Coman Paul

Reputation: 301

Check user permission in php

How can I create a PHP function or class that checks if a user who is a half-admin (set from a MySQL database) has some rights such as creating a new page, editing, or deleting? I need a function that checks the user permissions and then displays the code like this:

    if ($he_can_create_page) {
        // continue the script.....
    } else {
        // don't continue
    }

At present I use sessions like this:

    if ($_SESSION['user_type'] == 'Admin' || $_SESSION['user_type'] == 'premium') {
        // do stuff
    } else if () ......... {
        // ..............
    }

but they become too many if statements, and I want a cleaner code :)

Upvotes: 1

Views: 7859

Answers (4)

interface User {

    public function canCreatePage();
    public function canDeletePage();
    public function canEditPage();
    ....
}

class Admin implements User {

    public function canCreatePage(){
        return true;
    }

    public function canEditPage(){
        return true;
    }
    ...
}

class Editor implements User {

    public function canCreatePage() {
        return false;
    }

    public function canEditPage() {
        return true;
    }

    ...

}

then, from what you get in the database:

if ($row['user_type'] == 'Admin') {
    $user = new Admin();
} else if ($row['user_type'] == 'Editor') {
    $user = new Editor();
}  ....

in all your pages:

if ($user->canCreatePage()) {
    // continue the script.....
} else {
    // don't continue
}

If you want to store your user in the session the first time you get it from the database:

$_SESSION['user'] = serialize($user);

in the next page:

$user = unserialize($_SESSION['user']);

Or you can also just store the id of the user in the session and get it back from the DB on every page.

Upvotes: 3

bitWorking

Reputation: 12665

The answer is to use an access control system. There are many different types. The most used (in web development) are ACL (Access Control List) and RBAC (Role-Based Access Control). The rules can be filled from a database or hardcoded.

To give you an idea of how they work, look at the examples from Zend Framework: ACL and RBAC. In Zend Framework the ACL is not very different from an RBAC because it also has roles. But normally an ACL is user-based and not role-based. If you like, you can integrate the ACL/RBAC from Zend or other frameworks into your own project.

Read about how Yii does it: Yii RBAC

Upvotes: 0
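As an added example (not code from any of the answers above), the role classes from the first answer and the RBAC idea from this one reduced to a single role-to-permissions map with a deny-by-default lookup; the role map, the `$row` stand-in for the users-table row and the permission names are constructed for the demonstration, and PHP 7.4+ is assumed:

```php
<?php
declare(strict_types=1);

// Added example, not from any answer on this page: role-based permission
// check driven by a role => permissions map, denying anything not listed.

final class Permissions
{
    /** @var array<string, string[]> role name => permissions it grants */
    private array $rolePermissions;

    public function __construct(array $rolePermissions)
    {
        $this->rolePermissions = $rolePermissions;
    }

    /** True only if the role is known and explicitly lists the permission. */
    public function can(string $role, string $permission): bool
    {
        $granted = $this->rolePermissions[$role] ?? [];   // unknown role => no rights
        return in_array($permission, $granted, true);     // strict comparison
    }
}

// Constructed role map (would normally be loaded from MySQL or a config file).
// 'premium' plays the "half-admin" from the question: it can create and edit,
// but not delete.
$permissions = new Permissions([
    'Admin'   => ['page.create', 'page.edit', 'page.delete'],
    'premium' => ['page.create', 'page.edit'],
    'Editor'  => ['page.edit'],
]);

// Constructed stand-in for the row fetched from the users table; in the real
// application the role would be $_SESSION['user_type'] set at login.
$row = ['id' => 42, 'user_type' => 'premium'];

// One check per action replaces the growing chain of if/else-if statements;
// 'user.ban' is deliberately absent from every role to show the default deny.
foreach (['page.create', 'page.edit', 'page.delete', 'user.ban'] as $action) {
    $verdict = $permissions->can($row['user_type'], $action) ? 'allowed' : 'denied';
    echo "{$row['user_type']} {$action}: {$verdict}\n";
}
```

Adding a new right then means adding one string to the map rather than another `else if` branch in every page that needs the check.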

Ivan Yonkov

Reputation: 7034

Add columns in your users table like:

| canEdit | canDelete | canCreate |

with flags 1/0. 1 for true, 0 for false.

Select the fields and make checks, i.e.:

if ($row['canEdit'] == 1) {
    // continue (return true)
} else {
    // stop (return false)
}

You can make it a function with params, so you will give the param to the function, i.e. $canDelete (which is your $row data), and it checks only that permission:

function userPermissions($type) {
    if ($type == 1) {
        return true;
    } else {
        return false;
    }
}


$canCreate = $row['canCreate'];

if(userPermissions($canCreate)) { ...

Upvotes: 0

chandresh_cool

Reputation: 11830

Create a generic function and put it in a file which is common for all files, something like this:

function pageCreatePermission() {
    if ($_SESSION['user_type'] == 'Admin' || $_SESSION['user_type'] == 'premium') {
        return true;
    } else {
        return false;
    }
}

then use this function something like this in your file:

if (pageCreatePermission()) {
    // do your stuff
} else {
    // show the error you want
}

Upvotes: 0
