

PHP/MySQL Permission Schema advice

Posted on 2011-04-18
Medium Priority
Last Modified: 2012-05-11
I have a table that is laid out as so:

employee id   superman    admin    management    etc etc

Where each column is a permission set.  The values are either 0 or 1.

What I've been doing in each program is the following:

if ($Superman == 1 || $Admin == 1) {
    // Run the program
} else {
    die("Not allowed");
}

What I'm wondering is how can I implement this better so I can handle all permissions and programs in the database table rather than hardcoding it in the database.

The only piece that is confusing to me is that one user may belong to three or four different groups.
Question by:t3chguy
LVL 12

Expert Comment

by:Mohamed Abowarda
ID: 35421620
Create functions that query about member permission and return bool true or false, something like:

LVL 13

Expert Comment

ID: 35421753
You need a more complicated DB.

Eg: tbl_users, tbl_groups, tbl_user_group

relation between users and groups defined by tbl_user_group

This way, you can manage your user permission on the fly.
LVL 27

Expert Comment

by:Lukasz Chmielewski
ID: 35422230
I think you need a little less complicated database. You can set up only one column with a single value which is related to a permission
1 - normal user
2 - admin
3 - superadmin

Hardcoding it in the database is not entirely possible. Depending on the position on the page, you can check for only one value from the database.


LVL 111

Expert Comment

by:Ray Paseur
ID: 35423815
Have a look at this article and the examples.

It implements a one-line protection scheme.  All you need to say is

access_control();  // PASSWORD-PROTECT THIS PAGE

Or in the alternative:

if (access_control(TRUE)) { /* CLIENT IS ALREADY LOGGED IN */ }

With a little creativity you might modify that design pattern to use some define() constants that are coordinated with columns in your user table. Then you could have a statement like this:


The idea would be that the access_control function would do more than simply test the session "uid" field - it would test the permissions, as well, depending on the parameters passed to access_control().

Does that make sense to you? ~Ray

Author Comment

ID: 35441380
Thank you for the suggestions so far.  I have about 1000 programs for an international company, so I'm a little nervous to hardcode anything in the programs dealing with permissions and whatnot in case they decide to add access to another group.  

What I had in mind was something like dsmile suggested above:

Eg: tbl_users, tbl_groups, tbl_user_group

relation between users and groups defined by tbl_user_group

This way, you can manage your user permission on the fly.

The only piece that I'm missing is what happens if one user belongs to two or three different groups?

Can I just add them into the tbl_user_group more than once, one instance for each group?

Also the hidden agenda behind this is building a dynamic navigation menu as well --> that shows only the links that each user group has access to.
LVL 111

Accepted Solution

Ray Paseur earned 2000 total points
ID: 35442538
Couple of thoughts come to mind.  The three-table idea inserts the "pivot" or "junction" information into the tbl_user_group.  This table has two columns - the key of the user and the key of the group.  As such it implements a many-to-many relationship between rows in tbl_users and rows in tbl_groups.  Users can be in multiple groups and groups can have many users.  And yes, you can manage your user permission on the fly.

That said, you can also manage your user permissions on the fly with a defining column or a few defining columns in the tbl_users.  

Not sure what your thinking is about the dynamic navigation menu, but if you have an interest in security, you need to know which scripts should be exposed to which clients, and the scripts themselves need to work or not work depending on the permission set for the client.  In other words, simply omitting a link to a script does not provide an acceptable security solution.  That's why some kind of mapping between users and scripts might also make sense.
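
The three-table layout and the user-to-script mapping described in the accepted answer, as an added example that is not part of the original thread. The tbl_group_script table, all column names and the sample rows are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs on its own.

```php
<?php
// Added example: constructed schema and data; SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("
    CREATE TABLE tbl_users  (user_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
    CREATE TABLE tbl_groups (group_id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
    -- Junction table: one row per membership, so a user in three groups has three rows.
    CREATE TABLE tbl_user_group (
        user_id  INTEGER NOT NULL REFERENCES tbl_users(user_id),
        group_id INTEGER NOT NULL REFERENCES tbl_groups(group_id),
        PRIMARY KEY (user_id, group_id));
    -- Hypothetical mapping of groups to scripts (table name not from the thread).
    CREATE TABLE tbl_group_script (
        group_id INTEGER NOT NULL REFERENCES tbl_groups(group_id),
        script   TEXT NOT NULL,
        PRIMARY KEY (group_id, script));
    INSERT INTO tbl_users  VALUES (1, 'alice'), (2, 'bob');
    INSERT INTO tbl_groups VALUES (1, 'admin'), (2, 'management'), (3, 'staff');
    INSERT INTO tbl_user_group VALUES (1, 1), (1, 2), (2, 3);
    INSERT INTO tbl_group_script VALUES
        (1, 'users.php'), (1, 'reports.php'), (2, 'reports.php'), (3, 'timesheet.php');
");

// Menu source: every script reachable through any of the user's groups.
function allowed_scripts(PDO $db, int $userId): array {
    $st = $db->prepare(
        'SELECT DISTINCT gs.script FROM tbl_user_group ug
           JOIN tbl_group_script gs ON gs.group_id = ug.group_id
          WHERE ug.user_id = ? ORDER BY gs.script');
    $st->execute([$userId]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Enforcement: called by the script itself; no matching row means denied.
function can_run(PDO $db, int $userId, string $script): bool {
    $st = $db->prepare(
        'SELECT 1 FROM tbl_user_group ug
           JOIN tbl_group_script gs ON gs.group_id = ug.group_id
          WHERE ug.user_id = ? AND gs.script = ? LIMIT 1');
    $st->execute([$userId, $script]);
    return $st->fetchColumn() !== false;
}

foreach ([1, 2] as $uid) {
    echo "user $uid menu: ", implode(', ', allowed_scripts($db, $uid)), "\n";
    echo "user $uid users.php: ", can_run($db, $uid, 'users.php') ? 'allowed' : 'denied', "\n";
}
```

Each protected script would call can_run() with the logged-in user's id and its own file name before doing any work, while the menu is built from allowed_scripts(), so granting a group access to another program is a single row insert rather than a code change.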
