
My First Access Levels Script — Rip it apart please

I have a simple login script that has access levels (admin, full access, limited access, etc.).

If you log in as the user "rocker" you get two rock bands. If you log in as "hippie" you get two hippie bands. If you log in as "fullaccess" you get to see all bands.

Working demo of it is here:
[url]http://www.psylicyde.com/_old/bandauth/login.php[/url]

Download source files here (4 PHP files + SQL file):
[url]http://www.psylicyde.com/_old/bandauth/bandauth.zip[/url]

1) What I need help with is how to handle the access levels so that it is perhaps a global function? Please inspect my get_access function. How can it be improved and implemented better?

2) Is it possible to put the user access level, username and user id into an array WITHIN the session variable so that I can call any of the three variables ($access, $username, $u_id) from any page?

3) The login script itself is weak, and simple, please focus on the best methods for granting access levels.

[code=php]function get_access($username, $u_id) { // get access level and act according to permissions

    dbConnect();
    // escape the username before it goes into the query; $u_id is cast to int further down
    $safe_username = mysql_real_escape_string($username);
    $result = mysql_query("SELECT * FROM user WHERE username='$safe_username'");

    while ($row = mysql_fetch_assoc($result)) {
        $access = $row['access'];

        if ($access == 0) {
            /*
             * Admin access
             *
             */
            echo "<p>You are an admin.</p>";

        } else if ($access == 1) {
            /*
             * Full access - print all rows
             *
             */
            echo "<p>You have full access.</p>";
            // separate variables for the band query so the user result set above is not overwritten
            $bands = mysql_query("SELECT * FROM band WHERE 1=1");

            echo "<ul>";
            while ($band = mysql_fetch_assoc($bands)) {
                $company = htmlspecialchars($band['company']);
                $description = htmlspecialchars($band['description']);
                echo "<li>$company - $description</li>";
            }
            echo "</ul>";

        } else if ($access == 2) {
            /*
             * Limited Access - get permissions from permissions table, print rows they are allowed to see.
             *
             */
            echo "<p>You have limited access.</p>";
            $bands = mysql_query("SELECT b.company
                , b.description
                FROM user AS u
                INNER JOIN permissions AS p
                ON p.u_id = u.u_id
                INNER JOIN band AS b
                ON b.b_id = p.b_id
                WHERE u.u_id = " . (int) $u_id);

            echo "<ul>";
            while ($band = mysql_fetch_assoc($bands)) {
                $company = htmlspecialchars($band['company']);
                $description = htmlspecialchars($band['description']);
                echo "<li>$company - $description</li>";
            }
            echo "</ul>";

        } else if ($access == 3) {
            /*
             * Registered user - no access, but allowed to log in.
             *
             */
            echo "<p>You are a registered user, but you have no access.</p>";
        }
    }
}[/code]

Thanks and I hope this helps someone else too! I will repost the source code if I can get it tighter.

9 Comment(s)

@SyCo Sep 03.2008 — I'm surprised you don't have 15 different ways suggested to do this already!

I think the way you're doing this is definitely on the right track. I would suggest the get_access () function only returns the access level number. Once you have that access level available to your script you can show the appropriate tools through the page (like edit buttons or admin stats etc). You can pass that into other functions and all from a single look up. So get_access($username) would return the access level and show_bands($access_level) would show the band based on privilege.

I'm guessing you don't want a full critique on the content of the function :p
@ripcurlksm (author) Sep 03.2008 — ah, I see ... makes sense...

I'll take any critique on the content of the function too!
@NogDog Sep 03.2008 — My initial thought here is that this could probably be merged into the login process, then the access info would be saved in the $_SESSION data along with whatever other user/login data you save there. (I am, of course, assuming you are using a sessions-based login mechanism.)

Therefore it would hopefully only require one query (with applicable JOINs) during the login process to get all the access data as well. Then any time you need to check a user's access level for a given page or section of a page, you would just check the existence and value of the designated $_SESSION array element.
@Nightcat Sep 03.2008 — Start a session on your login page

[code=php]session_start();[/code]

Set up a session variable

[code=php]$_SESSION['access_level'];[/code]

Then assign a value you get from the get_access () function

[code=php]$_SESSION['access_level']=get_access ();[/code]

Then you can use this variable as a check in every page


That's the basics, I'm sure you'll be able to work out the details yourself
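A worked version of the one-query-at-login approach NogDog and Nightcat describe, written for this thread as an added example (it is not code from the poster's zip). It swaps the thread's mysql_* calls for PDO prepared statements, and assumes a $pdo connection and a user table whose password column holds password_hash() output; the thread does not show how passwords are stored.

```php
<?php
// Added example, not the original poster's code. Assumes the thread's
// user(u_id, username, password, access) table and an open PDO connection $pdo.
session_start();

function login($pdo, $username, $password) {
    // One prepared query fetches everything the rest of the site needs to know.
    $stmt = $pdo->prepare(
        'SELECT u_id, username, access, password FROM user WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against the stored hash; this is the only place the password is touched.
    if (!$row || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id once the user is authenticated
    $_SESSION['user'] = array(            // the array inside the session the OP asked about (Q2)
        'u_id'     => (int) $row['u_id'],
        'username' => $row['username'],
        'access'   => (int) $row['access'],
    );
    return true;
}

// Call at the top of any protected page. Lower number = more privilege,
// as in the thread (0 admin, 1 full, 2 limited, 3 registered only).
function require_access($max_level) {
    if (empty($_SESSION['user']) || $_SESSION['user']['access'] > $max_level) {
        header('Location: login.php');
        exit;
    }
    return $_SESSION['user'];
}

// Usage on a page only admins and full-access users may see:
// $user = require_access(1);
// echo '<p>Hello, ' . htmlspecialchars($user['username']) . '</p>';
```

Each page checks the session, not the database, so the access level costs one query per login rather than one per page.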
@Nightcat Sep 03.2008 — [QUOTE=NogDog]My initial thought here is that this could probably be merged into the login process, then the access info would be saved in the $_SESSION data along with whatever other user/login data you save there. (I am, of course, assuming you are using a sessions-based login mechanism.)

Therefore it would hopefully only require one query (with applicable JOINs) during the login process to get all the access data as well. Then any time you need to check a user's access level for a given page or section of a page, you would just check the existence and value of the designated $_SESSION array element.[/QUOTE]

I guess we were thinking along the same lines ?
@SyCo Sep 04.2008 — In one site I work on (a massive online university program) the security requirements run at about 50 different levels, so rather than store all that in the SESSION I only carry the userid and a secret key made up from other unique elements. Both are stored at login in the session. The key makes SESSION hijacking that much harder and there are fewer resource requirements per user. The trade-off is the extra look-up per page. Originally it was all stored in the session, and as the system grew so did the security requirements, eventually to the point where a rethink was required.

In another, much smaller site I built years ago (my very first and it badly needs a rewrite!!) there are just user and admin levels and that is stored in the SESSION. The security requirements are pretty low and the user base is in the hundreds not the thousands, so it does the job.

I suppose what I'm saying in a very long winded way is the system should be designed with future growth in mind.
@SyCo Sep 04.2008 — [QUOTE=ripcurlksm]I'll take any critique on the content of the function too![/QUOTE]

Best to decide on your access levels, do the code rewrite and start a new thread for the function.

This is what I noticed, and thought you must still be in the early stages of writing the function:
[CODE]SELECT * FROM band WHERE 1=1[/CODE]
I'm guessing 1 is going to always equal 1 in this case. ?
@ripcurlksm (author) Sep 04.2008 — some thoughts as I am working on this, along with your great comments...

My main concern right now is two levels - (1) full access and (2) limited access.

Full access is easy, select all bands. (I read along the way that it is good practice to always have a WHERE argument in a statement, so 1=1 is always true. Advise if this is unneeded.)

[B]Question 1A[/B]

Limited access requires a query on the permissions table. Storing the access level in the session is great, but I still need to query the permissions table every time. What is the most efficient way to store this query to remember on each page?

[B]Question 1B[/B]

Can I have two session variables or multiple variables in a session?

[code=php]$_SESSION['access_level'] = get_access();
$_SESSION['valid_user'] = $username;
$_SESSION['permissions'] = get_bands();[/code]

[B]Question 1C[/B]

In my project, most users will have full access, but some will have permissions that are up to 300 band IDs... is this too much to store in a session? Is it possible

[B]Question 2[/B]

Another use of the "limited access user" -- say the "rocker" user. They have permission to view the rock bands. But let's say I also have a search feature, and they search for a word that returns results that are both rock and hippie. They should be able to see that we have that band, but, for example, they can't listen to it. Like this:

[QUOTE]Your search results for "highway"

1) Highway To Hell - AC/DC (click to listen)

2) Life Is A Highway - Tom Cochrane - (we have it, but you don't have permission!)[/QUOTE]


Can/should I query their permissions on login and store it in the session to use on any page or search result?

I imagine the search would be - SELECT * bands

But when I print the bands, there would be a function to check the permissions table (or a stored value from a session array?) so it knows to print either "listen" or "you do not have permission to listen". Users must know the band is there, but access is restricted for them.


[B]Question 3[/B]
[QUOTE=SyCo]show_bands($access_level)[/QUOTE]
Politely, this seems like it's too open, because their access level is only a first step. Knowing that they are access level 2 means a limited user; there is still another step to query the database.

I am seeing something like this:
[code=php]function get_access_level($username) {
    // returns 1, 2 or 3 (3 = registered, no access, if the user is not found)
    $safe_username = mysql_real_escape_string($username);
    $result = mysql_query("SELECT access FROM user WHERE username='$safe_username'");
    $row = mysql_fetch_assoc($result);
    return $row ? (int) $row['access'] : 3;
}

function get_bands($username, $access) {
    if ($access == 1) {
        // select * from band
        return mysql_query("SELECT b_id, company, description FROM band");
    } else if ($access == 2) {
        // select * from band where permissions are applied
        $safe_username = mysql_real_escape_string($username);
        return mysql_query("SELECT b.b_id, b.company, b.description
            FROM user AS u
            INNER JOIN permissions AS p ON p.u_id = u.u_id
            INNER JOIN band AS b ON b.b_id = p.b_id
            WHERE u.username = '$safe_username'");
    } else {
        // you do not have access
        return false;
    }
}

// usage: $bands = get_bands($username, get_access_level($username));[/code]


You are intelligent and experienced in this matter, what am I missing?


Thanks for any input you can give or examples for sessions..
@ripcurlksm (author) Sep 12.2008 — bump

EDIT: Also, what if on login I query and store all band_ids into an array in the session? Is this bad practice? It seems like if I get a permissions list that was maintained throughout their session, I can control what they see on any page from just one query.. for the most part
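An added example (not the poster's code) for Question 1C, Question 2 and the EDIT above: cache the permitted band ids in the session once at login, then decide per search row whether to show "listen". It assumes $_SESSION['user'] with u_id and access was set at login, an open PDO connection $pdo, and the thread's permissions(u_id, b_id) and band(b_id, company, description) tables; the thread's mysql_* calls are replaced by PDO prepared statements.

```php
<?php
// Added example, not from the thread. Assumes $_SESSION['user'] (keys u_id, access)
// was filled in at login, a PDO connection $pdo, and the thread's permissions and band tables.
session_start();

// Run once, right after login: cache the permitted band ids in the session.
// Ids are stored as array keys so the per-row check below is an isset(), not a scan.
function load_permissions($pdo, $u_id) {
    $stmt = $pdo->prepare('SELECT b_id FROM permissions WHERE u_id = ?');
    $stmt->execute(array($u_id));
    $ids = array();
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $b_id) {
        $ids[(int) $b_id] = true;
    }
    $_SESSION['band_ids'] = $ids;   // a few hundred ints is a small session payload
}

// Level 0/1 may listen to anything, level 2 only to bands in the cache,
// level 3 to nothing. Deny when the session is missing or malformed.
function can_listen($b_id) {
    if (empty($_SESSION['user'])) {
        return false;
    }
    $access = (int) $_SESSION['user']['access'];
    if ($access <= 1) {
        return true;
    }
    if ($access == 2) {
        return isset($_SESSION['band_ids'][(int) $b_id]);
    }
    return false;
}

// Search lists every matching band, but offers the "listen" action only where permitted.
function search_bands($pdo, $term) {
    $stmt = $pdo->prepare(
        'SELECT b_id, company, description FROM band WHERE company LIKE ?');
    $stmt->execute(array('%' . $term . '%'));
    echo '<ul>';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $label = htmlspecialchars($row['company'] . ' - ' . $row['description']);
        echo '<li>' . $label . ' ';
        echo can_listen($row['b_id'])
            ? '<a href="listen.php?b_id=' . (int) $row['b_id'] . '">listen</a>'
            : '(we have it, but you do not have permission!)';
        echo '</li>';
    }
    echo '</ul>';
}
```

The link label is only a hint: the page that actually serves the audio (listen.php here, assumed) must call can_listen() on the requested b_id itself, since a user can type the URL without clicking the link.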