Hi all.. I'm now building a web system using PHP, and I have 4 groups of users:
1- G1
2- G2
3- G3
4- G4

In my DB, those are in my table called "u_userGroup", and the entity is "groupCode".

So, these 4 groups have different privileges for each page..
G1 can access all pages, G2 and G3 can add, view, list and edit, G4 can only add and view...
I know that I have to do the "if else" thing at the top of each page, but I'm not sure how to do it...
Can someone help me..

My advice to you is that in your DB you should have a permission column allocated, like

firstname | access
maryjoye  | 1 -> admin

Then as the user logs in, put the access column into $_SESSION so you could use it on the session to easily identify what the permission of the user who is online is.
Then, in every restriction function you have, you could do an if-else condition,
depending on how you design your page...
For example, a normal user that is not an admin will try to access a page with the code
below:

    if($_SESSION['access']!=1){
        echo 'Oops you dont have a permission on this page';
        exit;
    }

He can't access the page. If he's the admin, access=1; a normal user = any_number_not_one.

This is how I did it and it proved to be a good concept. I have defined access levels which were integers. The higher the level (value) the higher the privileges.
Between each level I had a space for new levels if I need them later. The access level is saved in the user database for each user.

access_level | description
-------------+------------------------------------
         220 | application admin (developers only)
         200 | contents admin
         180 | system admin
         100 | regular user (edit, view)
          60 | viewer (view)
           0 | no access

As you can see I use an unsigned integer for the access level so it does not take much space in the DB. I have plenty of room below and above the range and also between access levels, which proved a good tactic since I had to add levels already. The access level gets stored in the session during login so all I have to do is to compare it with the required level at the beginning of each page:

// example for checking a system admin's access level
if(!isset($_SESSION['access_level']) || $_SESSION['access_level'] < 180) {
    header('location: logout.php');
    exit; // stop the script so the protected page is not sent after the redirect
}

In the above example only system admin and higher levels can access the page.

I also define constants to make the code more readable:

define('ACCESS_LVL_APPADMIN', 220);
define('ACCESS_LVL_CONTADMIN', 200);
define('ACCESS_LVL_SYSADMIN', 180);
define('ACCESS_LVL_REGUSER', 100);
define('ACCESS_LVL_VIEWER', 60);
define('ACCESS_LVL_NOACCESS', 0);

// example for checking a system admin's access level
if(!isset($_SESSION['access_level']) || 
   $_SESSION['access_level'] < ACCESS_LVL_SYSADMIN) {
    header('location: logout.php');
    exit; // stop the script so the protected page is not sent after the redirect
}
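The same level check as a reusable function, as an added example that is not broj1's code: it starts the session if needed, treats a missing session variable as "no access", and always calls exit after header() so the rest of the page is never sent to a user who failed the check. The function names (require_access_level, store_access_level_in_session) and the user row are assumptions made for the example; the ACCESS_LVL_* constants are the ones from the post.

```php
<?php
// Added example, not broj1's code. Include this file at the top of every
// restricted page, before any HTML is echoed (header() needs that).

define('ACCESS_LVL_APPADMIN', 220);
define('ACCESS_LVL_CONTADMIN', 200);
define('ACCESS_LVL_SYSADMIN', 180);
define('ACCESS_LVL_REGUSER', 100);
define('ACCESS_LVL_VIEWER', 60);
define('ACCESS_LVL_NOACCESS', 0);

/**
 * Redirect and stop the script unless the logged-in user's level is at
 * least $required. A missing session variable counts as no access.
 */
function require_access_level(int $required, string $redirect = 'logout.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Cast to int so a stray string value cannot compare unexpectedly.
    $level = isset($_SESSION['access_level'])
        ? (int) $_SESSION['access_level']
        : ACCESS_LVL_NOACCESS;

    if ($level < $required) {
        header('Location: ' . $redirect);
        exit; // without exit the protected page would still be sent to the client
    }
}

/**
 * Called once at login, after the password has been verified.
 * $userRow is the user's database row (constructed shape for this example).
 */
function store_access_level_in_session(array $userRow): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['access_level'] = (int) $userRow['access_level'];
}

// Usage at the top of a page only system admins and higher may see:
// require_access_level(ACCESS_LVL_SYSADMIN);
```

Because the redirect and the exit live in one function, a page cannot forget the exit the way the hand-written checks later in this thread do.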

I'd use a bitwise operator and give groups this sort of value:

Group1 - 1
Group2 - 2
Group3 - 4
Group4 - 8
Group5 - 16
(etc)

Then a user can be a member of more than one group:

User1 - 12 (member of groups 3 and 4)

meaning that they now have security clearance for both those groups.

You can check for rights:

define('GROUP1', 1);
define('GROUP2', 2);
define('GROUP3', 4);

if($userlevel & GROUP3){
   //this will allow anybody with userlevels 4,5,6,7,12... access to this section of code  
}

OK.. I wanna try @broj1's method first.. and I have a question, for the access_level...
I have a table called u_userGroup like this:

groupCode | groupDesc | groupStatus
----------+-----------+------------
G1        | Admin     | active
G2        | KSBP      | active
G3        | KS        | active
G4        | reg_user  | active

Then, that means I have to create an entity for access_level, right..?
So it will be like this:

groupCode | access_level | groupDesc
----------+--------------+----------
G1        |          220 | Admin
G2        |          200 | KSBP
G3        |          180 | KS
G4        |          100 | reg_user

Then, I need to create a PHP file with this in it.?

define('ACCESS_LVL_APPADMIN', 220);
define('ACCESS_LVL_CONTADMIN', 200);
define('ACCESS_LVL_SYSADMIN', 180);
define('ACCESS_LVL_REGUSER', 100);
define('ACCESS_LVL_VIEWER', 60);
define('ACCESS_LVL_NOACCESS', 0);

Then compare it with the required level at the beginning of each page.
Am I right....?
Please correct me if I'm wrong..

@broj1

This code means:

if(!isset($_SESSION['access_level']) || $_SESSION['access_level'] < 180) {
    header('location: logout.php');
}

If the user's access_level is below 180, it will directly go to the logout page, right?

I tried that way, but even when the access level is higher than 180, it still directly goes to the logout page.

If the user's access_level is below 180, it will directly go to the logout page, right?

Yes. It also redirects you to logout if the session variable does not exist.

I tried that way, but even when the access level is higher than 180, it still directly goes to the logout page.

Can you show the code? Have you started the session? Does $_SESSION['access_level'] exist at all?

@broj1
I already got it.. I wrongly put the 'access_level' in another table.. :p

But I have another problem.. there is one page that only 2 groups (G1 and G3) can access.. how do I do it..?

@diafol

Would you explain a bit more about your method..
There is one page that only 2 groups (G1 and G3) can access.
I think this problem can be solved with your method.. but I'm not sure how to do it..

You can do it using a case statement:

if(!isset($_SESSION['access_level']) || $_SESSION['access_level'] < 180) {
    header('location: logout.php');
    exit;
} else {
    switch($_SESSION['access_level']) {
        case 220 : header('location:restricted_page1.php'); break;
        case 200 : header('location:restricted_page2.php'); break;
        case 180 : header('location:restricted_page1.php'); break;
        default : header('location:logout.php');
    }
    exit; // nothing after a Location header should keep running
}

I haven't noticed your question to me about access levels in one of your previous posts. Have you got those answers yet?


Would you explain a bit more about your method..
There is one page that only 2 groups (G1 and G3) can access.
I think this problem can be solved with your method.. but I'm not sure how to do it..

No problem - just so that you're aware, broj1 has the solutions that you're looking for. But for completeness and since I left it dangling there, I elucidate:

DB Table

group_id (autonumber) | groupname (varchar) | groupvalue (int)
----------------------+---------------------+-----------------
1                     | G1                  | 1
2                     | G2                  | 2
3                     | G3                  | 4
4                     | G4                  | 8
5                     | G5                  | 16
6                     | G6                  | 32

User Table

user_id (autonumber) | username (varchar) | groups (int)
---------------------+--------------------+-------------
23                   | diafol             | 7
45                   | eros               | 17

The above means:
diafol is a member of groups G1, G2, G3 (1 + 2 + 4)
eros is a member of groups G1, G5 (1 + 16)

I suppose you could create your constants dynamically.

define("G1", 1);
define("G2", 2);
define("G3", 4);
define("G4", 8);
define("G5", 16);
define("G6", 32);

$usergroups = 34; //this would be set from DB on login - 34 can only be made up from 2 + 32

if($usergroups & G1)echo "G1"; // (34 & 1) - no match
if($usergroups & G2)echo "G2"; // (34 & 2) - match!
if($usergroups & G3)echo "G3"; // (34 & 4) - no match
if($usergroups & G4)echo "G4"; // (34 & 8) - no match
if($usergroups & G5)echo "G5"; // (34 & 16) - no match
if($usergroups & G6)echo "G6"; // (34 & 32) - match!
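The bitmask method carried through to the question asked earlier in the thread (a page that only G1 and G3 members may open), as an added example that is not diafol's code. It builds the constants dynamically from rows shaped like the groups table above, decodes a user's mask back into group names, and wraps the page check in a function that exits after the redirect. The rows are constructed for the example; groups_in_mask, user_in_any_group and require_any_group, and the $_SESSION['groups'] key, are assumed names.

```php
<?php
// Added example, not diafol's code. Rows constructed to match the groups
// table in the post; in the application they would come from
// SELECT groupname, groupvalue FROM groups.
$groupRows = [
    ['groupname' => 'G1', 'groupvalue' => 1],
    ['groupname' => 'G2', 'groupvalue' => 2],
    ['groupname' => 'G3', 'groupvalue' => 4],
    ['groupname' => 'G4', 'groupvalue' => 8],
    ['groupname' => 'G5', 'groupvalue' => 16],
    ['groupname' => 'G6', 'groupvalue' => 32],
];

// Create the constants dynamically from the table, as the post suggests.
foreach ($groupRows as $row) {
    define($row['groupname'], (int) $row['groupvalue']);
}

/** Names of the groups whose bits are set in a user's mask. */
function groups_in_mask(int $mask, array $groupRows): array
{
    $names = [];
    foreach ($groupRows as $row) {
        if ($mask & (int) $row['groupvalue']) {
            $names[] = $row['groupname'];
        }
    }
    return $names;
}

/** True if the user is in at least one of the groups whose bits are set in $allowed. */
function user_in_any_group(int $userGroups, int $allowed): bool
{
    return ($userGroups & $allowed) !== 0;
}

/**
 * Page guard: $_SESSION['groups'] (assumed key) holds the users.groups
 * column stored at login. Anyone outside the allowed groups is redirected.
 */
function require_any_group(int $allowed, string $redirect = 'logout.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $userGroups = isset($_SESSION['groups']) ? (int) $_SESSION['groups'] : 0;
    if (!user_in_any_group($userGroups, $allowed)) {
        header('Location: ' . $redirect);
        exit; // stop here so the page body is never sent
    }
}

// Worked values from the post (7 = G1+G2+G3, 17 = G1+G5, 34 = G2+G6):
print_r(groups_in_mask(7, $groupRows));
print_r(groups_in_mask(17, $groupRows));
var_dump(user_in_any_group(34, G1 | G3));
var_dump(user_in_any_group(7, G1 | G3));

// At the top of the page that only G1 and G3 members may open:
// require_any_group(G1 | G3);
```

Combining the allowed groups with `|` and testing with `&` is what lets one integer column answer "is this user in any of these groups" without a join; adding a seventh group only needs a new row with value 64, no code change.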

But for completeness and since I left it dangling there

Still very nice example of using bitwise operators. Useful in other cases, too, like PHP error reporting.

@diafol

$usergroups = 34; // this would be set from DB on login

What do you mean by that? Would you explain a bit more. I don't understand..

@broj1

I tried to do it your way.. but it won't work... it takes me to the logout page.
This is how I do it.. here are my codes:

<?php
session_start();

if(!isset($_SESSION['access_level']) || $_SESSION['access_level'] > 100) {
    header('location: logout.php');
} else {
    switch ($_SESSION['access_level']) {
        case 220 : header('location:borangK8.php');
        default : header('location:logout.php');
    }
}

?>

1) You need to place exit; after a header();
2) Check the value of $_SESSION['access_level'] with an echo immediately after the session_start();

This should block the header() as it causes output, but at least you'll see the value on the screen.

It would also be expected that you log out visitors with an access level less than 100, not greater than 100. The higher the access level, the more rights the user has. Like below:

if(!isset($_SESSION['access_level']) || $_SESSION['access_level'] < 100) {

This is how I do it. For case 200 and case 180, it's working just fine..
but for case 220 it doesn't work: when the user has access_level = 220, it gives an
error: the page isn't redirecting properly.

//  checking a system access level
if(!isset($_SESSION['access_level']) || $_SESSION['access_level'] < 100) {
    header('location:mainBaru.php');
} else {
    switch ($_SESSION['access_level']) {
        case 220 : header('location:borangK8.php');
            break;
        case 200 : header('location:mainBaru.php');
            break;
        case 180 : header('location:mainBaru.php');
            break;
        //default : header('location:logout.php');

        exit();
    }
}

The only thing I can come up with is that the url might be incorrect. Have you checked spelling?

I already checked the spelling.. there is nothing wrong with the spelling..
This page is called "borangK8".
The users that can access this page are access_level 220 and access_level 100. The user with access_level 220 is having the problem: the page isn't redirecting properly.. Is it because of this code?

case 220:header('location:borangK8.php');
                break;

Check if $_SESSION['access_level'] is really 220. You can also try to put the line

header('location:borangK8.php');

on top of the script to see whether redirection works.

Also make sure no html (not even a space) is sent before header() function. Check your script and included files for output.

Yeay, I know what happened. It is because the included page is redirecting to itself. So, it causes "the page isn't redirecting properly"...

So I changed my code like this:

if(!isset($_SESSION['access_level']) || $_SESSION['access_level'] < 100) {
    header('location:mainBaru.php');
} else {
    switch ($_SESSION['access_level']){
        //case 220 :header('location:borangK8.php');
            //break;
        case 200 :header('location:mainBaru.php');
            break;
        case 180 :header('location:mainBaru.php');
            break;
        //default : header('location:logout.php');

        exit();
    }
}

Haha.. silly me.. I shouldn't include this code:

case 220 :header('location:borangK8.php');
            break;

It will attempt to redirect indefinitely.
And thank you @broj1 and @diafol for helping me..
I really appreciate it..

Alright guys.. I've got it.. I know what actually happened: it is because I include the page that I want to redirect to. If you do, it will attempt to redirect indefinitely.
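The lesson the thread ends on, written as a guard that cannot loop, as an added example that is not the poster's code: allowed users simply stay on the page (no redirect at all), everyone else is sent away with exit after the header, and the redirect helper refuses to send a script to itself. The file names borangK8.php and mainBaru.php and the levels 220 and 100 are the ones stated in the thread; redirect_to and guard_borangK8 are assumed names.

```php
<?php
// Added example, not the poster's code. Include at the very top of
// borangK8.php, before any output, and call guard_borangK8().

/**
 * Send a Location header and stop. If the target is the script that is
 * already running, do nothing: that self-redirect is exactly the
 * "page isn't redirecting properly" loop described in the thread.
 */
function redirect_to(string $target): void
{
    $targetFile  = basename((string) parse_url($target, PHP_URL_PATH));
    $currentFile = basename($_SERVER['SCRIPT_NAME'] ?? '');
    if ($targetFile !== '' && $targetFile === $currentFile) {
        return; // already on the target page; fall through and render it
    }
    header('Location: ' . $target);
    exit; // never let the page body follow a redirect
}

/**
 * borangK8.php may be opened by access_level 220 and 100 only (per the
 * thread). Allowed users stay; all others go to mainBaru.php.
 */
function guard_borangK8(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $level   = isset($_SESSION['access_level']) ? (int) $_SESSION['access_level'] : 0;
    $allowed = [220, 100];

    if (!in_array($level, $allowed, true)) {
        redirect_to('mainBaru.php');
    }
    // Allowed user: no header, no exit; the page renders after this call.
}

guard_borangK8();
```

Listing the allowed levels for a page and only redirecting the rest avoids the switch that sent matching users back to the page they were already on; the self-redirect check in redirect_to is a safety net for when the same guard file is included from several pages.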
