dynamic navigation menu as well -> that shows only the links that each user group has access to.
    LVL 107

    Accepted Solution

    Couple of thoughts come to mind.  The three-table idea inserts the "pivot" or "junction" information into the tbl_user_group.  This table has two columns - the key of the user and the key of the group.  As such it implements a many-to-many relationship between rows in tbl_users and rows in tbl_groups.  Users can be in multiple groups and groups can have many users.  And yes, you can manage your user permission on the fly.

    That said, you can also manage your user permissions on the fly with a defining column or a few defining columns in the tbl_users.  

    Not sure what your thinking is about the dynamic navigation menu, but if you have an interest in security, you need to know which scripts should be exposed to which clients, and the scripts themselves need to work or not work depending on the permission set for the client.  In other words, simply omitting a link to a script does not provide an acceptable security solution.  That's why some kind of mapping between users and scripts might also make sense.
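    A worked version of the three-table design from the accepted solution, added here as an example (not code from the thread): tbl_user_group holds one row per membership so a user in several groups simply has several rows, and a tbl_group_script mapping lets every script run its own check while the same query feeds the menu. SQLite in-memory stands in for MySQL; the tbl_group_script table, user names and script names are constructed assumptions.

```python
import sqlite3

# Three-table design plus a group->script mapping. Plain SQL; VARCHAR/INTEGER
# types work in both MySQL and SQLite (SQLite in-memory stands in for MySQL here).
SCHEMA = """
CREATE TABLE tbl_users  (user_id  INTEGER PRIMARY KEY, username   VARCHAR(64) NOT NULL UNIQUE);
CREATE TABLE tbl_groups (group_id INTEGER PRIMARY KEY, group_name VARCHAR(64) NOT NULL UNIQUE);
CREATE TABLE tbl_user_group (                 -- junction: many-to-many users <-> groups
    user_id  INTEGER NOT NULL REFERENCES tbl_users(user_id),
    group_id INTEGER NOT NULL REFERENCES tbl_groups(group_id),
    PRIMARY KEY (user_id, group_id));         -- one row per membership, never duplicated
CREATE TABLE tbl_group_script (               -- which groups may run which script (assumed table)
    group_id INTEGER NOT NULL REFERENCES tbl_groups(group_id),
    script   VARCHAR(128) NOT NULL,
    PRIMARY KEY (group_id, script));
"""

def build_db():
    """Create the schema and load constructed sample data (hypothetical users/scripts)."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # MySQL/InnoDB enforces FKs by default
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO tbl_users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    db.executemany("INSERT INTO tbl_groups VALUES (?, ?)",
                   [(1, "admin"), (2, "management"), (3, "superman")])
    # alice belongs to two groups (two junction rows); bob to one
    db.executemany("INSERT INTO tbl_user_group VALUES (?, ?)", [(1, 1), (1, 2), (2, 2)])
    db.executemany("INSERT INTO tbl_group_script VALUES (?, ?)",
                   [(1, "payroll.php"), (2, "reports.php"), (3, "payroll.php"), (3, "config.php")])
    return db

def add_membership(db, user_id, group_id):
    """Add a user to one more group; False if that membership already exists (MySQL: INSERT IGNORE)."""
    cur = db.execute("INSERT OR IGNORE INTO tbl_user_group VALUES (?, ?)", (user_id, group_id))
    return cur.rowcount == 1

def user_can_access(db, user_id, script):
    """Per-script check each program runs itself: allowed if ANY of the user's groups maps to it."""
    row = db.execute("""
        SELECT 1 FROM tbl_user_group ug
        JOIN tbl_group_script gs ON gs.group_id = ug.group_id
        WHERE ug.user_id = ? AND gs.script = ? LIMIT 1""", (user_id, script)).fetchone()
    return row is not None

def allowed_scripts(db, user_id):
    """Menu builder: distinct union of scripts across all of the user's groups."""
    rows = db.execute("""
        SELECT DISTINCT gs.script FROM tbl_user_group ug
        JOIN tbl_group_script gs ON gs.group_id = ug.group_id
        WHERE ug.user_id = ? ORDER BY gs.script""", (user_id,)).fetchall()
    return [r[0] for r in rows]
```

Hiding a link via allowed_scripts() is only the menu; each script still calls user_can_access() before doing anything, which is the point the accepted solution makes.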
