
PHP/MySQL Permission Schema advice

I have a table that is laid out like so:

employee id   superman    admin    management    etc etc

Where each column is a permission set.  The values are either 0 or 1.

What I've been doing in each program is the following:

if ($Superman == 1 || $Admin == 1)
  {
  // Run the program
  }

else
  {
  die("Not allowed");   // missing closing quote in the original
  }

What I'm wondering is how can I implement this better so I can handle all permissions and programs in the database table rather than hardcoding it in the database.

The only piece that is confusing to me is that one user may belong to three or four different groups.
Asked by: t3chguy
 
Mohamed Abowarda (Software Engineer) commented:
Create functions that query about member permission and return bool true or false, something like:

isAdmin($id);
isSuperman($id);
dsmile commented:
You need a more complicated DB.

Eg: tbl_users, tbl_groups, tbl_user_group

relation between users and groups defined by tbl_user_group

This way, you can manage your user permission on the fly.
Lukasz Chmielewski commented:
I think you need a little less complicated database. You can set up only one column with a single value which is related to a permission level:
1 - normal user
2 - admin
3 - superadmin
etc.

Hardcoding it in the database is not entirely possible. Depending on the position on the page, you can check for only one value from the database.
Ray Paseur commented:
Have a look at this article and the examples.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

It implements a one-line protection scheme.  All you need to say is

access_control();  // PASSWORD-PROTECT THIS PAGE

Or in the alternative:

if (access_control(TRUE)) { /* CLIENT IS ALREADY LOGGED IN */ }

With a little creativity you might modify that design pattern to use some define() constants that are coordinated with columns in your user table. Then you could have a statement like this:

access_control(USER_ADMIN);

The idea would be that the access_control function would do more than simply test the session "uid" field - it would test the permissions, as well, depending on the parameters passed to access_control().

Does that make sense to you? ~Ray
t3chguy (Author) commented:
Thank you for the suggestions so far.  I have about 1000 programs for an international company, so I'm a little nervous to hardcode anything in the programs dealing with permissions and whatnot in case they decide to add access to another group.  

What I had in mind was something like dsmile suggested above:

Eg: tbl_users, tbl_groups, tbl_user_group

relation between users and groups defined by tbl_user_group

This way, you can manage your user permission on the fly.

The only piece that I'm missing is what happens if one user belongs to two or three different groups?

Can I just add them into the tbl_user_group more than once, one instance for each group?

Also, the hidden agenda behind this is building a dynamic navigation menu as well, one that shows only the links that each user group has access to.
Ray Paseur commented:
Couple of thoughts come to mind.  The three-table idea inserts the "pivot" or "junction" information into the tbl_user_group.  This table has two columns - the key of the user and the key of the group.  As such it implements a many-to-many relationship between rows in tbl_users and rows in tbl_groups.  Users can be in multiple groups and groups can have many users.  And yes, you can manage your user permission on the fly.

That said, you can also manage your user permissions on the fly with a defining column or a few defining columns in the tbl_users.  

Not sure what your thinking is about the dynamic navigation menu, but if you have an interest in security, you need to know which scripts should be exposed to which clients, and the scripts themselves need to work or not work depending on the permission set for the client.  In other words, simply omitting a link to a script does not provide an acceptable security solution.  That's why some kind of mapping between users and scripts might also make sense.
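As an added example that is not code from the thread (neither the author's programs, dsmile's suggestion, nor Ray's article), here is the three-table schema carried through to Ray's last point: a user in several groups is simply several rows in the junction table, and every script runs the same database-driven check rather than trusting that its link was hidden. SQLite stands in for MySQL so it runs offline; the group-to-script table tbl_group_script, and the sample users, groups and script names, are assumptions made for this illustration.

```python
"""Added example (not from the thread): users <-> groups <-> scripts in SQLite.
tbl_group_script and all sample rows are assumptions made for this illustration."""
import sqlite3

SCHEMA = """
CREATE TABLE tbl_users  (user_id  INTEGER PRIMARY KEY, username  TEXT NOT NULL UNIQUE);
CREATE TABLE tbl_groups (group_id INTEGER PRIMARY KEY, group_name TEXT NOT NULL UNIQUE);
-- Junction table: one row per (user, group).  A user in four groups is four
-- rows; the composite key stops the same pair from being inserted twice.
CREATE TABLE tbl_user_group (
    user_id  INTEGER NOT NULL REFERENCES tbl_users(user_id),
    group_id INTEGER NOT NULL REFERENCES tbl_groups(group_id),
    PRIMARY KEY (user_id, group_id)
);
-- Assumed table (not in the thread): which scripts each group may run.
CREATE TABLE tbl_group_script (
    group_id INTEGER NOT NULL REFERENCES tbl_groups(group_id),
    script   TEXT NOT NULL,
    PRIMARY KEY (group_id, script)
);
"""

# Constructed sample data: alice and carol each belong to two groups.
SAMPLE_DATA = """
INSERT INTO tbl_users  VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
INSERT INTO tbl_groups VALUES (1, 'superman'), (2, 'admin'), (3, 'management');
INSERT INTO tbl_user_group VALUES (1, 1), (1, 2), (2, 3), (3, 2), (3, 3);
INSERT INTO tbl_group_script VALUES
    (1, 'payroll.php'), (2, 'payroll.php'), (2, 'users.php'), (3, 'reports.php');
"""


def open_db():
    """In-memory database loaded with the schema and the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def user_groups(conn, user_id):
    """All groups a user belongs to (the multi-membership case)."""
    rows = conn.execute(
        "SELECT g.group_name FROM tbl_groups g"
        " JOIN tbl_user_group ug ON ug.group_id = g.group_id"
        " WHERE ug.user_id = ? ORDER BY g.group_name", (user_id,))
    return [r[0] for r in rows]


def in_any_group(conn, user_id, *group_names):
    """Database-driven form of `if ($Superman == 1 || $Admin == 1)`.
    Group names are bound as parameters, never spliced into the SQL."""
    if not group_names:
        return False
    placeholders = ",".join("?" * len(group_names))
    row = conn.execute(
        "SELECT 1 FROM tbl_user_group ug"
        " JOIN tbl_groups g ON g.group_id = ug.group_id"
        " WHERE ug.user_id = ? AND g.group_name IN (" + placeholders + ") LIMIT 1",
        (user_id, *group_names)).fetchone()
    return row is not None


def access_control(conn, user_id, script):
    """The check each script runs for itself: allowed only if one of the
    user's groups is mapped to this script.  Anything unmapped is denied."""
    row = conn.execute(
        "SELECT 1 FROM tbl_user_group ug"
        " JOIN tbl_group_script gs ON gs.group_id = ug.group_id"
        " WHERE ug.user_id = ? AND gs.script = ? LIMIT 1",
        (user_id, script)).fetchone()
    return row is not None


def menu_for(conn, user_id):
    """Links for the navigation menu, built from the same mapping that
    access_control() enforces, so the menu never offers a denied script."""
    rows = conn.execute(
        "SELECT DISTINCT gs.script FROM tbl_group_script gs"
        " JOIN tbl_user_group ug ON ug.group_id = gs.group_id"
        " WHERE ug.user_id = ? ORDER BY gs.script", (user_id,))
    return [r[0] for r in rows]


def grant_group(conn, user_id, group_name):
    """Add a user to a group on the fly; repeating the grant is a no-op."""
    row = conn.execute("SELECT group_id FROM tbl_groups WHERE group_name = ?",
                       (group_name,)).fetchone()
    if row is None:
        raise ValueError("unknown group: " + group_name)
    conn.execute("INSERT OR IGNORE INTO tbl_user_group VALUES (?, ?)",
                 (user_id, row[0]))
    conn.commit()


if __name__ == "__main__":
    db = open_db()
    for uid, name in db.execute("SELECT user_id, username FROM tbl_users"):
        print(name, user_groups(db, uid), menu_for(db, uid),
              "payroll.php allowed:", access_control(db, uid, "payroll.php"))
```

Adding a group to a script, or a user to a group, is then an INSERT rather than an edit to any of the thousand programs; each program's first line stays `access_control(...)` with its own script name, and the menu and the check can never disagree because they read the same rows.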