PHP: How to validate access permissions for menu options based on user/group?

I have a PHP page which shows several links as options (i.e. a simple menu), but I need to validate the logged-in user and/or its assigned group to see if they have access to each option.

Let me explain with an example.

My "menu.php" page has a simple HTML listing of links, e.g.:

option1.php
option2.php
option3.php
...
optionN.php

[I am omitting the HTML code, just showing the logic]

Now, each option should be only visible to certain groups and/or users. For example, group 1 has access to options 1,2,5, group 2, to options 2,4,5, group 3 to options 1 and 6, userA to options 3,4, userB to options 4,6 and so on.

I only need to have permission to either the single user or to their group to give access; in other words, it's an OR condition, either the group OR the user, not necessarily both.

I receive both the user and the group via the $_SESSION variable, so I can validate it directly.

Now, what is the best way to structure the script to validate each option's permission?

I currently don't have the option to use databases to store the permissions, so I need to do it all within the code (hard coded).

An idea I have is to create several arrays, both for each option, and in each to store the ids of each group and user that have access to it, for example:

// IDs of the users and groups allowed to see each option
$option1_Users = array(1,2,4,5);
$option1_Groups = array(3,5);
$option2_Users = array(2,5,7);
$option2_Groups = array(1,6,12);
...

... and so on, and then just nest every link with a validation, something like:

if( in_array($logged_user,$option1_Users) || in_array($logged_group,$option1_Groups)){
echo 'option1.php'; // the HTML for the option 1 link
}

That way, each time an option is going to be echoed, I verify if the user/group has access to it.

Although it would work this way, I think it is very dirty and with lots of arrays (twice for each option). Is there a better way to do all this? Is there a "common" or standard way to achieve it? What else besides arrays and plain ifs could I use?

Notes:

- Each user can belong to several groups and each group can have several users (many to many relationship), but this is irrelevant, because I can validate either in the script.

- The main "menu.php" already HAS database validation to access it, based on the Group of the user (if the group doesn't have permissions, the user simply cannot enter the menu), but currently it only works to allow access to the menu itself, but within it, I need to validate again what specific options that user/group can see.

- I currently need the solution to be hardcoded (I know, dirty, but I need the script to validate everything on its own, not depending on databases to know the permissions), but if you have a solution involving databases and storing the permissions there, feel free to mention it, and how to implement it.

Thanks.

This is not a great solution, but it will help you make your code a little cleaner.

Instead of making a bunch of arrays for each option you could make one master array.

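// Master array: option number => the users and groups allowed to see it
$options = array(1 => array('users' => array(1,2,3,4,5), 'groups' => array(3,5)));
foreach($options as $option=>$perms) {
    // Show the link if either the user OR the group is listed
    if( in_array($logged_user,$perms['users']) || in_array($logged_group,$perms['groups'])){
        echo '<a href="option'.$option.'.php">Option '.$option.'</a>';
    }
}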

Like I said before, this is not the ideal solution for this problem. If you already have permissions coming from the database to handle other parts of the menu, you should be using that and not create two sections of permissions code. Also, hard coding, as you noted, is not ideal and may end up causing you a headache sooner than you think.
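
One way to tidy the master-array approach above, as an added example that is not code from the question or from any answer: a single deny-by-default map and one check reused both for the menu and at the top of each option page, since hiding a link does not block a direct request to its URL. The names `ACL`, `can_access()`, `visible_options()` and `require_access()` are hypothetical, the demo user and group IDs are constructed, and it accepts several groups per user, which goes slightly beyond the single `$logged_group` shown.

```php
<?php
// Added example (PHP 7.4+). All names here are hypothetical.
// Hard-coded map; the IDs for options 1 and 2 are the ones used in the question.
const ACL = [
    1 => ['users' => [1, 2, 4, 5], 'groups' => [3, 5]],
    2 => ['users' => [2, 5, 7],    'groups' => [1, 6, 12]],
];

// True if the user OR any of the user's groups is listed for the option.
function can_access(int $option, int $user, array $groups): bool
{
    if (!array_key_exists($option, ACL)) {
        return false; // deny by default: an unlisted option is visible to nobody
    }
    $perms = ACL[$option];
    // Strict comparison: IDs are matched as integers, with no type juggling
    if (in_array($user, $perms['users'], true)) {
        return true;
    }
    // A user may belong to several groups; one match is enough
    return (bool) array_intersect(array_map('intval', $groups), $perms['groups']);
}

// Menu: the option numbers this user may see.
function visible_options(int $user, array $groups): array
{
    return array_values(array_filter(
        array_keys(ACL),
        fn (int $o): bool => can_access($o, $user, $groups)
    ));
}

// Guard for the top of each optionN.php, so the same rule is enforced
// when the page is requested directly and not only when the menu is drawn.
function require_access(int $option, int $user, array $groups): void
{
    if (!can_access($option, $user, $groups)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed demo: user 9 is not listed anywhere as a user,
// but membership of group 6 is listed for option 2.
foreach (visible_options(9, [6, 20]) as $o) {
    echo '<a href="option' . $o . '.php">Option ' . $o . '</a>' . PHP_EOL;
}
```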

You probably want to use an authorization framework that'll let you express your scenarios. Have a look at XACML (http://www.webfarmr.eu/2012/11/call-out-to-a-xacml-policy-decision-point-pdp-from-php/) which supports externalized, policy-based authorization.

It seems like Sentry provides an AuthZ framework for PHP too: http://docs.cartalyst.com/sentry-2