johnny

Reputation: 19735

How do you implement users and group security in a web application?

Using PHP, if that matters.

If you create a website that has users and groups, where do you put this in the web application? Do you just put a function at the top of every page (pseudo):

if someone is in a group then they can see this page or if someone is in this group they can see this button

That sure seems wrong. I wouldn't want to edit the web app code just to change who can see what group-wise. I'm not sure what I should do or how to implement something like this.

Thanks.

Upvotes: 0

Views: 217

Answers (2)

user5483434

Reputation: 502

In MySQL, I always create these 4 tables: users, user_groups, permissions and user_groups_permissions which are linked using Foreign Keys.

So, user A can be in user group B, and this user group's permissions are in user_groups_permissions.

Now, I just do an INNER JOIN on these 4 tables (or better, three: users, user_groups_permissions and permissions); the results are the permissions that the user has. All we need is to select permissions.key via the INNER JOIN.

Now, before processing the request, I need to check whether Client::has_permission('send_post') returns true or not. And better, also at the top of each user-group-related function.

Note: Client is a class that loads all user permissions just one time, before processing the request, and then uses those permissions for the whole request lifetime, without needing to access the database several times in that request. Use static methods and a $permissions property for this class so you never need to pass its object around your application's classes/methods/functions :)

Upvotes: 1

Emmanuel N

Reputation: 7449

You can have a utility function which takes a user id and group code and returns true or false. You can use that utility function as pseudo at the top of each page, and the same function can also be used to hide or show sections in your page.

If your web application is in MVC, embed user authorization logic in your controller.

Upvotes: 0
