#1
implementing privileges
I'm just curious how other people implement privileges in their code. Do you do a simple conditional, such as
or what? The above is how I've always done it, but the code really starts to get sloppy after building up a lot of links like that, especially with more than one conditional per link. Does anyone have a more manageable way of going about it?
#2
RE: implementing privileges
The most I have had is 4 levels of privs (guest 1, user 3, admin 7, super 9) - and I just did a switch. Something like:
php Code:
And obviously the error and login pages have to be able to handle the passing of error messages.
#3
RE: implementing privileges
Hmm - now that I think about it - should have done the access as an int. Then I could have done a simple conditional to see if some areas were displayed (Ex: if $access>=2). Then I wouldn't have had all those &&/|| checks... hmm. Need to remember that.
#4
RE: implementing privileges
Speaking of privileges, does anyone know of any good tutorials on the subject? I've searched everywhere and found only one which is pretty good:
http://www.sitepoint.com/article/anthology-2-1-access-control I'm surprised I can't find any others... might be a good one for someone on codewalkers (not me) to write. ;)
#5
RE: implementing privileges
I could write it I suppose (was in the process of writing an ssh tutorial, how to use it fairly securely in php. But I kinda ran out of energy with it).
I generally create a function like the one described below (haven't got an example to hand) Code:
check_auth($user_id,$user_ip,$zone_id)
check_auth looks up the user permissions for the user on a certain IP (helps to prevent session hijacking but that's not important here I don't think), then it looks up the permissions needed to view a certain zone (zone_id) from a zone table. If the user has insufficient permissions then they get forwarded back to the login page. That's how I do it, and then just drop that in either static or dynamic pages (at the top) so they are either allowed to view the page or kicked back to the login page with an error.
#6
RE: implementing privileges
+1 for you Andrew
#7
RE: implementing privileges
Using $_SESSION directly for handling authentication is a security issue and should be avoided. In my practice the best way to handle permissions is to create and serialize a proper class and pass it through different pages. This way you can keep an eye on all events and guarantee stable authentication handling.
Also for permissions I would suggest an idea with a bit of code. The code is just for example.
php Code:
<?php
/**
 * @abstract : Bit comparison based permissions class
 * @author   : Angel Kostadinov(angel@support-24.com)
 */
class permissions
{
    private $privileges;

    public function __construct($privileges = 0)
    {
        $this->privileges = intval($privileges);
    }

    // $access must be exactly one bit (a power of two), i.e. one page flag.
    public function haveAccess($access = 0)
    {
        $access = intval($access);
        if ($access <= 0 || ($access & ($access - 1))) return false; // Only powers of 2 are allowed
        if ($this->privileges & $access) return true;
        else return false;
    }
}

/** @abstract : Basic Class User */
class user
{
    public $access;

    public function __construct(permissions $access)
    {
        if ($access instanceof permissions) $this->access = $access;
        else $this->access = new permissions(0); // Default no permissions to anywhere
    }
}

/**
 * @example : Creating user with permission to access pages 2,4,8
 *            2+4+8 = 14
 *            pages like 1,16,32 will not be accessible by that user
 */
$user = new user(new permissions(14));
if ($user->access->haveAccess(2)) print 'yes';
else print 'no';
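An added example, not part of the thread and not the poster's code, that carries the bit-flag idea in the post above a little further: named flag constants, a true single-bit (power-of-two) test instead of a parity test, and checks for "all of" versus "any of" several bits. The constant names and their values are assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread): bit-flag permissions with named
// constants. Flag names and values are assumptions for illustration.
declare(strict_types=1);

final class Perm
{
    // Each permission is one distinct bit, so any combination fits in one int.
    public const VIEW_PAGE_2 = 1 << 1;   // 2
    public const VIEW_PAGE_4 = 1 << 2;   // 4
    public const VIEW_PAGE_8 = 1 << 3;   // 8
    public const ADMIN       = 1 << 4;   // 16

    private int $mask;

    public function __construct(int $mask = 0)
    {
        $this->mask = $mask;
    }

    // True only when $flag has exactly one bit set. A parity test (x % 2)
    // is not enough: 6 is even but is two flags (2|4), not one.
    public static function isSingleFlag(int $flag): bool
    {
        return $flag > 0 && ($flag & ($flag - 1)) === 0;
    }

    // Holder has every bit in $required (use for "must have A and B").
    public function hasAll(int $required): bool
    {
        return ($this->mask & $required) === $required;
    }

    // Holder has at least one bit in $any (use for "A or B is enough").
    public function hasAny(int $any): bool
    {
        return ($this->mask & $any) !== 0;
    }

    // Grant refuses anything that is not a single flag, so a caller cannot
    // smuggle several permissions in under one name.
    public function grant(int $flag): self
    {
        if (!self::isSingleFlag($flag)) {
            throw new InvalidArgumentException("not a single permission bit: $flag");
        }
        return new self($this->mask | $flag);
    }

    public function revoke(int $flag): self
    {
        return new self($this->mask & ~$flag);
    }

    public function mask(): int
    {
        return $this->mask;
    }
}

// Same scenario as the post: pages 2, 4 and 8, so 2 + 4 + 8 = 14.
$p = new Perm(14);
$checks = [
    'page 2 alone'          => $p->hasAll(Perm::VIEW_PAGE_2),
    'admin alone'           => $p->hasAll(Perm::ADMIN),
    'page 2 AND page 4'     => $p->hasAll(Perm::VIEW_PAGE_2 | Perm::VIEW_PAGE_4),
    'admin OR page 8'       => $p->hasAny(Perm::ADMIN | Perm::VIEW_PAGE_8),
    '6 is a single flag?'   => Perm::isSingleFlag(6),
];
foreach ($checks as $label => $ok) {
    printf("%-22s %s\n", $label, $ok ? 'yes' : 'no');
}
// Revoke page 8 and grant admin; the new mask is 2 + 4 + 16.
$p2 = $p->revoke(Perm::VIEW_PAGE_8)->grant(Perm::ADMIN);
printf("new mask: %d\n", $p2->mask());
```

Keeping the objects immutable (grant and revoke return a new instance) makes it harder for one page to widen a permission set that another page later trusts, which is the concern behind the "keep an eye on all events" remark above.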
#8
RE: implementing privileges
Quote:
Would you care to elaborate on that statement?
#9
RE: implementing privileges
Ya, I was wondering the same thing... There was an article in the in secure online magazine about sessions, and injecting session IDs and such, but I don't really know if that's any sort of relation.... And I guess that also makes me wonder how you serialize the class and pass it from page to page without sessions...
#10
RE: implementing privileges
I also use an auth class to check the user's group level.
Usually like so: php Code:
Usually have two tables, one with the access levels, and the other with the actual users. This way every time they hit up a new page they have to: a) be currently authed, b) have proper access, c) their user account isn't suspended/deactivated midway through their session. Also allows for a 'waterfall' type of effect, so that users with access levels higher or lower could have different options or less. The upside to this is that the $_SESSION information is validated every time, so spoofing session data becomes more difficult. Add in some extra security checks for validating that the information is in proper formatting and to avoid SQL injection attacks, and I'd call it a pretty sound security system (as far as online security goes... which is nil).
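An added example (not code from this thread) of the check_auth($user_id,$user_ip,$zone_id) function post #5 describes, combined with the every-request re-validation against a user table and an access-level table that post #10 describes. It uses an in-memory SQLite database through PDO so it runs stand-alone from the command line; the table layout, column names, the require_zone() wrapper and the sample rows are assumptions.

```php
<?php
// Added example (not the thread's code): a check_auth() in the shape the two
// posts describe, backed by an in-memory SQLite database so it runs alone.
// Table and column names, and all rows, are constructed for this example.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, level INTEGER, active INTEGER, login_ip TEXT)');
$db->exec('CREATE TABLE zones (id INTEGER PRIMARY KEY, name TEXT, min_level INTEGER)');
// Levels follow post #2 (guest 1, user 3, admin 7, super 9). carol is deactivated.
$db->exec("INSERT INTO users VALUES (1,'alice',7,1,'10.0.0.5'), (2,'bob',3,1,'10.0.0.9'), (3,'carol',9,0,'10.0.0.7')");
$db->exec("INSERT INTO zones VALUES (1,'forum',3), (2,'admin',7)");

/**
 * Re-checks the database on every request instead of trusting $_SESSION.
 * Returns null when access is allowed, otherwise a short reason string the
 * caller can hand to the login page as its error message.
 */
function check_auth(PDO $db, int $user_id, string $user_ip, int $zone_id): ?string
{
    $st = $db->prepare('SELECT level, active, login_ip FROM users WHERE id = ?');
    $st->execute([$user_id]);
    $user = $st->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return 'unknown user';
    }
    if ((int)$user['active'] !== 1) {
        return 'account suspended';          // catches deactivation mid-session
    }
    if (!hash_equals((string)$user['login_ip'], $user_ip)) {
        return 'session address mismatch';   // the IP binding from post #5
    }
    $st = $db->prepare('SELECT min_level FROM zones WHERE id = ?');
    $st->execute([$zone_id]);
    $zone = $st->fetch(PDO::FETCH_ASSOC);
    if ($zone === false) {
        return 'unknown zone';               // deny on missing data, never allow
    }
    // "Waterfall": a higher level sees everything a lower level sees.
    if ((int)$user['level'] < (int)$zone['min_level']) {
        return 'insufficient level';
    }
    return null;
}

/** Drop-in for the top of a page: bounce to login with the reason on failure. */
function require_zone(PDO $db, int $zone_id): void
{
    $user_id = (int)($_SESSION['user_id'] ?? 0);
    $ip      = $_SERVER['REMOTE_ADDR'] ?? '';
    $err = check_auth($db, $user_id, $ip, $zone_id);
    if ($err !== null) {
        header('Location: login.php?error=' . rawurlencode($err));
        exit;
    }
}

// Command-line walk-through of the checks (no headers are sent here).
$cases = [
    [1, '10.0.0.5',  2],   // admin from her own address -> allowed
    [2, '10.0.0.9',  2],   // level 3 user in a level 7 zone -> insufficient
    [2, '10.0.0.9',  1],   // same user in the forum zone -> allowed
    [3, '10.0.0.7',  1],   // deactivated account -> suspended
    [1, '10.0.0.99', 1],   // valid user, different address -> mismatch
];
foreach ($cases as [$uid, $ip, $zone]) {
    printf("user %d from %-10s -> zone %d: %s\n", $uid, $ip, $zone, check_auth($db, $uid, $ip, $zone) ?? 'allowed');
}
```

The two design points worth copying are that every branch that cannot prove access returns a denial (an unknown zone id is a deny, not a pass), and that the session only carries the user id; level, active flag and address are re-read from the database on each hit, which is what makes the "spoofing session data becomes more difficult" claim above hold.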
#11
RE: implementing privileges
Quote:
The method I use is something close to the tutorial you posted. Having all the links and access levels within the code tends to get really messy and it's difficult to modify the code for each new application I start to write. I use MySQL tables to sort out the issues and the code uses sessions to identify the user. I use six tables to sort this out. I won't go in detail. Will try to give you the basic idea.

usmgt_application - Stores the applications that use this database. Can have multiple applications using the same auth system.
usmgt_activity - Stores all the activities, simply the links. Here there is a field to identify which application the activity belongs to.
usmgt_user - Stores all the usernames, passwords, etc.
usmgt_group - Stores all the group names.
usmgt_usergroup - User <-> Group relationship table.
usmgt_groupactivity - Group <-> Activity relationship table.

So this is what the code does. I have a login script that authenticates the user by querying the usmgt_user table. Upon authentication the code checks which groups he belongs to and then it grabs the activities that the user is allowed to access. So I generate the links using the allowed activity list. So when they click a link I pass the activity id via GET and do a validation whether that id is an allowed activity, to make sure that the user doesn't play around with the GET variable. If it's an allowed activity I simply include the php file, which will be in the name of 'activity_<id goes here>', stored in a separate directory called 'includes'. This works really well for me because if I want to add a new activity I don't have to mess with the code. Simply add the activity to the usmgt_activity table and which application it belongs to. Add the groups that will be allowed to access this activity in the usmgt_groupactivity table. Then I have to save the php script for this activity in the includes directory with a prefix 'activity' followed by an underscore and the activity id.
This way in these activity scripts I don't need to write auth checks on top. Maintenance wise really easy. The best part is it allows multiple users as well. Adding a user is simply easy. Add the user to the usmgt_user table and add the groups he belongs to on the usmgt_usergroup. I guess that gives a basic idea.
Quote:
If you guys feel that this method is worth writing a tutorial let me know. I'm not really a good writer though I feel it's worth having a go at it. There might be better methods than this but it works for me really efficiently.
Quote:
Really haven't looked into this matter. I'm also a bit confused after hearing this. More information on this will be great.
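An added example, not the poster's code, of the group/activity lookup and the GET validation described in the post above, run on an in-memory SQLite copy of the six usmgt_* tables so it works stand-alone. The column names, the sample rows and the helper function names (allowed_activities, render_links, resolve_activity) are assumptions.

```php
<?php
// Added example (not the poster's code): the group/activity tables from the
// post, on in-memory SQLite, with the allowed-activity check done before any
// include. Column names and every row below are constructed for this example.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usmgt_application (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE usmgt_activity (id INTEGER PRIMARY KEY, application_id INTEGER, label TEXT)');
$db->exec('CREATE TABLE usmgt_user (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$db->exec('CREATE TABLE usmgt_group (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE usmgt_usergroup (user_id INTEGER, group_id INTEGER)');
$db->exec('CREATE TABLE usmgt_groupactivity (group_id INTEGER, activity_id INTEGER)');
// One application, two groups, three activities. alice is staff+admins, bob is staff only.
$db->exec("INSERT INTO usmgt_application VALUES (1,'intranet')");
$db->exec("INSERT INTO usmgt_activity VALUES (10,1,'View reports'), (11,1,'Edit reports'), (12,1,'Manage users')");
$db->exec("INSERT INTO usmgt_user VALUES (1,'alice',''), (2,'bob','')");
$db->exec("INSERT INTO usmgt_group VALUES (1,'staff'), (2,'admins')");
$db->exec("INSERT INTO usmgt_usergroup VALUES (1,1), (1,2), (2,1)");
$db->exec("INSERT INTO usmgt_groupactivity VALUES (1,10), (2,11), (2,12)");

/** Activities the user may reach in this application, keyed by activity id. */
function allowed_activities(PDO $db, int $user_id, int $app_id): array
{
    $st = $db->prepare(
        'SELECT DISTINCT a.id, a.label
           FROM usmgt_activity a
           JOIN usmgt_groupactivity ga ON ga.activity_id = a.id
           JOIN usmgt_usergroup ug     ON ug.group_id    = ga.group_id
          WHERE ug.user_id = ? AND a.application_id = ?
          ORDER BY a.id'
    );
    $st->execute([$user_id, $app_id]);
    $out = [];
    foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $out[(int)$row['id']] = (string)$row['label'];
    }
    return $out;
}

/** Links are rendered from the allowed list only, as the post describes. */
function render_links(array $allowed): string
{
    $html = '';
    foreach ($allowed as $id => $label) {
        $html .= sprintf("<a href=\"index.php?activity=%d\">%s</a>\n", $id, htmlspecialchars($label, ENT_QUOTES));
    }
    return $html;
}

/**
 * Resolve ?activity=... to a script path, or null if it must not be included.
 * The GET value is accepted only as a plain decimal id that is in the allowed
 * list, so the include path is always built from a known integer and never
 * from request input.
 */
function resolve_activity(array $allowed, string $requested, string $dir = 'includes'): ?string
{
    if (!ctype_digit($requested)) {
        return null;                         // anything non-numeric never reaches the filesystem
    }
    $id = (int)$requested;
    if (!array_key_exists($id, $allowed)) {
        return null;                         // a real activity id, but not for this user
    }
    return sprintf('%s/activity_%d.php', rtrim($dir, '/'), $id);
}

// Walk-through for bob (user 2): only group 'staff', so only activity 10.
$allowed = allowed_activities($db, 2, 1);
echo render_links($allowed);
foreach (['10', '12', '10abc', ''] as $q) {
    printf("activity=%-8s -> %s\n", var_export($q, true), resolve_activity($allowed, $q) ?? 'denied');
}
// In the page itself: $path = resolve_activity($allowed, $_GET['activity'] ?? '');
// if ($path === null) { redirect to login with an error } else { require $path; }
```

The allowed list is computed once per request from the join and the include name is derived from that integer, so the include never depends on the raw GET string; that is the check the post relies on to keep "play around with the GET variable" harmless, and it also covers the case where a group mapping is removed while the user is still logged in.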
#12
RE: implementing privileges
If you wanna read more about session security, the magazine php|architect has a good write-up on it in their security corner. It's volume 5, issue 5. Talks about accessing _SESSION data directly etc etc. Read particularly the last section titled 'Invisible Session Theft'.