Page access to certain ranks from mysql

Hi guys, so I want to make page access to certain ranks.

So I'm thinking of something like this:

rank1 -> home.php, admins.php
rank2 -> home.php
rank3 -> home.php
rank4 -> home.php

So the ranks are in a database with the page names. So now when someone logs in they will get a certain rank. So now I need to make a function that will check if the rank has access to this page.

$curPageName = substr($_SERVER["SCRIPT_NAME"], strrpos($_SERVER["SCRIPT_NAME"], "/") + 1);

This will detect the current page that the logged in person is at now. But now how do I check if the $_SESSION['rank'] (rank1) has the access to get in page admins.php, and obviously to make $_SESSION['rank'] (rank2) redirect from the page admins.php?

Could someone point me in the right direction? Do I select the ranks and page names from the database then put them into an array?

Thanks.

This is quite a meaty problem, so I’ve given an overview here and we’ll help if you get stuck anywhere.

This is a common problem in application design; the common terminology for “ranks” is roles, and each role is given a set of permissions. So in your example rank 1 would have view_home_page and use_admin_page, and the other ranks would just have view_home_page. This sounds complicated, but is the best way to keep things organised as you add more sections or want more control.

In your database your user table has a new column role_id which links to a new table roles. The role table stores role names and ids. You also have a new table permission which stores your permission names and ids. Finally you have a link table role_permission to attach permissions to roles by storing a role id next to a permission id.

You write a new function requirePermission($permission_name) that checks if the logged in user has the passed permission by cross referencing the user’s role and the permissions attached to it. If the user doesn’t have the permission you either redirect to the home page, or just return an error.

Once you have all this in place, you can use the new function at the top of your admin page:

requirePermission('use_admin_page');

and only logged in users with the correct permission will be able to view the page.

If you want to find out more on your own, “access control” is another common name for this kind of system.
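A sketch of the roles and permissions layout described in the answer above, as an added example that is not part of the original posts. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs without a server, a `$_SESSION['user_id']` set at login, and constructed sample rows; the column names and `userHasPermission()` are hypothetical.

```php
<?php
// Added example: constructed schema and rows; in-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("
    CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
    CREATE TABLE permission (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
    CREATE TABLE role_permission (role_id INTEGER, permission_id INTEGER,
                                  PRIMARY KEY (role_id, permission_id));
    CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, role_id INTEGER);
    INSERT INTO roles VALUES (1, 'rank1'), (2, 'rank2');
    INSERT INTO permission VALUES (1, 'view_home_page'), (2, 'use_admin_page');
    INSERT INTO role_permission VALUES (1, 1), (1, 2), (2, 1);
    INSERT INTO user VALUES (10, 'alice', 1), (11, 'bob', 2);
");

// True only if the user's role is linked to the named permission.
function userHasPermission(PDO $db, int $userId, string $permission): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM user u
           JOIN role_permission rp ON rp.role_id = u.role_id
           JOIN permission p ON p.id = rp.permission_id
          WHERE u.id = ? AND p.name = ? LIMIT 1'
    );
    $stmt->execute([$userId, $permission]);
    return $stmt->fetchColumn() !== false;
}

// Page guard: anything other than a confirmed grant stops the script.
function requirePermission(PDO $db, string $permission): void
{
    $userId = $_SESSION['user_id'] ?? null; // assumption: stored at login
    if ($userId === null || !userHasPermission($db, (int) $userId, $permission)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed checks: alice (rank1) has the admin permission, bob (rank2) does not.
var_dump(userHasPermission($db, 10, 'use_admin_page'));
var_dump(userHasPermission($db, 11, 'use_admin_page'));
var_dump(userHasPermission($db, 11, 'view_home_page'));
```

Because the role is read from the database on every request, a change to a user's role or to a role's permissions takes effect on the next page load without touching the session.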

So I did something like this

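function checkAdmin($website) {
    // Name of the script being requested, e.g. admins.php
    $curPageName = substr($_SERVER["SCRIPT_NAME"], strrpos($_SERVER["SCRIPT_NAME"], "/") + 1);

    // Look up the permission row for this page
    $getPagePerm = $website->prepare('SELECT * FROM admin_permission WHERE site = ?');
    $getPagePerm->bind_param('s', $curPageName);
    $getPagePerm->execute();
    $getPagePermR = $getPagePerm->get_result();
    $getPagePermNow = $getPagePermR->fetch_assoc();
    $getPagePerm->close();

    // Allow only an explicit 'yes' in the column for the session's rank
    $rank = $_SESSION['rank'] ?? '';
    if (is_array($getPagePermNow) && ($getPagePermNow[$rank] ?? 'no') === 'yes') {
        return true;
    }

    // Missing page row, unknown rank or 'no': redirect and stop the script,
    // otherwise the rest of the page would still run after header()
    header("Location: 401.html");
    exit;
}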

So I basically just have to add the name of the page into the database and ‘yes’ or ‘no’ for those ranks in the same database.

It works fine at the moment. Do you think this is a good solution?

If it works, great! It’s not going to grow very well as your system gets larger; think about how you’d have to change your database every time you add a new page to your app.
