|
|
Posted by Gordon Burditt on 03/06/06 17:55
>I'm building a very simple content management site that tracks
>"tasks."
>
>The options available are:
> 1. Add Task
> 2. Edit Task
> 3. View Task
> 4. Print Task
>
>I need to restrict some users to only View and Print and I'm trying to
>find a way to tell the page not to load the menu options (the text)
>for those not having access to the Add and Edit functions.
For an application like this it is very important that you check
if the user is authorized when they try to EXECUTE that function,
not just when they bring up the menu. Hint: users are added and
deleted, and they sometimes change jobs. Browsers cache pages and
people can manually type in links.
>IOW, they would only see View and Print.
Presumably, it is also important that they can only DO View and
Print.
>I have three basic users:
> 1. System Admin
> 2. Subject Matter Expert (SME)
> 3. Viewers
>
>Obviously the System Admin and SME will have full access so it's the
>Viewers that are to have access to only View and Print.
Do you already have a way of telling which type of user is logged
in? I recommend using sessions to store that info after getting
it from the login page.
>I have a users table but haven't set it up for the distinction. What
>I was thinking was creating a field labeled users_group and assign a
>numeric value for each user using the numbering system above.
Typically this sort of thing is done by an "access level" number.
It may be attached to individual users or groups of users. Each
function has an access level required to use it. This isn't suitable
for every setup (e.g. A needs privileges B doesn't have, and B needs
privileges A doesn't have), but it fits many situations.
>I have my page load the menu options:
>
><a href="home.php" class="navlink">Home</a><br />
><a href="view_tasks.php" class="navlink">View Tasks</a><br />
><a href="edit_task.php" class="navlink">Edit Task</a><br />
><a href="add_task.php" class="navlink">Add Task</a><br />
Then you'd typically do something like this:
... fetch $access_level from database based on user here ...
if ($access_level >= 5) {
echo '<a href="edit_task.php" class="navlink">Edit Task</a><br />';
echo '<a href="add_task.php" class="navlink">Add Task</a><br />';
}
>
>into here...
>
><BODY>
>
><table width="90%" border="1" cellspacing="10" cellpadding="0"
>align="center">
>
> <tr><td colspan="2"><h1 id="mainhead">ICAO Tasks —
>WAFS</h1></td></tr>
>
><tr>
><td align= "center" valign="top" nowrap="nowrap" width="10%">
> Menu<br />
> <?php include ('./includes/menu.html'); ?>
></td>
>
><td valign="top" class="content">
>
>
>How can I tell the system not to load the last two lines unless they
>are a System Admin or SME?
Use conditional execution, probably within the included file.
>I read a chapter on Cookies/Sessions...but it wasn't that helpful for
>this case.
Yes, it can be. You can look up the access level at login and
set in a session value. Later you can look at $_SESSION['access_level']
and allow or not allow certain actions. Session variables are
not stored on the browser but cookies are (and can be fiddled with).
>Can I setcookie('user_group', '3') and use that somehow???
If you don't have a way to tell what user is logged in, work
on that first. Cookies are stored on the browser, and therefore
they are forgable. I recommend that you look at what user is
looked in, and check what access that user has *every* *single*
*page* where it matters. Don't forget that it's more important
to not let low-level users DO an update than it is to not let
low-level users see a menu item for an update.
Gordon L. Burditt
Navigation:
[Reply to this message]
|