/    Sign up×
Community /Pin to ProfileBookmark

Good Morning Users,

I have a range of methods over various classes which depend on a user having permissions.

I’m thinking of doing the following

[code]
$myObj->thisMethod($User, $Vars);
[/code]

Then within the method, check the the user class to see if the user passed in has permissions for the method being called.

[code]
public function thisMethod($User, $Vars){
if ($User->checkPermission(2) !== true){
return ‘You do not have permission to do this’;
exit();
}
}
[/code]

Where the number 2 is unique to this method.

My question or concern is I can’t see 100’s of different permission levels. I’ll need to enable/disable individual users from each of them.

Each function/permission will be stored in a DB which is where the unique ID is coming from.

Is this as simple as entering the function into my DB getting the ID and coding it into each function it applies to.

Very manual.

Any centralized or automatic ways of doing this? – or any general improvements are welcome.

to post a comment
PHP

7 Comments(s)

Copy linkTweet thisAlerts:
@singaporeDudeauthorNov 13.2021 — Another scenario would be getting all the methods from my classes and moving approved 'methods' to an approved list.

Not sure how i'd seperate admin vs public function though.

For example, in a news class. getNews would be public use, addNews would be restricted admin so this approach might not work although it seems like a good approach in theory.
Copy linkTweet thisAlerts:
@NogDogNov 13.2021 — > @singaporeDude#1639387 Any centralized or automatic ways of doing this?

Typically that sort of thing -- what permissions a user has and/or what type of user they are -- is stored in $_SESSION. Since $_SESSION is a PHP "super-global", it's available anywhere*, including inside of class methods. Then when a user logs in, you can grab whatever permission-related things for them are in the DB at the time you are validating the login, and then store them in the $_SESSION array.

_____________________

* As long as you've correctly used session_start() on each page where you need it
Copy linkTweet thisAlerts:
@singaporeDudeauthorNov 14.2021 — @NogDog#1639392

Yes thank you. I wasn't sure if storing permissions in a session was as secure as setting them within the object itself.

My second or main part of the problem is how to line up individual permissions against each block of code.

For example, If I 30 different user functions, add edit delete over 10 different objects how can I keep this code simple and easy to manage.

I was going to add a table for user functions which would have 'Editing Pets' with the ID of 33 for example.

I can then have a joining table where User 972 as permission 33 available to them.

I can set this into Sessions as you say but do I have to manually add in any functions which apply to editing pets a check and hard code in function 33?

This is where code can become messy.

Thank you and I hope this makes sense.
Copy linkTweet thisAlerts:
@NogDogNov 14.2021 — How many different types of permissions are we talking about here? Typically I'd imagine something in the range of 3 or 4, but it sort of sounds like you're talking about many more?

I've normally seen things where you have maybe an "admin" role that can basically do anything, maybe an "editor" role who can do a subset of those things, a "writer" role who can do a subset of _those_ things, and a "normal" role who maybe just has read access. In those cases you could just assign each role an ascending number from least permissions to most. Then in any applicable code, you could just check that that user's permission level is >= the required level.

But if you're talking about some complicated "matrix" of permissions, I'm not entirely sure what I'd do. I would, however, try to avoid just depending on numbers at that point, but instead by meaningful names. E.g., maybe you have a sub-array in $_SESSION with that user's permissions:
[code=php]
$_SESSION['permissions'] = [
1 => 'this',
3 => 'that',
22 => 'another'
];
[/code]

Then if in some method the user needs to have "that" permission, you could just do:
[code=php]
if(in_array('that', $_SESSION['permissions'])) {
// good to go
}
[/code]

And then clean things up a bit maybe by putting that into a method or global function?
[code=php]
function has_permission($name) {
return in_array($name, $_SESSION['permissions']);
}
[/code]

Or...rethink the need for all these different levels/types of permissions? ;)
Copy linkTweet thisAlerts:
@singaporeDudeauthorNov 14.2021 — Thank you.

What if I had a script which gave me a full list of all public functions (not sure if that's possible).

When giving user access I tick which ones I want them to access to. They get saved in a database by their name.

When a user logs in, they names are set in a session like you suggest. Then within each function which will be restricted I have a simple if statement checking this function is in the session array?

Would this work?
Copy linkTweet thisAlerts:
@singaporeDudeauthorNov 14.2021 — So a little more research suggest the above will work using 'get_class_methods' but that’ll only block the methods from being used.

It won’t stop a page from being opened, for example when a user visits editNews.php I need to check if they’re allowed to do this and give an error.

Mu suggestion works if they bypass this and try somehow to call my function.

Although I could do the same but use page file names and check them on every page call
Copy linkTweet thisAlerts:
@NogDogNov 14.2021 — This all sounds needlessly complex to me, but maybe you have a particular business case that needs such a high granularity of permissions? Who is going to assign all these different permissions to each user, or how are they programmatically determined? How would you _maintain_ all of them (both users and permissions) as they increase and change?

As far as page access goes, if you're using some sort of MVC framework approach, that could be handled in the controller. If page X is requested by user Y, it could initially do some check (either via DB query or session data) to determine if the user has access to it. That would mean each endpoint would need some sort of configuration attribute _somewhere_ that defines what access is needed. But again, this turns into a potential maintenance nightmare if you are going to essentially have an unlimited set of permission types/targets/whatever.
×

Success!

Help @singaporeDude spread the word by sharing this article on Twitter...

Tweet This
Sign in
Forgot password?
Sign in with TwitchSign in with GithubCreate Account
about: ({
version: 0.1.9 BETA 3.29,
whats_new: community page,
up_next: more Davinci•003 tasks,
coming_soon: events calendar,
social: @webDeveloperHQ
});

legal: ({
terms: of use,
privacy: policy
});
changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...
recent_tips: (
tipper: @darkwebsites540,
tipped: article
amount: 10 SATS,

tipper: @Samric24,
tipped: article
amount: 1000 SATS,

tipper: Anonymous,
tipped: article
amount: 10 SATS,
)...