Question

I need to make a system in PHP which will use several links on the homepage, but not all users are allowed to see these, depending on which group of user logs in:

  1. Guests - may write something in the guestbook but may not alter them
  2. Employees - may create guests and see their booking and alter the guestbook
  3. Managers - they may have every link that's available.

But the links may not be scattered and must be contained to the homepage and must be hidden if you're not in the right group.

Can someone give an example of how something like this can be accomplished within PHP or send me in the right direction?


Solution 2

Give each user a number to identify what category they belong to. For example guests would be 1, employees would be 2 and managers would be 3. Then when they log in you store this inside a session.

To display a link for any given category you can do this. Just change the number for each category.

    <?php if( $_SESSION[ 'user' ][ 'category' ] == 3 ) : ?>
        <a href="https://www.google.co.uk">Link for a manager</a>
    <?php endif; ?>

Other tips

What you are looking for is often referred to as AC (access control). One of the most popular is RBAC (role-based access control) because it allows you to group your users/accounts into groups and give those groups certain privileges.

Let's go through the design steps of a minimal setup:

Basically what you are saying is that you have some sort of accounts already for your users (except Guest, because that is a not-logged-in user). Now what the roles in RBAC are, are basically groups that have or don't have certain privileges.

So that results in the following relations:

  • Zero to many Accounts belong to zero to many Roles (->group e.g. "Admin", "Manager", etc.)
  • Zero to many Roles have zero to many privileges / rights (e.g. "Access the manager section" or "Update this record")

Now let's move on: what data for what part of that system do you need to have in order to implement it?

  • Typically you have an ID on your account table for each account.
  • Roles typically have an ID and a name.
  • Privileges typically have at least a constant-like identifier (which should be the primary key, so that it's unique --- for example ACCESS_MANAGER - You can see why this is useful in my code example below. It can be used to lookup ) and a name

That leads to the following tables:

Account(AccountID (PK), ...)
Account_Role(AccountID (PK, FK), RoleID (PK, FK))
Role(RoleID (PK), name)
Role_Privilege(RoleID (PK, FK), PrivilegeID (PK, FK));
Privilege(identify (PK), name)

Now you can manage roles and the privileges these roles have. If you want to check if the current user has a specific privilege, you can ask your DB, for example:

    if(
      $this
        ->getCurrentUser()  //would return a dummy guest user with no roles assigned if no user is logged in
        ->hasPrivilege('ACCESS_MANAGER')  //joins account via account_role to role to role_privilege and finally to privilege
    ) { /*display only links a manager would see*/ }

    if($this->getCurrentUser()->hasPrivilege('ACCESS_ADMIN')) { /*display only links an admin would see*/ }

PS: The wiki articles provided are very theoretical. You might want to just google for queries like "php access control system" or similar to get you started with solutions others have come up with.
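
As an added example (not part of the answers on this page), here is one way the `hasPrivilege` check described above could be backed by the `Account_Role` and `Role_Privilege` tables, using PDO with an in-memory SQLite database. The sample rows, the `EDIT_GUESTBOOK` privilege, the link targets and the helper names `homepageLinks` and `requirePrivilege` are assumptions; in a real page the account ID would come from the session set at login.

```php
<?php
// Added example; sample rows, privilege names and link targets are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("
    CREATE TABLE Account_Role(AccountID INTEGER, RoleID INTEGER, PRIMARY KEY(AccountID, RoleID));
    CREATE TABLE Role_Privilege(RoleID INTEGER, PrivilegeID TEXT, PRIMARY KEY(RoleID, PrivilegeID));
    -- account 1: Employee (role 1); account 2: Employee + Manager (roles 1, 2)
    INSERT INTO Account_Role VALUES (1, 1), (2, 1), (2, 2);
    INSERT INTO Role_Privilege VALUES (1, 'EDIT_GUESTBOOK'), (2, 'ACCESS_MANAGER');
");

function hasPrivilege(PDO $db, ?int $accountId, string $privilege): bool
{
    if ($accountId === null) { return false; } // guest: no roles, deny by default
    $stmt = $db->prepare('SELECT 1 FROM Account_Role ar
        JOIN Role_Privilege rp ON rp.RoleID = ar.RoleID
        WHERE ar.AccountID = ? AND rp.PrivilegeID = ? LIMIT 1');
    $stmt->execute([$accountId, $privilege]);
    return $stmt->fetchColumn() !== false;
}

// Hiding a link is presentation only: every target page repeats the check.
function requirePrivilege(PDO $db, ?int $accountId, string $privilege): void
{
    if (!hasPrivilege($db, $accountId, $privilege)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

const LINKS = [ // href => [label, required privilege, or null for everyone]
    'guestbook.php'      => ['Guestbook', null],
    'guestbook_edit.php' => ['Edit guestbook', 'EDIT_GUESTBOOK'],
    'manager.php'        => ['Manager section', 'ACCESS_MANAGER'],
];

function homepageLinks(PDO $db, ?int $accountId): string
{
    $html = '';
    foreach (LINKS as $href => [$label, $need]) {
        if ($need === null || hasPrivilege($db, $accountId, $need)) {
            $html .= '<a href="' . htmlspecialchars($href) . '">' . htmlspecialchars($label) . "</a>\n";
        }
    }
    return $html;
}

echo "guest:\n", homepageLinks($db, null), "manager:\n", homepageLinks($db, 2);
```

A page such as `manager.php` would call `requirePrivilege($db, $accountId, 'ACCESS_MANAGER')` before producing any output, so that a user who types the URL directly is refused even though the link was never shown.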

Assuming you have user roles set up already and some sort of class you can easily do this by:

    if($users->role($userid) == "some role") //can be int or string, whichever way you set it up
    {
        echo "<a href='somelink.php'>Click to access</a>";
    }
License: CC-BY-SA with attribution
Not affiliated with StackOverflow