#1
Registered User, Devshed Newbie (0 - 499 posts). Join Date: Nov 2012. Location: Maine. Posts: 18. Rep Power: 0

    Secure Login with User Levels for variable access


    Hello All,

    I'm building a CMS where an admin sets up a user, then sends the user a link so that they can log in and add the majority of the data.

    With this in mind, I have 2 types of users: Admin, Normal

    My first resource was how to build a secure login:
    http://forums.devshed.com/php-faqs-a...ng-891201.html

    My next step was how to build the db efficiently. I finally decided (with help from r937) to place all of the submitted data into a single db, but to have the user table for admins and normal users be separate. My thought on this was that the users need to authenticate before they can even touch the data.

    From the link above (Secure login), I want to give admins the ability to view any account that's created with the option to build users (normal users will not have creation ability). The users themselves can only access their account.

    I'm going to use a foreign key to point the data table (acct_ref - ex: 123) to the user table (acct - ex: 123). In the user table, I'll be adding 'acct' and admins will set what account the user is allowed to get details for.

    My question is, how would I make the session differentiate between an admin and a normal user? Would this be more in the session itself, or do I need to add more of an if, then, else statement?

    Right now I can differentiate links using the following:
    Code:
    // Show the login link to anonymous visitors, the member links to anyone with a session
    if (empty($_SESSION['user'])) {
        echo '<a href="login.php">Login</a>';
    } else {
        echo '<a href="memberlist.php">Member List</a> | <a href="register.php">Register New User</a> | <a href="edit_account.php">Edit Account</a> | <a href="logout.php">Logout</a>';
    }
    But I'm sure it's much different to say:
    If user is admin
    * acct can have any value
    else if user is normal
    * search details for acct if equals 123



    Thanks for sharpening my mind in advance.
#2

    DB Layout


    Just for reference, here's what the 2 tables look like as well:

    User Table (users)

    Code:
    CREATE TABLE `users` (
      `id` int(11) NOT NULL AUTO_INCREMENT,
      `username` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
      `password` char(64) COLLATE utf8_unicode_ci NOT NULL,   -- stored hash, never the plaintext password
      `name` char(64) COLLATE utf8_unicode_ci NOT NULL,
      `salt` char(16) COLLATE utf8_unicode_ci NOT NULL,
      `email` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
      `userlvl` char(1) COLLATE utf8_unicode_ci NOT NULL,     -- admin / normal flag
      `acct` int(12) NOT NULL,                                 -- COLLATE is not valid on an integer column
      PRIMARY KEY (`acct`),
      UNIQUE KEY `id` (`id`),
      UNIQUE KEY `username` (`username`),
      UNIQUE KEY `email` (`email`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=1;
    Data Table

    Code:
    CREATE TABLE `data` (
      `acct_ref` int(11) NOT NULL,                             -- owning account, points at users.acct
      `data_type` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
      `sub_dtype_1` char(64) COLLATE utf8_unicode_ci NOT NULL,
      `sub_dtype_2` varchar(64) COLLATE utf8_unicode_ci NOT NULL,
      `sync_ref` int(3) NOT NULL,                              -- COLLATE is not valid on an integer column
      `options` varchar(4) COLLATE utf8_unicode_ci NOT NULL,
      `value` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
      PRIMARY KEY (`acct_ref`),                                -- allows only one data row per account (see note below)
      FOREIGN KEY (`acct_ref`) REFERENCES `users` (`acct`),
      INDEX (`value`)                                          -- no trailing comma before the closing parenthesis
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=1;
    (I may have to remove the primary key reference. Reviewing that one.)
    Last edited by SiLeNCeD; December 3rd, 2012 at 11:09 AM. Reason: added unique to id
#3
Devshed Supreme Being (6500+ posts). Join Date: Mar 2007. Location: Washington, USA. Posts: 13,959. Rep Power: 9397
    Putting some sort of "this user is an admin" flag in the session is a fairly standard solution. Go for it.
    PHP Code:
    if (isset($_SESSION["user"]) && !empty($_SESSION["isAdmin"])) {
        // admin
    } else if (isset($_SESSION["user"])) {
        // normal user
    } else {
        // not logged in
    }

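An added example, not code from either poster: the session flag above only answers "is this an admin?". The second half of the question in post #1 (a normal user may only read the one acct assigned to them, an admin may read any) has to be enforced on the server on every data read, using the acct stored in the session at login rather than anything sent by the browser. The following sketch assumes the `users` and `data` tables from post #2, PDO as the database layer, and that `userlvl` holds 'A' for admin and 'N' for normal (that encoding is an assumption; the thread does not say). Connection details are placeholders.

```php
<?php
// Added example (not from the thread). Role and account scoping are fixed in the
// session at login and checked server-side before every data read.
// Assumes the poster's `users` (id, userlvl, acct) and `data` (acct_ref, ...) tables;
// userlvl 'A' = admin, 'N' = normal is an assumption.
declare(strict_types=1);

session_start();

function db(): PDO
{
    // DSN and credentials are placeholders for the example.
    $pdo = new PDO('mysql:host=localhost;dbname=cms;charset=utf8', 'cms_user', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Call this once the password check from the secure-login tutorial has passed,
// passing the matching row from `users`. Everything the authorization checks
// need is copied out of that row here, so no later page trusts a role or
// account number that came from the client.
function establishSession(array $userRow): void
{
    session_regenerate_id(true);               // fresh session id after login
    $_SESSION['user']    = (int) $userRow['id'];
    $_SESSION['isAdmin'] = ($userRow['userlvl'] === 'A');
    $_SESSION['acct']    = (int) $userRow['acct'];
}

function isLoggedIn(): bool
{
    return isset($_SESSION['user']);
}

function isAdmin(): bool
{
    return isLoggedIn() && !empty($_SESSION['isAdmin']);
}

// Put this at the top of admin-only pages such as register.php.
function requireAdmin(): void
{
    if (!isAdmin()) {
        http_response_code(403);
        exit('Access denied');
    }
}

// "May this session read account $acct?" Admins may read any account,
// a normal user only the one bound to them at login.
function canViewAccount(int $acct): bool
{
    if (!isLoggedIn()) {
        return false;
    }
    if (isAdmin()) {
        return true;
    }
    return isset($_SESSION['acct']) && $_SESSION['acct'] === $acct;
}

// Read the data rows for one account. The account number is taken from the
// request only for admins; for a normal user the session value is used, so
// editing ?acct= in the URL cannot reach another account's rows.
function fetchAccountData(PDO $pdo, ?int $requestedAcct): array
{
    if (!isLoggedIn()) {
        throw new RuntimeException('not logged in');
    }
    $acct = isAdmin() ? $requestedAcct : (int) $_SESSION['acct'];
    if ($acct === null || !canViewAccount($acct)) {
        throw new RuntimeException('forbidden');
    }
    $stmt = $pdo->prepare(
        'SELECT data_type, sub_dtype_1, sub_dtype_2, options, value
           FROM data
          WHERE acct_ref = :acct'
    );
    $stmt->execute([':acct' => $acct]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in a page such as edit_account.php:
$requested = filter_input(INPUT_GET, 'acct', FILTER_VALIDATE_INT);
try {
    $rows = fetchAccountData(db(), $requested === false ? null : $requested);
} catch (RuntimeException $e) {
    http_response_code(403);
    exit('Access denied');
}
```

Two caveats worth noting. First, the role and acct live in the session only, so if an admin changes a user's `userlvl` or `acct` in the database, that user keeps the old values until they log in again; re-reading them from `users` on each request (or invalidating the session) closes that gap. Second, hiding the "Register New User" link from normal users, as the menu code in post #1 does, is not a control by itself; register.php still has to call something like `requireAdmin()` before doing anything.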
#4
    Originally Posted by requinix
    Putting some sort of "this user is an admin" flag in the session is a fairly standard solution. Go for it.
    PHP Code:
    if (isset($_SESSION["user"]) && !empty($_SESSION["isAdmin"])) {
        // admin
    } else if (isset($_SESSION["user"])) {
        // normal user
    } else {
        // not logged in
    }

    Awesome. Thanks. I thought it may be something like that but I wanted to make sure. I will implement this and let you guys know if I have any more questions.

    Thanks!
